PGP recently held a webcast on key management, and there were several questions we didn’t have time to answer during the broadcast. I wanted to circle back and provide detailed answers, so you’ll find them in this blog entry.
Q: Do you need both PGP Universal Server and PGP Key Management Server? Or does PGP Key Management Server replace PGP Universal Server?
A: PGP Key Management Server is a new product based on some of the components of PGP Universal Server. PGP Universal Server is for the management and administration of keys used with PGP applications. A company would use PGP Key Management Server for broader management capabilities such as the administration of keys and certificates with custom applications and 3rd party software and hardware packages. PGP Key Management Server and PGP Universal Server may coexist in the same server instance, however.
Q: What are some of the things that make PGP Key Management Server different from PGP Universal Server?
A: The design of PGP Key Management Server centers on the ability to manage a broad set of keys. For example, from the administrative perspective, organizations typically manage keys by the application that created them, thus creating a fragmented administrative model. You manage one key with the admin console of application 1, and you manage the second key from application 2, even if both keys belong to the same user. PGP Key Management Server organizes keys by the consumer of the key material, thus making it easier to apply policy around that key.
The second major difference is the approach we took to support the various ways to integrate an application with PGP Key Management Server (see the question below on agent/SDK/API for an in-depth explanation).
The third major area that was redone was the API, which was designed for extensibility: easier integration today and support for emerging standards, such as OASIS KMIP, down the road.
Q: What about S/MIME?
A: PGP Key Management Server can generate X.509 certificates suitable for use with S/MIME.
Q: What about SSL?
A: PGP Key Management Server can generate X.509 certificates for use with SSL. One thing to keep in mind about SSL is that there are generally two types of uses for it. One is to make internal communications more secure by protecting server-to-server network traffic. The second is to provide server identification in order to establish a secure connection over an external, untrusted network. The second use case requires a trust chain back to a pre-trusted root certificate, which essentially means that a web browser needs to be able to identify where the certificate came from. Users who need to use SSL in an externally facing network environment may be interested in learning more about PGP TrustCenter, which provides the trust chain needed to secure external network traffic.
Q: Where can I find more about Key Management?
A: Ramon Krikken, an analyst at Burton Group / Gartner is a subject matter expert in the enterprise key management space, and produces excellent in-depth reports. Burton Group provides its reports on a subscription basis only, so your organization will need to be a member of Burton Group in order to read that material.
Jon Oltsik is an analyst at Enterprise Strategy Group and covers key management on a regular basis in his writing and on his blog hosted on Network World.
IEEE recently hosted “Key Management Summit 2010”, and video of the speakers and their slides are available on its website.
Q: How do you provide keys to applications?
A: There are basically three primary methods for getting a key to and from a server: an agent, an API, or an SDK.
The agent approach relies on a piece of software on the client to handle the interaction with the key server. The agent must first authenticate to the key server in order to establish what that particular agent may do. Once connected, the agent can communicate with the server and perform key operations such as requesting a key from the server or pushing a key to the server.
PGP has a general purpose agent available that performs these functions, and it’s available on over 35 different operating system variants, including Microsoft Windows, Apple Mac OS X and various Unix / Linux variants.
The API approach pushes the complexity towards the server, but the application needs to know how to talk the API. Organizations that build their own custom software can take advantage of the API approach. With the adoption of mature open standards in the key management space, the API approach will become more mainstream.
The SDK approach is a middle ground between the agent and the API approach. Using an SDK, an organization can build the functions it needs in order to integrate with a key server. This provides tighter integration than the agent approach, but it does require familiarity with the process of integrating with the application code.
All three approaches are available with the PGP Key Management Server.
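The agent flow described above (authenticate first, then request or push keys only within the rights that authentication establishes), as an added example that is not PGP's code: a constructed in-memory key server with HMAC-based agent authentication, a per-agent ACL keyed by the consumer of the key material, and an audit trail of every authorization decision. Agent names, secrets and key material are constructed for the example.

```python
import hashlib
import hmac
import secrets
class KeyServer:
    # Constructed in-memory key server (not PGP's code); keys indexed by consumer, rights per agent.
    def __init__(self, agents):
        self._agents, self._keys, self._sessions, self.audit = agents, {}, {}, []

    def authenticate(self, agent_id, nonce, mac):
        # The agent proves it holds its shared secret: mac must equal HMAC-SHA256(secret, nonce).
        entry = self._agents.get(agent_id)
        if entry is None:
            raise PermissionError("authentication failed")
        expected = hmac.new(entry["secret"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            raise PermissionError("authentication failed")
        self._sessions[(token := secrets.token_hex(16))] = agent_id  # session bound to agent
        return token

    def _keys_for(self, token, op, consumer):
        agent_id = self._sessions.get(token)
        acl = self._agents.get(agent_id, {"ops": (), "consumers": ()})
        ok = op in acl["ops"] and consumer in acl["consumers"]
        self.audit.append((agent_id, op, consumer, "allow" if ok else "deny"))  # every decision audited
        if not ok:
            raise PermissionError(f"{agent_id!r} may not {op} keys for {consumer!r}")
        return self._keys.setdefault(consumer, {})

    def put_key(self, token, consumer, name, key):  # agent pushes a key to the server
        self._keys_for(token, "put", consumer)[name] = key
    def get_key(self, token, consumer, name):  # agent requests a key from the server
        return self._keys_for(token, "get", consumer)[name]

def agent_login(server, agent_id, secret):
    nonce = secrets.token_bytes(16)  # client half of the exchange: fresh nonce, MAC it, send both
    return server.authenticate(agent_id, nonce, hmac.new(secret, nonce, hashlib.sha256).digest())

def demo():
    # Constructed scenario: "prov" may store keys for alice; "backup" may only read them.
    prov_secret, backup_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    server = KeyServer({"prov": {"secret": prov_secret, "ops": {"put"}, "consumers": {"alice"}},
                        "backup": {"secret": backup_secret, "ops": {"get"}, "consumers": {"alice"}}})
    server.put_key(agent_login(server, "prov", prov_secret), "alice", "smime-enc", b"key-material")
    backup = agent_login(server, "backup", backup_secret)
    fetched = server.get_key(backup, "alice", "smime-enc")
    try:
        server.put_key(backup, "alice", "smime-enc", b"tampered")  # denied: backup has no "put" right
    except PermissionError:
        pass
    return fetched, server.audit[-1][3]  # (b"key-material", "deny")
```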