Commentary: PKI key to security alliance

By Vic Wheatman, Gartner Analyst

IBM's teaming with VeriSign to promote VeriSign's Internet security solutions and services may create tremors in the growing market for authentication services.

	See news story: VeriSign, IBM strike security pact

At the heart of this announcement for network-based management of entitlements is public key infrastructure (PKI)--a means of registering users and devices through the use of certificates, and of verifying their public and private cryptographic keys. These keys, in turn, are used to authenticate identity to systems and to encrypt information.

IBM has been offering its own such solutions for several years, but chose not to go into the PKI services business over liability concerns. The IBM Global Services unit also resells PKI software from others--most notably Entrust--depending on customer requirements.

Consequently, the new relationship with VeriSign for a network-based service signals IBM's strong confidence in supporting an evolving service from VeriSign, which has been developing its own strong brand of trust since its start in 1994. Moreover, by embedding standards--such as XKMS, an Extensible Markup Language-based, certificate-handling protocol being developed by VeriSign-led standards-making efforts--the need for cryptographic tool kits to integrate PKI with applications can be averted.

Although IBM is selling other software providers' PKI solutions, its extension into services in partnership with VeriSign will competitively affect the other providers, which have partnered with firms such as PricewaterhouseCoopers, Electronic Data Systems and others in offering their PKI solutions.

Gartner recommends that enterprises, in evaluating these entitlements services, first determine the applications that will benefit from them. Next, enterprises should assess whether it's suitable for them to outsource such a function. However, if enterprises decide that their applications are too strategically important or that their applications' features are too critical or complex, then they should carefully weigh the merits of running such a system themselves.

(For a related commentary on VeriSign's recent activities, see gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.