4 August 1998

4 August 1998, Internet Week:

IBM Will Give Away The Keys

Colorado Springs, Colo. - IBM's plan to give away its source
code for creating a public-key infrastructure may be the spark to
ignite widespread testing of the emerging standard. 

At The Burton Group's Catalyst Conference here last week, IBM said it
would make the source code of its Jonah PKIX project available at no
charge. The dramatic move attempts to push forward the Internet
Engineering Task Force's draft specification on Public Key
Infrastructure for X.509 Certificates (PKIX) and IBM's own e-business

The specification describes a standard for building a PKI - a set of
services to deploy and use public-key security with digital certificates. 
The X.509 certificate standard has been widely embraced, but a PKI 
standard is pivotal for supporting applications such as secure messaging 
and E-commerce. 

"This is big. The concern here is to avoid proprietary PKI, which will 
kill electronic commerce," said Jamie Lewis, president of The Burton Group. 

IBM has endorsements from Intel, Netscape Communications, Security
Dynamics Technologies Inc., Sun Microsystems and General Motors

Tempering IBM's announcement is the fact that PKIX has yet to be approved
by the IETF. Although many PKIX drafts are near approval, IBM has
thrown itself into a debate on methods for securing messages and 
certificate requests. 

IBM's Jonah supports the Certificate Management Protocol (CMP), a draft
specification introduced last year by Entrust Technologies Ltd., a leader
in PKI technology. CMP overrides two de facto protocols - PKCS #7 and PKCS
#10 - which are supported in products from such vendors as Microsoft,
Netscape and VeriSign Inc. 

"IBM's plan is great for the industry and will help it demonstrate the 
holes in the standard, but only IBM and Entrust support the CMP protocol. 
So they have created two standards," said Patrick Richard, chief technology 
officer at Xcert International Inc., which sells digital certificate 
products and services.

Some users welcomed the PKIX announcement but didn't lose sight of other 
issues that enterprises face. "PKI is not as easy as the vendors make it
out to be. Setting up a certificate authority is a social and processes
problem as much as a technology question," said Don Bowen, corporate
information services manager for a large heavy-equipment manufacturer. 

In other conference news, Novell said it will port Entrust's
Entrust/Alliance PKI to NetWare 5.0, and Netscape and VeriSign said they will
add PKI support to their security products and services.