Microsoft Aims To Make Windows PKI, RMS Certificates Interoperable

Both Windows PKI and Rights Management Services (RMS) are key for security and B2B e-commerce, particularly as Microsoft works to integrate better extranet and cross-company authentication features in a Windows Server update due out in 2005. But there's a snag: The digital certificate systems of PKI and RMS don't speak the same language. The PKI infrastructure in Windows Server 2003, for example, issues X.509 certificates, while the newer RMS add-on uses certificates and licenses based on XrML 1.2.1.

To solve that dilemma, Microsoft plans to make the certificate issuance systems of PKI and RMS interoperate, according to the company's monthly security briefing on Tuesday.

"Today, RMS is based on another [certificate authority] than PKI, and that's because it's based on an XrML license and certificate other than X.509. Today, they're a separate infrastructure," said David Cross, lead program manager for PKI at Microsoft. "We understand customer concerns, and the major direction in the future is to provide more integration and common management between the two infrastructures to simplify deployment."

Michael Cherry, an analyst for Directions on Microsoft, an industry newsletter in Kirkland, Wash., said he doesn't know of many customers using PKI or RMS but is trying to assess the impact of having two certificates.


"For whatever reason, the team building Windows Rights Management [Services] didn't use PKI in Windows," Cherry said. "I'm trying to research how much effort is there in maintaining PKI once installed and how much is duplicated if you are running Windows PKI and then have to run a second PKI for Windows Rights Management."

Microsoft has worked steadily to improve the PKI features of the Windows operating system and make them more accessible, Cross added. The Windows Server 2003 PKI facilities, for instance, allow customers to use public keys to securely exchange information across the Internet, extranets, intranets and applications. And in Windows XP, Microsoft integrated a user certificate auto-enrollment capability that lets administrators issue and revoke digital certificates for end users from within Active Directory.

"Certificates make it easy to distribute keys and share those keys in a meaningful way to end users. If they try to use the keys, it's hard for users to understand," Cross said of digital signatures. "The nice thing about PKI is that I don't have to share the information with everyone. People can encrypt the information and not expose key information."

Meanwhile, the RMS add-on for Windows Server 2003, first released last November, gives companies a way to secure, assign access rights to and stamp expiration dates on Office 2003 documents, including Word, Excel, PowerPoint and Outlook. And last week, Microsoft touted major plans to bring RMS to the forefront by embedding it, along with complementary extranet features, into the Windows Server update in 2005.

Other industry observers say Microsoft aims to give up exclusive control of the separate certificate-issuance rights for RMS and hand those keys to third-party ISVs such as VeriSign and RSA, which also will help make systems more interoperable. In addition, Microsoft is expected to offer support for customers who want to set up an RMS certificate authority (CA) in-house.

As Microsoft integrates better certificate interoperability and extranet facilities into Windows for secure B2B transactions, it also is pushing existing features and support for mixed systems. For example, Windows XP and Windows Server customers can already use Active Directory and PKI to control access to data, use the Windows Encrypting File System (EFS) to protect data on disk, and use the RMS add-on to protect data in Office documents, said Mike Nash, corporate vice president of the Security Business and Technology Unit at Microsoft.

"You can deploy PKI to applications and have secure mail, secure Web services and secure Web commerce," said Nash, who emphasized the authentication, authorization and access management theme during his security Webcast this week, noting that it can tighten up access to Windows systems while granting robust rights to partners and suppliers.

Microsoft executives also pointed out that the Windows PKI currently supports Unix, Linux and other clients, and that Microsoft Identity Integration Server (MIIS) Enterprise Edition supports multiple directories, enabling organizations that use Sun Microsystems, Novell and other directories to participate in Windows transactions.