Windows PKI: Getting closer, but not here yet

CIOL Bureau

A year ago, Giga’s assessment of the public key infrastructure (PKI) capabilities native to Windows 2000 found them to fall short of those in third-party offerings. We also suggested that companies keep in mind the uncertainties surrounding the promised improvements in the next version of Windows (then called Whistler).

Today, our overall view of the situation is approximately the same. Though the client version of Whistler (XP) has been released, the server version, now called Windows .NET, is not here yet. Microsoft still plans to include some real improvements in Windows .NET. These improvements will go a substantial way towards addressing the issues identified with the Windows 2000 PKI, and they will enhance the Windows PKI in other ways as well.

Features such as cross-certification, editable certificate templates, integrated key management and other improvements in administrative capabilities are all being built into .NET. To improve application integration, the CAPICOM DLL will be included, allowing a variety of applications to hook into CryptoAPI for cryptographic services like digital signatures and encryption. In short, Microsoft’s efforts to improve its built-in PKI are definitely more than just lip service; they represent a substantial effort. Microsoft outlines some of the enhancements in a white paper on its Web site.

The white paper details enhancements to both the Windows XP Professional client and the Windows .NET Server, and many important improvements (user auto-enrollment, for example) are listed as client enhancements. But according to the section on dependencies at the end of the paper, implementing most of the client enhancements requires the .NET Server as well. So the question still remains: when exactly will .NET be launched, and will all the promised functionality really be there in this version?

Right now, the launch date appears to be slated for the second half of this year, but launch dates have slipped before. And while .NET’s PKI capabilities will certainly represent a huge improvement, the precise feature set may not be set in stone yet.

In short, there is still some uncertainty surrounding the Windows PKI, and the situation remains fairly similar to last year’s: Companies that have an immediate need for more advanced PKI features probably can’t afford to wait for .NET. Only companies that have flexibility regarding their PKI deployments can wait to see when it finally arrives and what it has to offer. The difference today is that the improved PKI is now closer, and it is getting closer all the time, so more and more companies may find that they are willing to put off their deployments.