MTU Cork Library Catalogue


Planning for PKI : best practices guide for deploying public key infrastructure / Russ Housley, Tim Polk.

By: Housley, Russ, 1959-.
Contributor(s): Polk, Tim, 1962-.
Material type: Book
Publisher: New York : Wiley, 2001
Description: xvii, 327 p. : ill. ; 24 cm. + hbk.
ISBN: 0471397024.
Subject(s): Computer security | Computer networks -- Security measures | Business enterprises -- Computer networks -- Security measures
DDC classification: 005.8
Contents:
Introduction -- Cryptography primer -- PKI basics -- Authentication mechanisms -- PKI components and users -- PKI architectures -- X509 public key certificates -- Certificate revocation lists -- Repository protocols -- Building and validating certification paths -- PKI management protocols -- Policies, procedures and PKI -- PKI-enabled applications -- Defense message system 1.0 -- California independent service operator -- The federal bridge CA project -- Future developments.

Enhanced descriptions from Syndetics:

An in-depth technical guide on the security technology driving Internet e-commerce expansion.
"Planning for PKI" examines the number-one Internet security technology that will be widely adopted in the next two years. Written by two of the architects of the Internet PKI standards, this book provides authoritative technical guidance for network engineers, architects, and managers who need to implement the right PKI architecture for their organization. The authors discuss results and lessons learned from early PKI pilots, helping readers evaluate PKI deployment impact on current network architecture while avoiding the pitfalls of early technical mistakes. Four technical case studies detail the do's and don'ts of PKI implementation, illustrating both successes and failures of different deployments. Readers will also learn how to leverage future PKI-related technologies for additional benefits.

Bibliography (pages 311-318) and index.

Table of contents provided by Syndetics

  • Foreword (p. xv)
  • Acknowledgments (p. xvii)
  • Chapter 1 Introduction (p. 1)
  • How This Book Is Organized (p. 2)
  • Part 1 PKI Background (p. 3)
  • Part 2 PKI Details (p. 3)
  • Part 3 Policy Issues (p. 3)
  • Part 4 The Standard Applications (p. 4)
  • Part 5 PKI Case Studies (p. 4)
  • Part 6 Adding Value to PKI in the Future (p. 4)
  • Appendices (p. 4)
  • Who Should Read This Book (p. 4)
  • Chapter 2 Cryptography Primer (p. 5)
  • Symmetric Cryptography (p. 6)
  • Symmetric Integrity Functions (p. 9)
  • Asymmetric Key Management (p. 10)
  • Digital Signatures (p. 12)
  • Chapter 3 PKI Basics (p. 17)
  • Simple Certificates (p. 18)
  • The Business Card (p. 18)
  • The Credit Card (p. 19)
  • The Ideal Certificate (p. 21)
  • Public Key Certificates (p. 21)
  • Certificate Revocation List (p. 23)
  • Certificate Policies (p. 25)
  • Certification Paths (p. 26)
  • Summary (p. 27)
  • Chapter 4 Authentication Mechanisms (p. 29)
  • Passwords (p. 30)
  • One-Time Authentication Values (p. 31)
  • Challenge/Response Authentication (p. 32)
  • Time-Based Implicit Challenge (p. 33)
  • Using One-Way Hash Functions (p. 33)
  • Kerberos (p. 34)
  • Obtaining a Ticket-Granting Ticket (p. 35)
  • Authenticating to a Server (p. 37)
  • Kerberos Public Key Initialization (p. 38)
  • Certificate-Based Authentication (p. 39)
  • Chapter 5 PKI Components and Users (p. 43)
  • Infrastructure Components (p. 44)
  • Certification Authority (p. 44)
  • Issuing Certificates (p. 44)
  • Maintaining Status Information and Issuing CRLs (p. 46)
  • Publishing Certificates and CRLs (p. 46)
  • Maintaining Archives (p. 47)
  • Delegating Responsibility (p. 47)
  • Registration Authority (p. 48)
  • Repository (p. 49)
  • Archive (p. 49)
  • Infrastructure Users (p. 50)
  • Certificate Holders (p. 50)
  • Relying Party (p. 50)
  • Build It or Buy It? (p. 51)
  • Chapter 6 PKI Architectures (p. 53)
  • Simple PKI Architectures (p. 54)
  • Single CA (p. 54)
  • Basic Trust Lists (p. 55)
  • Enterprise PKI Architectures (p. 57)
  • Hierarchical PKI (p. 57)
  • Mesh PKI (p. 58)
  • Hybrid PKI Architectures (p. 60)
  • Extended Trust List Architecture (p. 61)
  • Cross-Certified Enterprise PKIs (p. 62)
  • Bridge CA Architecture (p. 64)
  • Choosing the Best Architecture (p. 67)
  • Chapter 7 X.509 Public Key Certificates (p. 69)
  • X.509 Certificate Evolution (p. 70)
  • ASN.1 Building Blocks (p. 70)
  • Object Identifiers (p. 70)
  • Algorithm Identifiers (p. 71)
  • Directory String (p. 71)
  • Distinguished Names (p. 72)
  • General Names (p. 73)
  • Time (p. 74)
  • X.509 Certificates (p. 74)
  • The Tamper-Evident Envelope (p. 75)
  • Basic Certificate Content (p. 76)
  • Certificate Extensions (p. 79)
  • Subject Type Extensions (p. 80)
  • Basic Constraints (p. 80)
  • Name Extensions (p. 81)
  • Issuer Alternative Name (p. 82)
  • Subject Alternative Name (p. 82)
  • Name Constraints (p. 82)
  • Key Attributes (p. 85)
  • Key Usage (p. 85)
  • Extended Key Usage (p. 86)
  • Private Key Validity (p. 87)
  • Subject Key Identifier (p. 87)
  • Authority Key Identifier (p. 88)
  • Policy Information (p. 89)
  • Certificate Policies (p. 89)
  • Policy Mapping (p. 91)
  • Policy Constraints (p. 93)
  • Inhibit Any-Policy (p. 94)
  • Additional Information (p. 94)
  • CRL Distribution Points (p. 95)
  • Freshest CRL (p. 96)
  • Authority Information Access (p. 96)
  • Subject Information Access (p. 97)
  • Subject Directory Attributes (p. 98)
  • Generating and Using Certificates (p. 98)
  • End Entity Certificates (p. 99)
  • User Certificates (p. 99)
  • System Certificates (p. 100)
  • CA Certificates (p. 101)
  • CA Certificates within an Enterprise PKI (p. 101)
  • CA Certificates between Enterprise PKIs (p. 102)
  • CA Certificates in a Bridge CA Environment (p. 103)
  • Self-Issued Certificates (p. 103)
  • Trust Point Establishment (p. 103)
  • Rollover Certificates (p. 104)
  • Old Signed With New (p. 104)
  • New Signed With Old (p. 104)
  • Policy Rollover Certificates (p. 105)
  • Old Signed With New (p. 105)
  • New Signed With Old (p. 105)
  • Chapter 8 Certificate Revocation Lists (p. 107)
  • Basic CRL Contents (p. 107)
  • The Signed Certificate List (p. 109)
  • CRL Extensions (p. 111)
  • Authority Key Identifier (p. 111)
  • Issuer Alternative Name (p. 112)
  • CRL Number (p. 112)
  • Delta CRL Indicator (p. 113)
  • Issuing Distribution Point (p. 114)
  • Freshest CRL (p. 115)
  • CRL Entry Extensions (p. 115)
  • Reason Code (p. 116)
  • Hold Instruction Code (p. 116)
  • Invalidity Date (p. 117)
  • Certificate Issuer (p. 118)
  • Generating and Using CRLs (p. 118)
  • CRL Coverage (p. 118)
  • Full CRLs (p. 119)
  • CRL Distribution Points (p. 120)
  • CRL Location (p. 120)
  • CRL Size (p. 121)
  • Delta CRLs (p. 122)
  • Indirect CRLs (p. 123)
  • Chapter 9 Repository Protocols (p. 125)
  • Repository Attributes (p. 126)
  • Common Repository Protocols (p. 127)
  • Directories (p. 127)
  • The X.500 Directory (p. 128)
  • Lightweight Directory Access Protocol (v2) (p. 130)
  • X.500 Directory with LDAP (p. 130)
  • LDAP v3 with Extensions (p. 131)
  • FTP (p. 131)
  • HTTP (p. 132)
  • Electronic Mail (p. 132)
  • Domain Name System Support (p. 133)
  • Border Repositories (p. 133)
  • Practical PKI Repositories (p. 134)
  • Chapter 10 Building and Validating Certification Paths (p. 137)
  • Certification Path Construction (p. 138)
  • Simple PKI Architectures (p. 138)
  • Hierarchical PKI Architectures (p. 138)
  • Mesh PKI Architectures (p. 139)
  • Extended Trust List Architectures (p. 140)
  • Cross-Certified PKI Architectures (p. 141)
  • Bridge CA Architectures (p. 142)
  • Certification Path Validation (p. 144)
  • Initialization (p. 145)
  • Basic Certificate Checking (p. 147)
  • Preparation for the Next Certificate (p. 148)
  • Wrap-up (p. 150)
  • CRL Validation (p. 151)
  • CRL Processing (p. 152)
  • Wrap-up (p. 153)
  • Merging Path Construction and Validation (p. 154)
  • Summary (p. 154)
  • Chapter 11 PKI Management Protocols (p. 155)
  • PKI Management Transactions (p. 156)
  • Participants (p. 156)
  • Transaction Models (p. 157)
  • Management Protocol Comparison Criteria (p. 162)
  • Common PKI Management Protocols (p. 163)
  • PKCS #10 (p. 164)
  • PKCS #10 with SSL (p. 165)
  • PKCS #10 and SSL Summary (p. 166)
  • PKCS #7 and PKCS #10 (p. 167)
  • PKCS #7 and #10 Summary (p. 169)
  • Certificate Management Protocol (CMP) (p. 170)
  • CMP Summary (p. 174)
  • Certificate Management using CMS (CMC) (p. 175)
  • CMC Summary (p. 176)
  • Simple Certificate Enrollment Protocol (SCEP) (p. 177)
  • SCEP Summary (p. 178)
  • Selecting PKI Management Protocols (p. 179)
  • Chapter 12 Policies, Procedures, and PKI (p. 181)
  • Introduction to Policy and Procedures (p. 182)
  • Policy and PKI (p. 183)
  • Certificate Policies and Certification Practice Statements (p. 184)
  • The CP, CPS, and Policy Extensions (p. 185)
  • CP and CPS Format and Contents (p. 188)
  • Highlights of the RFC 2527 Format (p. 189)
  • Introduction (p. 189)
  • General Provisions (p. 189)
  • Identification and Authentication (p. 191)
  • Operational Requirements (p. 191)
  • Physical, Procedural, and Personnel Security Controls (p. 192)
  • Technical Security Controls (p. 193)
  • Certificate and CRL Profiles (p. 194)
  • Specification Administration (p. 195)
  • Compliance Audits and Accreditation (p. 195)
  • Advice for Policy Authors (p. 196)
  • Chapter 13 PKI-Enabled Applications (p. 199)
  • S/MIMEv3 (p. 200)
  • Message Signature and Encryption (p. 201)
  • Enhanced Security Services (p. 202)
  • PKI Support (p. 204)
  • Transport Layer Security (TLS) (p. 206)
  • Handshake Protocol (p. 207)
  • Record Protocol (p. 209)
  • PKI Support (p. 210)
  • IPsec (p. 211)
  • Security Associations (p. 212)
  • Authentication Header (AH) (p. 214)
  • Encapsulating Security Payload (p. 215)
  • Internet Key Exchange (IKE) (p. 217)
  • PKI Support (p. 218)
  • Summary (p. 218)
  • Chapter 14 Defense Message System 1.0 (p. 219)
  • DMS 1.0 Architecture (p. 219)
  • Cryptographic Environment (p. 220)
  • PKI Architecture (p. 220)
  • Certificate and CRL Profiles (p. 222)
  • Repositories (p. 225)
  • Certificate Management (p. 225)
  • Management Protocols (p. 227)
  • Failure Recovery (p. 227)
  • Applications (p. 228)
  • Successes and Shortcomings (p. 228)
  • Lessons Learned (p. 231)
  • Chapter 15 California Independent Service Operator (p. 233)
  • CAISO Architecture (p. 234)
  • Cryptographic Environment (p. 235)
  • PKI Architecture (p. 236)
  • Certificate and CRL Profiles (p. 241)
  • Repositories (p. 246)
  • Certificate Management (p. 246)
  • Management Protocols (p. 248)
  • Failure Recovery (p. 249)
  • Applications (p. 249)
  • Successes and Shortcomings (p. 250)
  • Lessons Learned (p. 252)
  • Chapter 16 The Federal Bridge CA Project (p. 255)
  • Federal PKI Architecture (p. 256)
  • Cryptographic Environment (p. 256)
  • PKI Architecture (p. 258)
  • Certificate Policies (p. 260)
  • Certificate and CRL Profiles (p. 262)
  • Repositories (p. 264)
  • Certificate Management (p. 265)
  • Management Protocols (p. 265)
  • Applications (p. 267)
  • Successes and Shortcomings (p. 268)
  • Lessons Learned (p. 269)
  • Chapter 17 Future Developments (p. 271)
  • Cryptography (p. 271)
  • PKI Architectures (p. 274)
  • Certificates (p. 274)
  • Attribute Certificates (p. 274)
  • Qualified Certificates (p. 277)
  • Alternative Certificate Formats (p. 279)
  • Certificate Status (p. 280)
  • On-line Certificate Status Protocol (p. 280)
  • Sliding Window Delta CRLs (p. 282)
  • Repositories (p. 284)
  • Certification Path Construction and Validation (p. 285)
  • Certification Path Validation Testing (p. 285)
  • Delegated Certification Path Construction Services (p. 286)
  • Certification Path Validation Services (p. 288)
  • Management Protocols (p. 289)
  • Interoperability of Heterogeneous Products (p. 290)
  • In-Person Authentication (p. 290)
  • Private Key Recovery (p. 291)
  • Centrally Generated Keys (p. 291)
  • Legal and Policy (p. 292)
  • E-Sign (p. 293)
  • Health Insurance Portability and Accountability Act (HIPAA) (p. 293)
  • Government Paperwork Elimination Act (GPEA) (p. 294)
  • European Directive 1999/93/EC (p. 294)
  • Applications (p. 295)
  • Signed Document Formats (p. 295)
  • ETSI Electronic Signature Format (p. 295)
  • XML Signatures (p. 296)
  • Wireless Application Protocol (WAP) (p. 296)
  • PKI-Enabled Trusted Third-Party Services (p. 298)
  • Timestamping Servers (p. 299)
  • Conclusion (p. 299)
  • Appendix A ASN.1 Primer (p. 301)
  • Syntax Definition (p. 302)
  • Simple Types (p. 303)
  • Structured Types (p. 303)
  • Implicit and Explicit Tagging (p. 304)
  • Other Types (p. 304)
  • Basic Encoding Rules (p. 304)
  • Distinguished Encoding Rules (p. 305)
  • Appendix B Object Identifiers (p. 307)
  • Obtaining Private OIDs (p. 308)
  • American National Standards Institute (p. 308)
  • Other National Standards Bodies (p. 308)
  • Internet Assigned Numbers Authority (p. 309)
  • Computer Security Objects Registry (p. 309)
  • Researching OIDs (p. 309)
  • Bibliography (p. 311)
  • Index (p. 319)

Author notes provided by Syndetics

Tim Polk is the technical lead for PKI at the National Institute of Standards and Technology (NIST).
Russ Housley is Chief Scientist for SPYRUS.