
Security without Obscurity

A Guide to PKI Operations, 1st Edition

By Jeff Stapleton, W. Clay Epstein

Auerbach Publications

343 pages | 87 black-and-white illustrations

Editions:
Hardback: ISBN 9781498707473, published 2016-02-17
eBook (VitalSource): ISBN 9780429160332, published 2016-02-22


Most books on public key infrastructure (PKI) seem to focus on asymmetric cryptography, X.509 certificates, certificate authority (CA) hierarchies, or certificate policy (CP), and certificate practice statements. While algorithms, certificates, and theoretical policy are all excellent discussions, the real-world issues for operating a commercial or private CA can be overwhelming.

Security without Obscurity: A Guide to PKI Operations provides a no-nonsense approach and realistic guide to operating a PKI system. In addition to discussions on PKI best practices, the book supplies warnings against bad PKI practices. Scattered throughout the book are anonymous case studies identifying both good and bad practices.

The highlighted bad practices, drawn from real-world scenarios in the authors’ experience, illustrate how things are often done with good intentions yet create bigger problems than the one originally being solved.

This book offers readers the opportunity to benefit from the authors’ more than 50 years of combined experience in developing PKI-related policies, standards, practices, procedures, and audits, as well as designing and operating various commercial and private PKI systems.


"Finally a book that cuts through the dense fog surrounding PKI as an intellectual achievement to provide practical insights that can be applied with immediate benefit by the people charged with making PKI work. Security without Obscurity: A Guide to PKI Operations is a valuable reference that information security professionals will turn to again and again."

—Phillip H. Griffin, CISM, ISSA Fellow, IEEE Senior Member

"Jeff and Clay are ‘certifiable’ in this practical guide to public key infrastructure (PKI). Because PKI is an operational system employing asymmetric cryptography, information technology (hardware and software), operating rules (policies and procedures), security (physical and logical security), and legal matters, a holistic approach is needed. They have provided the chart essential to navigating the operational aspects—what takes PKI from theory to practice."

—Ralph Spencer Poore, CFE, CISA, CISSP, PCIP, ISSA Distinguished Fellow

Table of Contents


About This Book

Security Basics

Standards Organizations

Cryptography Basics




Key Management

Cryptographic Modules

PKI Building Blocks

PKI Standards Organizations

PKI Protocols: SSL and TLS

PKI Protocol: IPsec

PKI Protocol: S/MIME

PKI Methods: Legal Signatures and Code Sign

PKI Architectural Components

PKI Management and Security


Publication and Repository Responsibilities

Identification and Authentication

Certificate Lifecycle Operational Requirements

Facility, Management, and Operational and Physical Controls

Technical Security Controls

Certificate, CRL, and OCSP Profiles

Compliance Audits and Other Assessments

Other Business and Legal Matters

PKI Roles and Responsibilities

Certificate Authority

Registration Authority

Policy Authority


Relying Party


Security Considerations

Physical Security

Logical Security

Audit Logs

Cryptographic Modules

Operational Considerations

CA Architectures

Security Architectures

Certificate Management

Business Continuity

Disaster Recovery


Incident Management

Areas of Compromise in a PKI

PKI Incident Response Plan

Monitoring the PKI Environment Prior to an Incident

Initial Response to an Incident

Detailed Discovery of an Incident

Collection of Forensic Evidence

Reporting of an Incident

PKI Governance, Risk, and Compliance

PKI Governance

Management Organization

Security Organization

Audit Organization

PKI Risks

Cryptography Risks

Cybersecurity Risks

Operational Risks

PKI Compliance

Evaluation Criteria

Gap Assessment

Audit Process

Advanced PKI

Industry Initiatives

Certificate Trust Levels

Relying Party Unit

Short-Term Certificates

Long-Term Certificates



About the Authors

Jeff J. Stapleton is the author of Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity (CRC Press). Stapleton began his career at Citicorp Information Resources, St. Louis, Missouri, in 1982, as a software engineer writing 8-bit assembler code for a turnkey savings and loan teller system. He continued his work in the financial service industry at MasterCard International (St. Louis, Missouri), maintaining and developing credit card and debit card transaction applications on its global network, Banknet.

His introduction to cryptography began when he was assigned to develop a global key management system for MasterCard, and as part of that assignment, he began attending an Accredited Standards Committee (ASC) X9 Workgroup for retail banking security in 1989.

During his career, he has spoken at many conferences; participated in the development of numerous ANSI and ISO standards; and published various papers, articles, chapters, and his first book—Security without Obscurity.

W. Clay Epstein holds a bachelor of science in computer science from the University of Utah and a master of business administration in management information systems from Westminster College (Salt Lake City, Utah). He has international experience developing and managing public key infrastructures primarily for the financial services industry.

Epstein was the CTO for Digital Signature Trust Co., a start-up company formed to address the legal and technical issues of secure electronic commerce across the Internet, and one of the first licensed Certificate Authorities (CAs) in the United States. He was the third employee, responsible for the overall operations and strategic technology development, implementation, and maintenance of the various CA systems.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Networking / General
COMPUTERS / Security / General