Thursday, May 1, 2008

PKI Legerdemain

Legerdemain is French and literally means "lightness of hands". In English we usually translate it as 'sleight of hand', and it speaks to the actions of a magician when he makes that coin appear from behind our ear, or magically picks out the one card in 52 that we'd glibly selected from the pack.

The subject of PKI and MDM comes up a lot. Customers approach it with trepidation - and who can blame them, since we're talking about something that was designed by committee?

I'm very much a proponent of MS PKI, but I can say that because I've been in places and positions most people haven't. I've worked with brilliant PKI people who were only too happy to share their knowledge with me. In my former life as a Security Consultant with Moldevort, Incorporated [1,2], I got to design and implement enterprise-wide PKIs and have seen how well they can work. But I'm the exception and not the rule.

The subject of this post refers to legerdemain because MS has done a very clever act of legerdemain; in bundling their PKI offering into the base server license it makes it almost look like you're getting a free lunch, but as we all know there's no such thing.

That notwithstanding, products like OCS and now MDM rely very heavily on this technology. The subtle but important difference between the two is that MS backed off on pushing the MS PKI route for OCS, and you can very easily implement OCS using a third-party offering. Not so MDM. Sure, there's a compromise solution in place, in that by design the MS PKI functions wonderfully as a subordinate of an existing Public Key Infrastructure, but the reality is that for MDM to work you must have a Microsoft Enterprise Certificate Authority in place or it won't work, period (or 'full stop').

So, now we have MDM wrapped up into the PKI bundle. It must use the MS PKI for reasons I'll go into in my Tech Ed session in June, but what does this really mean? Just how difficult is it to implement PKI in the enterprise? Is it really that difficult? Or does paranoia abound?

Questions, questions, questions...

I'm going to give this some thought, do some research, and post a series out here on my spin on how to approach it.

The beauty of not working for Microsoft and not posting stuff like this on the Enterprise Mobile blog is that anything that may prove to be crap comes down on my head alone and doesn't reflect on anyone else. I'm cool with that. There's a reason why I found a pair of asbestos y-fronts under the tree this past Christmas.

Stay tuned.

[1] Otherwise known as 'they who shall not be named'
[2] The Spoonerism was unintentional but works quite well, I think.