Understanding Pki: Concepts, Standards, and Deployment Considerations

This is an excellent summary and overview of a difficult topic. It simplifies and explains without removing important detail or obscuring unsolved problems. It's an excellent book for technical people new to PKI, or for manager/business types who need a deeper understanding of the technology. I bought extra copies to hand out at work to people who needed to know this stuff.

Pundits, the press, and other elements of the cognoscenti invariably attempt to make every year "the year of" something. For whatever else 2000 might be the year of, many technology periodicals have proclaimed it the year of public key infrastructure, or PKI. Didn't know that? Many people don't even understand the term, which is neither descriptive nor intuitive.In the physical world, trust is built through a complex web of social, legal, national, international, and business transactions that can take years or decades to develop. Items such as driver's licenses or passports create trust, because they are underwritten by the issuing authority. Unfortunately, the same level of trust is much harder to implement in the electronic world. One way to do so is via PKI. As an example, one can use a passport for identification in the physical world. The cyberspace equivalent could be a digital certificate for authentication. Similarly, ink-based signatures are used on binding contracts. In the digital world, digital signatures are used to ensure a concept called nonrepudiation, by which the party involved in a process cannot later deny that he or she took part in it. Understanding Public-Key Infrastructure is a guide to the effective deployment of PKI. The authors do a great job of covering the critical areas of PKI, including certification, operational considerations, standardization efforts, and deployment issues. The authors deserve credit for producing a guide that avoids getting bogged down in minutiae and other technical details. Their approach is to cover a topic at a broad level, delve into some detail, then refer the reader to an appropriate source for particulars. They are also obsessively vendor-neutral. This is an important book for those who expect to do e-commerce. Because whether anyone realizes it or not, this is the year of the PKI.This review of mine originally appears at http://www.securitymanagement.com/library/000859.html

I'm giving courses on PKI. I was looking for a good reference for my students. Finally found one! I read it cover to cover: comprehensive, very easy to read, vendor-neutral (very important to me), not biaised: also gives you the pros and cons, issues with PKI. A must to read if interested in PKI.

"Understanding Public-Key Infrastructure" is well written and is a terrific book. It is the most complete and succinct book available on the subject of PKI. Other books deal with various detailed aspects of Public-Key Infrastructure, but this particular book is the best available in forming a clear overall perspective of the subject area. A great book for managers or technical readers which are looking for good, solid information but which don't want excessive details. I enjoyed the book, and feel the authors did an excellent job in describing the subject of PKI. The approach taken in this book is useful, not hyped. The coverage is broad and extensive but not encumbered by inordinate detail about algorithms and protocols. Explanations are clear and concise. I am pleased to recommend the book to anyone looking for a very good, succinct but thorough treatment of the subject area.

I gave this five stars for the breadth of coverage. I don't need yet another book on cryptography -- I already have a shelf full. Carlisle and Steve cover the PKI turf without getting unnecessarily bogged down in technical details. For example, they cover the functions and differences of ECDSA versus ECDH in about a paragraph. If you want to know how the algorithms work, read Applied Cryptography. This has a clear, concise, and non-technical explanation of just about every concept, standard, and issue a project manager would need to know about PKI. I give credit for not trying to cover the technical issues in depth -- rather, this takes the approach of: here's the issue, here are the alternatives, and if you want to know more read ...The concepts and issues are very current, and cover proposed and draft standards, including Privilege Management Infrastructure, certificate revocation mechanisms, trust models, etc. Excellent coverage!