CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Internet

Commentary: Revoked security certificates can hurt enterprises

Sun Microsystems' warning that several of its public key certificates have been compromised points to a serious problem with this widely used security technology.

By John Pescatore and Victor Wheatman, Gartner Analysts

Sun Microsystems' warning that several of its public key certificates have been compromised points to a serious problem with this widely used security technology: Enterprises are often unaware that certificates they rely on have been revoked and thus should not be trusted.

See news story:
Experts say browsers fall short on certificate alerts
The authority signing the keys--in this case, Sun--is supposed to maintain certificate revocation lists and make them available to all subscribing parties. Applications can then check to see if certificates are still valid and quickly notify security administrators of any problems.

Part of the problem is that any system that relies on manual input is inherently fallible. Software tools that speed the process are available--for example, the OnLine Status Protocol, which validates certificates in real time--but are not yet widely deployed and still require applications to initiate the check. Specialized vendors such as ValiCert and CertCo offer validation tools and services. However, as Sun's difficulties show, none of those approaches are yet commonly used.

The bottom line: Just as merchants have to check the validity of a credit card before every purchase, enterprises must confirm the validity of digital certificates on a timely and ongoing basis. Major software vendors such as Sun should provide applications that do this as integral components of their products. Until they do, they can expect continuing questions about the true strength of their security.

(For related commentary on choosing a public key infrastructure vendor, see TechRepublic.com--free registration required.)

Entire contents, Copyright © 2000 Gartner Group, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.