Most books on public key infrastructure (PKI) seem to focus on asymmetric cryptography, X.509 certificates, certificate authority (CA) hierarchies, or certificate policy (CP) and certificate practice statements. While algorithms, certificates, and theoretical policy are all excellent discussions, the real-world issues of operating a commercial or private CA can be overwhelming.
Security without Obscurity: A Guide to PKI Operations provides a no-nonsense approach and realistic guide to operating a PKI system. In addition to discussions on PKI best practices, the book supplies warnings against bad PKI practices. Scattered throughout the book are anonymous case studies identifying both good and bad practices.
The highlighted bad practices, based on real-world scenarios from the authors’ experiences, illustrate how bad things are often done with good intentions but cause bigger problems than the original one being solved.
This book offers readers the opportunity to benefit from the authors’ more than 50 years of combined experience in developing PKI-related policies, standards, practices, procedures, and audits, as well as designing and operating various commercial and private PKI systems.
"Finally a book that cuts through the dense fog surrounding PKI as an intellectual achievement to provide practical insights that can be applied with immediate benefit by the people charged with making PKI work. Security without Obscurity: A Guide to PKI Operations is a valuable reference that information security professionals will turn to again and again."
—Phillip H. Griffin, CISM, ISSA Fellow, IEEE Senior Member
"Jeff and Clay are ‘certifiable’ in this practical guide to public key infrastructure (PKI). Because PKI is an operational system employing asymmetric cryptography, information technology (hardware and software), operating rules (policies and procedures), security (physical and logical security), and legal matters, a holistic approach is needed. They have provided the chart essential to navigating the operational aspects—what takes PKI from theory to practice."
—Ralph Spencer Poore, CFE, CISA, CISSP, PCIP, ISSA Distinguished Fellow
About This Book
PKI Building Blocks
PKI Standards Organizations
PKI Protocols: SSL and TLS
PKI Protocol: IPsec
PKI Protocol: S/MIME
PKI Methods: Legal Signatures and Code Sign
PKI Architectural Components
PKI Management and Security
Publication and Repository Responsibilities
Identification and Authentication
Certificate Lifecycle Operational Requirements
Facility, Management, and Operational and Physical Controls
Technical Security Controls
Certificate, CRL, and OCSP Profiles
Compliance Audits and Other Assessments
Other Business and Legal Matters
PKI Roles and Responsibilities
Areas of Compromise in a PKI
PKI Incident Response Plan
Monitoring the PKI Environment Prior to an Incident
Initial Response to an Incident
Detailed Discovery of an Incident
Collection of Forensic Evidence
Reporting of an Incident
PKI Governance, Risk, and Compliance
Certificate Trust Levels
Relying Party Unit