An Introduction to Entrust PKI
Last updated: September 14, 2004
2004 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All Entrust product names are trademarks of Entrust, Inc. or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners. The material provided in this document is for information purposes only. It is not intended to be advice. You should not act or abstain from acting based upon the information in this document without first consulting with a professional. ENTRUST DOES NOT WARRANT THE QUALITY, ACCURACY OR COMPLETENESS OF THE INFORMATION CONTAINED IN THIS ARTICLE. SUCH INFORMATION IS PROVIDED "AS IS" WITHOUT ANY REPRESENTATIONS, WARRANTIES AND/OR CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, BY USAGE OF TRADE, OR OTHERWISE, AND ENTRUST SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, TITLE, NON-INFRINGEMENT, OR FITNESS FOR A SPECIFIC PURPOSE. This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant. Export and/or import of cryptographic products may be restricted by various regulations in various countries. Licenses may be required.
Contents
Welcome (p. 3)
What can Entrust PKI do for me? (p. 4)
What is a PKI? (p. 5)
  Security through cryptography (p. 5)
  Digital Certificates (p. 11)
  Certification Authority (p. 12)
  Public-key infrastructure (p. 13)
What is Entrust PKI? (p. 17)
  Entrust Authority Security Manager (p. 18)
  Entrust Authority Security Manager Control (p. 18)
  Entrust Authority Security Manager Administration (p. 18)
  Entrust Authority Security Manager database (p. 19)
  Entrust Ready Directory (p. 19)
Entrust Solutions (p. 20)
  Entrust Secure Identity Management Solution (p. 21)
  Entrust Secure Data Solution (p. 22)
  Entrust Secure Messaging Solution (p. 22)
Entrust Products (p. 24)
  Entrust Entelligence (p. 24)
  Entrust Authority (p. 25)
  Entrust Secure Transaction Platform (p. 29)
  Entrust GetAccess (p. 29)
  Entrust TruePass (p. 30)
  Third-Party Products (p. 30)
Managing Entrust PKI (p. 31)
  Master User (p. 32)
  Security Officer (p. 32)
  Administrator (p. 33)
  Directory Administrator (p. 33)
  Auditor (p. 34)
  End User (p. 34)
Deployment issues and considerations (p. 35)
  Project initiation and planning (p. 36)
  Requirements analysis and design (p. 36)
  Development and testing (p. 36)
  Installation, integration, and testing (p. 37)
  Deployment (p. 37)
  Operations and maintenance (p. 37)
  Other information (p. 38)
Where to get assistance (p. 39)
  Have comments/suggestions/questions? (p. 39)
  Telephone, e-mail, and online support (p. 39)
  Training and certification (p. 41)
  Advising on PKIs (p. 42)
  Services (p. 43)
  Further information on PKI (p. 43)
Index (p. 45)
Welcome

This document provides an overview of Entrust PKI. You should read it if you want an introduction to public-key infrastructure and a quick overview of Entrust's products and services. It is suitable for new PKI administrators, or anyone within your organization who wants to learn more about PKI and its operation.

Topics in this document include:
- What can Entrust PKI do for me? (page 4)
- What is a PKI? (page 5)
- What is Entrust PKI? (page 17)
- Entrust Solutions (page 20)
- Entrust Products (page 24)
- Managing Entrust PKI (page 31)
- Deployment issues and considerations (page 35)
- Where to get assistance (page 39)

Additional information

If you require more detailed information on public-key infrastructures and Entrust products and services after reading this document, refer to our Web site, located at: http://www.entrust.com/
What can Entrust PKI do for me?

Entrust software can secure digital identities and information, allowing you to place trust in all forms of electronic transactions. Trust is gained through user authentication, digital signatures, and the protection of confidential information.

While every organization has security needs, not all organizations' needs will be the same. Possible security needs include:
- personal document security
- e-mail security
- document/e-mail origin and time verification
- secure software and hardware transmission
- simple and transparent function on the network

In addition to providing these services for their users, an organization's planners and administrators may have security requirements such as:
- security policy management
- roaming user support
- user-based self-registration and administration
- secure communications and transactions over a network
- controlled resource access for employees, customers, or partners
- secure remote access using Virtual Private Networks (VPNs)
- secure access to enterprise resource planning (ERP) software
- secure wireless device communication
- cryptographic hardware device security enforcement
- customized security solutions using software toolkits

The solution that can address all of these security needs? A PKI.

ENTRUST PKI AND YOU
What is a PKI?

PKI stands for public-key infrastructure. By using a PKI as the basis for all its security solutions, Entrust software can enable secure digital identities and transactions. To understand how a PKI provides security, you must first understand three underlying concepts: security through cryptography, digital certificates, and the Certification Authority.

Security through cryptography

To keep data confidential, and to provide a user with a digital signature, each user has a number of different keys. The keys that keep data confidential are the encryption key pair, used in conjunction with symmetric keys. The keys that provide a digital signature are known as the signing key pair.

Data security using the encryption key pair and symmetric keys

The encryption key pair, used in conjunction with symmetric keys, keeps data confidential. The encryption key pair consists of:
- a public key, used only for locking (encrypting) data, known as the encryption public key
- a private key, used only for unlocking (decrypting) data, known as the decryption private key

Encrypting and decrypting data with a public-private encryption key pair is known as asymmetric cryptography or, as it is more popularly known, public-key cryptography. The two keys are mathematically related, but the private key cannot in practice be derived from the public key, which is why the public key can be handed out freely.

Encryption public key: anyone has access to it; used for encrypting data.
Decryption private key: only its owner has access to it; used for decrypting data.
The additional keys used for data security are known as symmetric keys. A symmetric key is like a physical key people use in their daily lives, in which the same key is used to both lock and unlock items. Symmetric keys are used for both encrypting and decrypting data. This process is known as symmetric cryptography. The primary benefit of symmetric encryption is speed, so symmetric algorithms are especially suited to encrypting and decrypting large amounts of data. Their drawback is that both parties must hold the same secret key, which is why the encryption key pair is used to deliver it, as the following steps show.

Symmetric key: used for both encrypting and decrypting data.

The process of using both symmetric-key and public-key cryptography to secure data involves the following steps:

1. The sender locks the data (encrypts it) with a symmetric algorithm and a one-time symmetric key, generated randomly for this step. In its normal state the data is readable; in its encrypted state it is unreadable.
2. The sender then encrypts the symmetric key with the recipient's encryption public key. In its unencrypted state the symmetric key can be used to decrypt any data it has previously encrypted; in its encrypted state it is unusable.

3. The sender then forwards both the encrypted data and the encrypted symmetric key to the intended recipient.

4. After receiving the encrypted data and the encrypted symmetric key, the recipient first unlocks the symmetric key (decrypts it) with their decryption private key. The symmetric key is now usable again.

Note: Since the sender locked the symmetric key using the recipient's encryption public key, only the recipient's decryption private key is capable of unlocking it.
5. With the symmetric key usable again, the recipient uses it to decrypt the data, which is then readable again.

Digital signatures using the digital signature key pair

The digital signature key pair provides a user with a way to generate a digital signature. A digital signature allows a recipient to verify the identity of the person who signed the data, and to determine whether the data has been altered since it was signed.

The digital signature key pair is composed of a signing key (known as the signing private key) and a verification key (known as the verification public key).

Signing private key: held privately by its owner and used to sign data; no other user has access to it.
Verification public key: a non-secret key used to verify a signature; a successful verification proves that the signature was produced by the matching signing private key.
To affix a digital signature, a sender follows these steps:

1. The sender starts the process by taking a mathematical summary, called a hash code, of the data. This hash code is a digital fingerprint of the data: the hash function is designed so that finding two different inputs with the same hash code is infeasible, and if even a single bit of the data changes, the hash code changes.

2. The sender then signs the hash code with their signing private key. (With RSA this operation is often described as "encrypting" the hash code with the private key; for other signature algorithms it is not an encryption, but in every case it is a computation that only the holder of the signing private key can perform.)

3. The sender then forwards the data and the signed hash code (the signature) to the intended recipient.

How can the signed hash code be considered a signature? The signed hash code is an item that only the sender, using their signing private key, could have produced.

The next series of steps describes verification of the signature and confirmation that the data has not been altered since it was signed.
1. Upon receipt of the data and the signed hash code, the recipient has to verify that the hash code was signed by the sender. This is done by checking the signed hash code with the sender's verification public key, which recovers the original hash code.

2. At the same time, a new hash code is created from the received data.

3. The new hash code and the recovered hash code are compared. If the hash codes match, the recipient has verified that the data has not been altered.

How do matching hash codes indicate that the data was not altered since the signature was created?
The hash function that produced the hash codes is extremely sensitive to changes in data. If the data had been altered in any way, the new hash code would not be identical to the original hash code. Matching hash codes indicate that the data is in the same state it was in when it produced the original hash code, so no alteration of the data has taken place. (If the hash codes do not match, the recipient cannot tell whether the data or the signature was altered, only that the signature must be rejected.)

Note: A digital signature guards data against undetected modification, but it does not prevent unauthorized eyes from viewing the data. To protect data against unauthorized access, you must also encrypt the data.

Digital Certificates

Using public and private keys to encrypt and sign data raises an important security-related question: how can you be sure that the public key you are using belongs to the right person? The solution: bind the public key and its user together in a digital certificate.

A digital certificate is an object that contains (among other items), in an industry-standard format:
- information detailing the person's identity
- a public key, associated exclusively with the person
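The two procedures from the "Security through cryptography" section above (encrypting data with a one-time symmetric key that is itself encrypted under the recipient's encryption public key, and signing by hashing the data and applying the signing private key) as one worked example. This is an added illustration written for this page, not code from the Entrust document or from any Entrust product. It uses the Go standard library, and the choice of RSA-OAEP for wrapping the symmetric key, AES-256-GCM for the data, and RSA-PSS with SHA-256 for the signature is an assumption of the example, not a statement of which algorithms Entrust PKI uses; Alice, Bob and the message are constructed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the sender forwards in step 3: the encrypted data plus the
// one-time symmetric key, itself encrypted under the recipient's encryption public key.
type Envelope struct {
	WrappedKey []byte // step 2: symmetric key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce: not secret, but must never repeat under one key
	Ciphertext []byte // step 1: data encrypted and integrity-tagged with AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt carries out steps 1 to 3: encrypt the data with a random one-time
// symmetric key, then encrypt that key with the recipient's encryption public key.
func Encrypt(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh 256-bit key, generated for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt carries out steps 4 and 5: only the matching decryption private key can
// unwrap the symmetric key, and only the unwrapped key can open the data.
func Decrypt(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the symmetric key stays locked
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the ciphertext was altered
}

// Sign hashes the data and applies the signing private key to the hash (RSA-PSS).
func Sign(signerPriv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, signerPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the hash of the received data and checks it against the
// signature with the verification public key; any change to either makes it fail.
func Verify(signerPub *rsa.PublicKey, data, signature []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], signature, nil) == nil
}

// Demo runs the whole exchange: Alice signs a message and encrypts it for Bob;
// Bob decrypts it and verifies the signature. It reports whether the plaintext
// round-tripped and whether a one-bit change to the data was caught.
func Demo() (roundTripped, tamperDetected bool, err error) {
	bobEnc, err := rsa.GenerateKey(rand.Reader, 2048) // Bob's encryption key pair
	if err != nil { return false, false, err }
	aliceSig, err := rsa.GenerateKey(rand.Reader, 2048) // Alice's signing key pair
	if err != nil { return false, false, err }
	msg := []byte("constructed sample message: pay 100 EUR to account 42")
	sig, err := Sign(aliceSig, msg)
	if err != nil { return false, false, err }
	env, err := Encrypt(&bobEnc.PublicKey, msg)
	if err != nil { return false, false, err }
	got, err := Decrypt(bobEnc, env)
	if err != nil { return false, false, err }
	tampered := append([]byte(nil), got...)
	tampered[0] ^= 0x01 // flip one bit of the data after signing
	roundTripped = bytes.Equal(got, msg) && Verify(&aliceSig.PublicKey, got, sig)
	tamperDetected = !Verify(&aliceSig.PublicKey, tampered, sig)
	return roundTripped, tamperDetected, nil
}

func main() {
	fmt.Println(Demo())
}
```

Two design points follow directly from the text: the symmetric key is generated fresh for each message and is only ever transmitted inside the RSA wrapping, and the signature covers a hash of the data rather than the data itself. AES-GCM also authenticates the ciphertext, so a modified envelope is rejected at decryption time before the signature is even checked; the signature remains necessary because it is the only thing that ties the data to Alice's identity.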
Certification Authority

A digital certificate associates a public key with an individual user. But how do you know that the information in the certificate is valid? How do you know that the correct public key has been associated with its rightful user? The solution: have the information in all certificates verified by a Certification Authority.

A Certification Authority is a trusted entity whose central responsibility is the authentication of users. In essence, the function of a Certification Authority is analogous to that of a government passport office. A passport is a citizen's secure document (a "paper identity"), issued by an appropriate authority, certifying that the citizen is who he or she claims to be. Any other country trusting the authority of that country's passport office will trust the citizen's passport. This is an example of third-party trust.

Similar to a passport, a user's certificate is issued and signed by a Certification Authority, acting as proof that the correct public key is associated with that
particular user. Therefore, through third-party trust, anyone trusting the Certification Authority can also trust the user's key.

[Figure: the Certification Authority signs certificates. Bob's encryption certificate and verification certificate, and Alice's encryption certificate and verification certificate, are publicly available. Bob's decryption private key and signing private key, and Alice's decryption private key and signing private key, are privately held.]

If Bob or Alice trust the Certification Authority, they can be sure that the certificates signed by it are associated with their rightful owners. With this trust established, encryption can take place, with the sender knowing that only the intended recipient will be able to decrypt the data, and verification can take place, with the recipient knowing that only the signer could have signed the data. In practice this trust rests on two checks the client software performs: the Certification Authority's signature on the certificate must verify, and the copy of the Certification Authority's own verification public key used to check it must be genuine.

To organize public-key cryptography, digital certificates, and a Certification Authority in a manner that provides a more manageable, flexible, and reliable form of security, you use a security management system known as a public-key infrastructure.

Public-key infrastructure

A public-key infrastructure (PKI) is a framework that provides security services to an organization using public-key cryptography. These services are:
- implemented across a networked environment
- used in conjunction with client-side software
- customized by the organization implementing them
An added bonus of a PKI system is that all security services are provided transparently: users do not need to know about public keys, private keys, digital certificates, or Certification Authorities in order to take advantage of the services provided by a PKI.

In addition to providing integrity of digitally signed data and protection of encrypted data, a fully functional PKI must provide a number of core services. These are outlined in Figure 1.

Figure 1: Services implemented by a public-key infrastructure
- Enabling trust (and managing services) through a Certification Authority
- Certificate retrieval from a certificate repository
- Establishing trust with other PKIs
- Certificate revocation
- Non-repudiation of digitally signed data
- Key backup, history, and recovery
- Automatic update of key pairs and certificates

All the above services are supported by client software, which enables users to participate in a consistent and transparent PKI. The following sections discuss the core services of a PKI.
Enabling trust through a Certification Authority

The Certification Authority manages the PKI and enables trust among its users. It enables this trust by certifying that the association between a user and their key pairs is valid.

Certificate retrieval from a certificate repository

The PKI's users must be able to locate public keys contained within certificates in order to secure information for other users. They can do this by going to a publicly accessible storage area where certificates can be found, known as a certificate repository.

Certificate revocation

The PKI's users must be able to verify whether a certificate is still trustworthy at the time of use. If a certificate is no longer trustworthy (for example, because its private key has been compromised or its owner has left the organization), it must be revoked by the Certification Authority. The certificate revocation mechanism publishes information about certificates revoked by the Certification Authority in a publicly available list, signed by the Certification Authority, known as a certificate revocation list (CRL). Client software must obtain a current CRL, check the Certification Authority's signature on it, and consult it before each use of a certificate; an otherwise valid certificate gives no assurance if the revocation check is skipped. If a user attempts to use a revoked certificate, they are informed that use of the certificate is no longer considered secure.

Key backup and recovery

The PKI's users must be sure that they will be able to decrypt data that was encrypted for them, even in cases where they lose their profiles or forget their passwords. To protect users' access to this data, the PKI backs up users' decryption private keys and returns them to the user when required. The latter operation is called key recovery. (Signing private keys are deliberately never backed up; see "Non-repudiation of digitally signed data" below.)

Automatic update of key pairs and certificates

To maintain a high level of security, most keys and certificates must have a finite lifetime. To spare the user the annoyance of having to manually update this information when their keys and certificates expire, a PKI can perform this task automatically. Automatic updating keeps things simple for the user, as keys are generated and replaced automatically before they are due to expire. At the same time, security is increased through finite key lifetimes.
Note: One key that must never be discarded is the decryption private key. Even after its certificate expires and a new encryption key pair has been issued, the old decryption private key is kept in the user's key history, because it may be needed in the future to access data that was encrypted under the corresponding public key.
Establishing trust with other PKIs

Sometimes users in a PKI community must exchange sensitive communications with users in other PKI communities. For example, two trading partners, each with their own Certification Authority, may want to validate certificates issued by the other partner's Certification Authority. Two ways of creating extended third-party trust among users of different PKIs are:

- Peer-to-peer trust: trust is created through two or more Certification Authorities securely exchanging their verification public keys, which are used to verify each Certification Authority's signature on certificates. By signing each other's verification public key, each Certification Authority creates a certificate for the other Certification Authority, thus allowing its users to trust the other Certification Authority. This creates a peer-to-peer level of trust among the cross-certified Certification Authorities.

- Hierarchical trust: trust is created by establishing a root of trust among Certification Authorities. A hierarchy of Certification Authorities (also known as a strict hierarchy) is a way of arranging two or more Certification Authorities in a restrictive trust relationship. A Certification Authority that is in a hierarchy has its Certification Authority certificate signed by its direct superior. A superior may be the root of the hierarchy, or some level of subordinate beneath the root. The pattern of superiors signing their subordinates' certificates eventually converges at the root, which signs its own Certification Authority certificate. Each subordinate is at the end of a certificate chain that begins with the root's certificate. In effect, all Certification Authorities and users in a hierarchy can trust each other, because they all share a trust anchor (the root of the hierarchy).

Non-repudiation of digitally signed data

Non-repudiation means that an individual cannot successfully deny involvement in a legitimately signed transaction.
To achieve this within a PKI, the key used to create digital signatures (the signing private key) must be generated and securely stored in a manner under the sole control of the user at all times. Since the signing private key is never backed up, or made available to anyone but the user, it is very difficult for a user to repudiate data that carries their digital signature. This argument holds only while the key remains under the user's sole control: a signing private key that has been copied, shared, or otherwise compromised must be revoked, and signatures made with it after the compromise can no longer be attributed to the user with confidence.

Client software

Client software is used to support all of the elements of a PKI discussed above. Running from the user's desktop, client software makes trust decisions (for example, whether to use a particular encryption public key contained within a particular certificate to encrypt data) based on signed information that is provided by the PKI. Client software provides security services consistently and transparently across applications on the desktop.
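The Certification Authority, hierarchical trust and certificate revocation services described in this section, as one worked example: a self-signed root, a subordinate Certification Authority whose certificate the root signed, Bob's verification certificate signed by the subordinate, and a relying party that chains Bob's certificate to the root and then checks the subordinate's CRL. This is an added illustration written for this page using Go's standard crypto/x509 package; it is not Entrust code and does not model the Security Manager database or the Directory. The CA names, serial numbers, one-year lifetimes, ECDSA P-256 keys and the one-day CRL interval are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 signing key pair. Assumption of this example: every
// party uses ECDSA signing keys; encryption key pairs play no part in a chain.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// template describes the certificate to be issued: a CA certificate may sign
// certificates and CRLs, an end-user certificate may only sign data.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // assumed serials; real CAs use unpredictable ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // assumed one-year lifetime
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	return t
}

// issue has the issuer sign the subject's public key into a certificate. A nil
// issuer self-signs, which is how the root of a hierarchy is created.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if issuer == nil { issuer = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// Hierarchy is a strict hierarchy: a self-signed root, a subordinate CA whose
// certificate the root signed, and Bob's verification certificate signed by the subordinate.
type Hierarchy struct {
	Root, Sub, Bob *x509.Certificate
	subKey         *ecdsa.PrivateKey // retained so the subordinate can sign a CRL
}

func BuildHierarchy() *Hierarchy {
	rootKey, subKey, bobKey := newKey(), newKey(), newKey()
	root := issue(template("Example Root CA", 1, true), &rootKey.PublicKey, nil, rootKey)
	sub := issue(template("Example Subordinate CA", 2, true), &subKey.PublicKey, root, rootKey)
	bob := issue(template("Bob", 3, false), &bobKey.PublicKey, sub, subKey)
	return &Hierarchy{Root: root, Sub: sub, Bob: bob, subKey: subKey}
}

// RevokeBob has the subordinate CA publish a signed CRL listing Bob's serial number.
func (h *Hierarchy) RevokeBob() []byte {
	crl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour), // assumed publication interval
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.Bob.SerialNumber, RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, crl, h.Sub, h.subKey)
	if err != nil { panic(err) }
	return der
}

// Validate is the relying party's check: the leaf must chain to the trust anchor
// through the supplied intermediates and, when a CRL is supplied, the CRL must be
// signed by the leaf's issuer, still current, and must not list the leaf's serial.
// x509.Verify does not consult CRLs, so the revocation check is written out.
func Validate(leaf, anchor *x509.Certificate, intermediates []*x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates { inters.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { return err }
	if crlDER == nil { return nil }
	if len(chains[0]) < 2 { return errors.New("leaf is its own trust anchor; no issuer to check the CRL against") }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { return err } // chains[0][1] is the leaf's issuer
	if time.Now().After(crl.NextUpdate) { return errors.New("CRL is stale: refuse to rely on it") }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return errors.New("certificate has been revoked") }
	}
	return nil
}

func main() {
	h := BuildHierarchy()
	fmt.Println("before revocation:", Validate(h.Bob, h.Root, []*x509.Certificate{h.Sub}, nil))
	fmt.Println("after revocation:", Validate(h.Bob, h.Root, []*x509.Certificate{h.Sub}, h.RevokeBob()))
}
```

The relying party only ever holds the root's certificate as its trust anchor; it accepts Bob's certificate because the subordinate's signature on it verifies and the root's signature on the subordinate's certificate verifies in turn. Give it the wrong root, or withhold the subordinate's certificate, and the chain cannot be built. The CRL check is separate from chain building and is where the page's "at the time of use" requirement is enforced: the CRL's own signature is checked against the issuing CA, a CRL past its NextUpdate is refused rather than silently trusted, and a listed serial number fails the certificate even though its signature and validity period are still fine.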
What is Entrust PKI?

Entrust PKI is a public-key infrastructure containing all the features outlined in the section above, and more. There is no one, single application called Entrust PKI; rather, Entrust PKI is a collection of applications that work together to make up a PKI. The core components of Entrust PKI are:
- Entrust Authority Security Manager
- Entrust Authority Security Manager Control
- Entrust Authority Security Manager Administration
- Entrust Authority Security Manager database
- Entrust Ready Directory

Figure 2 provides an overview of the relationships among these core components of Entrust PKI.

Figure 2: Entrust PKI core components and their relationships
- Entrust Authority Security Manager: sends trusted certificates to the Directory, stores data in the database, and enforces security policies across Entrust PKI.
- Entrust Authority Security Manager database: stores all data used in Entrust PKI.
- The Directory: makes certificate information available to the users of Entrust PKI.
- Entrust Authority Security Manager Control: used by highly trusted administrators to configure Entrust Authority Security Manager.
- Entrust Authority Security Manager Administration: used to administer users and send user information to Security Manager.
- Entrust Ready applications: the client applications that use the PKI.

The following sections discuss the core components of Entrust PKI.
Entrust Authority Security Manager

In Entrust PKI, the role of Certification Authority is held by Entrust Authority Security Manager. The Security Manager can be thought of as the engine of Entrust PKI. The main functions of the Security Manager are to:
- create certificates for all public keys
- maintain a secure database of Entrust PKI information that allows the recovery of users' key pairs (in case a user forgets their password, for example)
- enforce the security policies defined by your organization

Access to Entrust Authority Security Manager is provided through Entrust Authority Security Manager Control and Entrust Authority Security Manager Administration.

Entrust Authority Security Manager Control

Entrust Authority Security Manager Control is a local interface with direct access into the Security Manager. It provides access to the Security Manager for only the most highly trusted administrators (for information on users who administer Entrust PKI, see "Managing Entrust PKI" on page 31). Running in either command-line or GUI form, the Security Manager Control is used for tasks that include:
- starting and stopping the Security Manager service
- recovering profiles for Security Officers (for information on Security Officers, see "Security Officer" on page 32)
- managing the Entrust Authority Security Manager database

Entrust Authority Security Manager Administration

Entrust Authority Security Manager Administration is the administrative component of Entrust PKI. Security Manager Administration uses a graphical interface and communicates securely with the Security Manager. Security Manager Administration is used for administrative tasks that include:
- adding users
- managing users and their certificates
- managing security policies
- cross-certifying with other Certification Authorities
- setting up hierarchies of Certification Authorities
Entrust Authority Security Manager database

The Entrust Authority Security Manager database is under the control of Entrust Authority Security Manager and acts as a secure storage area for all information related to Entrust PKI. In this database the Security Manager stores:
- the Certification Authority signing key pair (this key pair may instead be created and stored on a separate hardware device rather than in the database)
- user status information
- key and certificate information for each user
- Security Officer and Administrator information
- security and user policy information
- certificate revocation information

Note: All information stored in the Entrust Authority Security Manager database is protected against tampering, with all sensitive information being encrypted. Entrust Authority Security Manager provides enhanced database security with the addition of hardware-based database protection, which works by storing the database key on a secured hardware device, so that a copy of the database alone is not enough to read its contents.

Entrust Ready Directory

The majority of user requests for information involve retrieving other users' certificates. To make this information publicly available, Entrust PKI uses a public repository known as an Entrust Ready Directory. The Directory must be Lightweight Directory Access Protocol (LDAP) compatible. Information that is made public through the Directory includes:
- user certificates
- lists of revoked certificates
- client policy information

Note: For information requests and network traffic across Entrust PKI, the Directory is the most frequently accessed component.
Entrust Solutions

The following Entrust Solutions can be combined with the core components of Entrust PKI:
- Entrust Secure Identity Management Solution
- Entrust Secure Messaging Solution
- Entrust Secure Data Solution

By securing digital identities and information, Entrust solutions can help to improve compliance with regulatory demands for stronger internal controls and information privacy, such as Sarbanes-Oxley, the California Data Protection Act, and the Health Insurance Portability and Accountability Act (HIPAA). Figure 3 shows the relationship of each solution to an overall security plan.

Figure 3: Entrust Solutions Relationships

Each of these solutions carries a portfolio of products that can:
- add increased functionality to Entrust PKI
- provide a greater degree of customization
- add to the number of security services available
These product portfolios can function across desktop, mobile, e-mail, web and VPN network platforms, with complementary applications and devices. Toolkits give administrators access to PKI management tools, and can help build applications that satisfy the Entrust Ready program requirements. The following sections cover each solution and its product portfolio. For descriptions of Entrust products used within each solution, see "Entrust Products" on page 24.

Entrust Secure Identity Management Solution

The Entrust Secure Identity Management Solution manages identities and security for users, applications, and devices that connect to the network. The Secure Identity Management Solution achieves this through:
- automated identity provisioning
- workflow and audit capabilities
- user authentication to applications
- environment policy-based authorization
- single sign-on (SSO)
- access control

The Entrust Secure Identity Management Solution portfolio is made up of the following products, services, and devices:
- Entrust Authority Security Manager
- Entrust Entelligence Desktop Manager
- Entrust TruePass
- Entrust Secure Transaction Platform
- Entrust GetAccess
- Entrust Certificate Services
- Entrust USB tokens
- Sun Identity Manager
- Passlogix v-go
Entrust Secure Data Solution

The Entrust Secure Data Solution provides security for sensitive data, without changing user processes within the workplace. This is accomplished through:
- encryption: protects data end-to-end
- authentication: strongly identifies the users, devices or applications attempting to access data
- policy-based access control: manages user access rights to data and applications based on corporate policy
- digital signatures: validate data integrity within transactions and authenticate the parties involved in the transaction

The Entrust Secure Data Solution portfolio is made up of the following Entrust products:
- Entrust Entelligence Desktop Manager
- Entrust Entelligence Security Provider
- Entrust Entelligence Verification Plug-In for Adobe
- Entrust Entelligence File Plug-In
- Entrust Entelligence Disk Security
- Entrust Entelligence Media Security
- Entrust Entelligence Mobile Security
- Entrust GetAccess
- Entrust TruePass
- Entrust Authority Security Manager
- Entrust Authority Toolkits
- Entrust Secure Transaction Platform

Entrust Secure Messaging Solution

The Entrust Secure Messaging Solution provides e-mail security for both external and internal users. This security works across different platforms, including Microsoft Outlook and Lotus Notes. Security is provided through:
- authentication: strongly identifies the users, devices or applications attempting to access data
- encryption: enables end-to-end encryption of messages and attachments, from transit to storage on the desktop or server
- digital signature: confirms the integrity of e-mail and provides an audit trail for transactions
The Secure Messaging Solution also provides security for wireless messaging, using S/MIME protocols. This allows users to securely access their e-mail from both their wireless devices, such as a Research in Motion (RIM) Blackberry handheld, and their desktops, using the same digital ID. The Entrust Secure Messaging Solution is made up of the following Entrust products:
- Entrust Entelligence Desktop Manager
- Entrust Entelligence E-Mail Plug-In
- Entrust Entelligence Security Provider
- Entrust Entelligence Messaging Server
- Entrust Entelligence WebMail Center
- Entrust Entelligence Messaging Server for Lotus Notes
- Entrust Authority Security Manager
- Entrust Authority Self Admin Server
- Entrust Authority Roaming Server

To learn more about Entrust Solutions, visit http://www.entrust.com/solutions/
Entrust Products

Entrust has several product portfolios that function within these solutions. These products enable secure identity and access management through authentication, authorization, digital signatures, and encryption.

Entrust Entelligence

The Entrust Entelligence product portfolio is a suite of security products that can provide a single security layer across multiple enterprise applications. They enable authentication, authorization, digital signatures, and encryption for greater accountability and privacy. The Entrust Entelligence portfolio consists of:

- Desktop Manager: administers digital IDs for users on a single security layer client application.
- Security Provider: allows enhanced security for the Microsoft Windows environment.
- E-Mail Plug-In: enables users to digitally sign and encrypt messages with applications such as Microsoft Outlook, without changing the way the users are accustomed to working.
- File Plug-In: provides security for files and folders stored and used by Microsoft Windows applications.
- Web Plug-In: enables authentication and encryption for secure web communications.
- Verification Plug-In for Adobe: enables users to digitally sign and encrypt .pdf documents.
Messaging Server
The Messaging Server enables secure communication for external partners via a server-based security gateway.

WebMail Center
The WebMail Center enables external partners who do not have certificates or S/MIME capabilities to communicate securely with users in an organization.

Disk Security
Disk Security provides comprehensive laptop and desktop security capabilities designed to automatically protect the entire contents of a hard disk from unauthorized access.

Media Security
Media Security is a PC-based file/folder and media protection application that provides security capabilities - including strong user authentication, authorization and data encryption - that can be used to protect individual files selected by the user.

Mobile Security
Mobile Security is a comprehensive mobile data protection solution that provides security capabilities - including strong user authentication, authorization and data encryption - that can be used to protect applications and confidential data stored on devices such as PDAs and smartphones.

Entrust Authority

The Entrust Authority product portfolio manages the full lifecycle of certificate-based digital identities. Entrust Authority enables encryption, digital signature and authentication capabilities that can be applied transparently across applications and platforms. The Entrust Authority portfolio consists of:

Security Manager
The Security Manager manages and stores the digital keys and certificates that are required within the organization. This includes the Certification Authority private key, certificates for users and devices, and Certificate Revocation Lists (CRLs). The Security Manager software enables the use of digital signatures, digital receipts, encryption, and permissions management, and performs event logging and reporting for audit trails.
Security Manager Administration
Security Manager Administration is the graphical interface that provides a secure communication channel between remote workstations and the Security Manager for administration functions. Security Manager Administration can be used for day-to-day administration of users, as well as policy management by trusted officers.

Administration Services
Administration Services is a Web-based application that is an alternative to Security Manager Administration. Administration Services communicates with Security Manager using XML Access Protocol (XAP), and provides end-to-end security by requiring all administrative transactions to be digitally signed. It can also provide a queued approval and authorization process.

Self-Administration Server
The Self-Administration Server provides users with Web-based self-registration and recovery capabilities for digital identities. The Self-Administration Server web pages can be customized to reflect specific corporate branding, in order to be seamless and simple for users.

Roaming Server
The Roaming Server allows users to log in and have secure access to data from a computer connected to a network or the Internet, without having to carry their digital IDs.

Security Manager Proxy
The Security Manager Proxy uses standard Internet protocols (such as HTTP and HTTPS) to communicate with Entrust Authority Security Manager over an Internet connection. This can be done from a central location, without having to make changes to the existing firewall and security settings.

Timestamp Server
A timestamp shows when a transaction occurred, by way of an electronic date. This can provide tracking and auditing capabilities to organizations, and creates an environment of non-repudiation. The Timestamp Server acts as a trusted third party by issuing timestamps to servers and client-side applications, working in conjunction with digital signature and encryption services.
Enrollment Server for SmartCards
The Enrollment Server for SmartCards uses XML-based protocols and is designed to work with Entrust Authority Security Manager to issue digital certificates for third-party Card Management Systems (CMS). Other capabilities include support for PDAs, smart phones, and web tablets.

Enrollment Server for Web
The Enrollment Server for Web is designed to work with Entrust Authority Security Manager to issue digital certificates to web servers and browsers.

Enrollment Server for VPN
The Enrollment Server for VPN is designed to work with Entrust Authority Security Manager to issue digital certificates to VPN gateways, remote access clients, and network devices such as routers.

Entrust Mobile ID Server
The Entrust Mobile ID Server can be used in place of hardware security tokens to add two-factor authentication to online applications.
Entrust Authority Toolkits

Entrust Authority also includes a suite of toolkits. These toolkits provide security functionality that developers can license for use in their applications. This enables rapid deployment without the need to spend valuable time developing these services in-house. The toolkit suite consists of:

Administration Toolkit for C
The Administration Toolkit for C provides easy-to-use application programming interfaces (APIs) to develop customized registration and administration processes for Entrust Authority Security Manager software.

IPSec Toolkit for C
The IPSec Toolkit for C delivers APIs for the Internet Key Exchange (IKE) protocol, together with the security, scalability, and automated administration provided by Entrust Authority Security Manager.

GSS-API Toolkit for C
The GSS-API Toolkit for C delivers a standards-based GSS-API implementation for development of real-time connectivity applications.

Security Toolkit for Java
The Security Toolkit for Java provides APIs for building SSL, PKIX, PKCS and Entrust Ready security applications. Developers can enable Web sites to identify users by their digital certificates, provide permanent digitally signed records of transactions, and protect data on Web application servers.

PKCS#7 Toolkit for C/C++
The PKCS#7 Toolkit for C/C++ delivers high-level APIs that allow developers to rapidly create S/MIME and Privacy Enhanced Mail (PEM) applications.
Entrust Secure Transaction Platform

The Entrust Secure Transaction Platform is a set of Foundation Security Services that enable secure transactions. These services provide authentication, authorization, digital signatures, and encryption for transactions, and are exposed through Web services interfaces. The Entrust Secure Transaction Platform portfolio consists of:

Identification and Entitlements Server
The Identification and Entitlements Server, which uses Entrust GetAccess, enables organizations to centrally control which identities are trusted for automated Web services transactions, and confirms that the entity trying to access a Web service (or other type of resource) has the right to do so.

Verification Server
The Verification Server delivers integrity and accountability for Web services transactions through centralized digital signatures and timestamping.

Entrust GetAccess

Entrust GetAccess software centrally manages access to multiple applications through a single portal. This provides users with single sign-on to the applications and content they are authorized to see. Entrust GetAccess software can verify who you are doing business with through your online enterprise portal and authorize access to personalized information based on user identities. Additional components in the Entrust GetAccess portfolio include:

Mobile Server
The Mobile Server provides secure web portal services to mobile and wireless users, such as enhanced identification, fine-grained authorization, and single sign-on (SSO).

Proxy Server
The Proxy Server provides a central point of security for all protected Web servers. All authentication, single sign-on, and entitlement checks are completed through the Proxy Server. All access by external users is centralized through the Proxy Server, so the Web servers themselves can be placed behind a firewall.
Entrust TruePass

Entrust TruePass software provides end-to-end Web security that allows users to digitally sign online transactions. Digital receipts are also provided to increase user confidence in the transaction. Entrust TruePass software applies digital signatures to the entire Web page, not only to the data entered by a user, to provide audit and non-repudiation capabilities. Information protected using Entrust TruePass software is more secure while in transit over the Internet, and when stored on the web server and back-end servers.

Third-Party Products

Entrust provides strategic resale and support services for the following third-party products:

Sun Identity Manager
Sun Identity Manager provides centralized identity provisioning, password management, and identity profile management to many different applications, without the need for customization.

Passlogix v-go Single Sign-On
Passlogix v-go Single Sign-On utilizes various forms of initial authentication, including passwords, digital IDs, smart cards, tokens or biometrics, and is designed to seamlessly connect to mainframe, Microsoft Windows, Web or "homegrown" applications. It also enables single sign-on from computers inside or outside the firewall, whether or not the computer is connected to a network.

Entrust USB Tokens
Entrust USB Tokens are designed to securely store an individual's digital identity, specifically their Entrust digital certificates and keys. These portable tokens plug into a computer's USB port either directly or using a USB extension cable. When users attempt to log in to applications via the desktop, VPN/WLAN or Web portal, they are prompted to enter their unique PIN. If the entered PIN matches the PIN held on the Entrust USB Token, the appropriate digital credentials are passed to the network and access is granted. PINs stored on the token are encrypted for added security.
For more information on Entrust products, visit http://www.entrust.com/products/
Managing Entrust PKI

Entrust PKI provides a division of responsibilities to maintain a high level of security, as shown in Figure 4. Supporting this division of responsibilities is a variety of distinct user roles, capable of carrying out the full range of tasks within Entrust PKI. The default administrator roles in Entrust PKI include Master User, Security Officer, Administrator, Directory Administrator, and Auditor. The default non-administrator role is End User.

Figure 4: User roles in Entrust PKI (roles shown: Master Users, Security Officers, Auditors, Administrators, Directory Administrators, End Users)

It is possible to create new administrator and end-user roles and to customize their capabilities. For example, you can create an administrator role that can only carry out certain functions, such as creating users or revoking users.
As another example, you can create several end-user roles, each specifying different password rules for various types of users. The following sections describe each of the Entrust PKI default user roles.

Master User

This role is for three highly trusted people who, along with a Security Officer, install and configure Entrust PKI. Master Users are the only users who can use Entrust Authority Security Manager Master Control. Master Users perform system-level operations involving Entrust Authority Security Manager, including starting and stopping Entrust Authority Security Manager.

Documentation used by Master Users is:
Entrust Authority Security Manager 7.0 Operators Guide for Windows
Entrust Authority Security Manager 7.0 Operators Guide for Unix

Note: Unlike other default roles, you can't modify the Master User role or use it as a basis for creating custom roles.

Security Officer

This role is for a few highly trusted people in your organization who will use Entrust Authority Security Manager Administration to administer sensitive Entrust PKI operations. The first Security Officer is created when you initialize Entrust PKI. Security Officers set the security policy for your organization's PKI, and supervise administrators. Security Officers use Entrust Authority Security Manager Administration to perform tasks such as:
setting up Entrust PKI so that its operations conform to your organization's policies and procedures regarding security
managing other administrator accounts
establishing trust relationships with other Certification Authorities

Documentation used by Security Officers is:
Entrust Authority Security Manager Administration 7.0 User Guide

You can modify this role by changing its name, the number of authorizations required for sensitive operations, and its user policy certificate. This role can be used as a basis for creating a custom role.
Administrator

This role is for any number of trusted people in your organization. For convenience, and depending on the size and nature of your user community, you may wish to have several Administrators. Administrators administer End Users. Administrators use Entrust Authority Security Manager Administration to perform tasks such as:
adding, removing, and deactivating End Users
revoking End User certificates
recovering End Users

Documentation used by Administrators is:
Entrust Authority Security Manager Administration 7.0 User Guide

You can modify this role by changing its name, the number of authorizations required for sensitive operations, and its user policy certificate. This role can also be used as a basis for creating a custom role.

Directory Administrator

This role is for any number of trusted people in your organization. Directory Administrators perform tasks that modify information listed in Entrust PKI's Directory. Directory Administrators use the Directory Browser tool in Entrust Authority Security Manager Administration to perform tasks such as:
adding and deleting entries in the Directory, either in batch mode or one at a time
adding, changing, and deleting attributes in Directory entries

Documentation used by Directory Administrators consists of:
Entrust Authority Security Manager Administration 7.0 User Guide

You can modify this role by changing its name, the number of authorizations required for sensitive operations, and its user policy certificate. This role can also be used as a basis for creating a custom role.
Auditor

This role is for any number of trusted people in your organization. Auditors have a view-only role in Entrust Authority Security Manager Administration. They can view (but not modify) audit logs, reports, security policies, and user properties.

Documentation used by Auditors consists of:
Entrust Authority Security Manager Administration 7.0 User Guide

You can modify this role by changing its name, the number of authorizations required for operations, and its user policy certificate. This role can also be used as a basis for creating a custom role.

End User

This role is for non-administrative Entrust users. End Users cannot log in to Entrust Authority Security Manager Administration. End Users can be either people (members of your organization) or things (a Web site, a wireless device); the qualification is that they are granted a certificate for use within your PKI.

Documentation used by End Users consists of the user guides and online help that accompany the Entrust product they are using.

You can modify this role by changing its name and user policy certificate. This role can also be used as a basis for creating a custom role.

On the client side, the person's name and keys are encrypted and stored as a profile. The Entrust profile is a secure file that contains a user's keys and digital certificates. Note that roaming end users do not need to carry their profiles. You can create roaming users if your organization has Entrust Authority Roaming Server.
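The separation of duties in the role descriptions above (a view-only Auditor, Administrators who administer End Users, End Users who cannot log in to administration at all, a configurable number of authorizations for sensitive operations, and custom roles derived from defaults but never from Master User) can be written down as an authorization check. The following Python is an added illustration for this page and is not Entrust code: the operation names, the default quorums (two authorizations for Security Officers and Administrators), and the set of operations treated as sensitive are assumptions chosen to mirror the text.

```python
"""Hypothetical role-separation model for a PKI administration interface.

Added illustration; not Entrust code. Operation names, default quorums and
the set of sensitive operations are assumptions mirroring the role text.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence

VIEW_OPS = frozenset({"view_audit_log", "view_report", "view_policy", "view_user"})
USER_ADMIN_OPS = frozenset({"add_user", "remove_user", "deactivate_user",
                            "revoke_certificate", "recover_user"})
DIRECTORY_OPS = frozenset({"add_directory_entry", "delete_directory_entry",
                           "modify_directory_attribute"})
POLICY_OPS = frozenset({"set_security_policy", "manage_administrator_accounts",
                        "establish_ca_trust"})
# Assumed: operations that must carry the role's quorum of authorizations.
SENSITIVE_OPS = POLICY_OPS | frozenset({"recover_user", "revoke_certificate"})


@dataclass(frozen=True)
class Role:
    name: str
    permitted: FrozenSet[str]
    authorizations_required: int = 1  # distinct people, requester included
    customizable: bool = True         # Master User is the one fixed role


# Assumed default quorums: two authorizations for roles that can recover
# users or change policy, one everywhere else.
DEFAULT_ROLES: Dict[str, Role] = {
    # Master Users work in Master Control only; no Administration operations.
    "Master User": Role("Master User", frozenset(), customizable=False),
    "Security Officer": Role("Security Officer", POLICY_OPS | USER_ADMIN_OPS | VIEW_OPS, 2),
    "Administrator": Role("Administrator", USER_ADMIN_OPS | VIEW_OPS, 2),
    "Directory Administrator": Role("Directory Administrator", DIRECTORY_OPS | VIEW_OPS),
    "Auditor": Role("Auditor", VIEW_OPS),          # view-only
    "End User": Role("End User", frozenset()),     # cannot log in to Administration
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role


def derive_role(base: Role, name: str, permitted: FrozenSet[str],
                authorizations_required: Optional[int] = None) -> Role:
    """Build a custom role from a default one. It may only narrow the base
    role's permissions, and Master User cannot serve as a base."""
    if not base.customizable:
        raise ValueError(f"{base.name} cannot be modified or used as a basis for custom roles")
    if not permitted <= base.permitted:
        raise ValueError("a custom role may not exceed its base role's permissions")
    quorum = base.authorizations_required if authorizations_required is None else authorizations_required
    if quorum < 1:
        raise ValueError("at least one authorization is required")
    return Role(name, permitted, quorum)


def authorize(op: str, requester: Principal,
              co_authorizers: Sequence[Principal] = ()) -> dict:
    """Decide whether `op` may proceed and return an audit record saying why.

    The requester's role must permit the operation. A sensitive operation
    additionally needs the role's quorum of distinct people, each holding a
    role that itself permits the operation; one person approving twice
    counts once, and an Auditor's approval adds nothing.
    """
    record = {"op": op, "requester": requester.user_id,
              "role": requester.role.name, "allowed": False, "reason": ""}
    if op not in requester.role.permitted:
        record["reason"] = "operation not permitted for role"
        return record
    if op in SENSITIVE_OPS:
        signers = {requester.user_id}
        for p in co_authorizers:
            if op in p.role.permitted:
                signers.add(p.user_id)
        needed = requester.role.authorizations_required
        if len(signers) < needed:
            record["reason"] = f"{len(signers)} of {needed} required authorizations present"
            return record
        record["authorizers"] = sorted(signers)
    record["allowed"] = True
    record["reason"] = "ok"
    return record


if __name__ == "__main__":
    alice = Principal("alice", DEFAULT_ROLES["Administrator"])
    bob = Principal("bob", DEFAULT_ROLES["Administrator"])
    carol = Principal("carol", DEFAULT_ROLES["Auditor"])
    print(authorize("recover_user", alice))           # denied: 1 of 2 authorizations
    print(authorize("recover_user", alice, [carol]))  # denied: Auditor cannot authorize
    print(authorize("recover_user", alice, [bob]))    # allowed: two distinct authorizers
```

Every decision returns a record rather than a bare boolean, so the same structure can be appended to the audit trail the Auditor role reviews; a denied request is as useful to an auditor as a granted one.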
Deployment issues and considerations

Setting up a PKI to suit your security goals involves making numerous decisions before installing any software. To assist your organization in this decision making, Entrust offers a step-by-step approach to deployment known as the Entrust Deployment Methodology. The Entrust Deployment Methodology guides organizations in successfully planning and implementing their Entrust security solution.

Entrust Professional Services also offer services that support this deployment methodology. These services provide PKI planning and implementation to organizations who want to jump-start their Entrust security solution.

Figure 5 provides an overview of the Entrust Deployment Methodology.

Figure 5: Entrust Deployment Methodology (a cycle of six phases)
1. Project initiation and planning
2. Requirements analysis and design
3. Development and testing
4. Installation, integration, and testing
5. Deployment
6. Operations and maintenance

The main phases are outlined below.
Project initiation and planning

Project initiation and planning focuses on preparing for your organization's deployment of Entrust PKI. Project planning involves:
determining and documenting business and PKI requirements
engaging sponsors and champions within your organization
engaging functional specialists within your organization
scoping an initial project
developing and documenting a project management plan

Requirements analysis and design

Requirements analysis and design involves assessing what resources, physical or otherwise, are necessary for implementing Entrust PKI. The focus is on:
analyzing, designing, and documenting Certificate Policies and Certification Practice Statements
documenting PKI system requirements and design
documenting PKI facility needs
identifying staff and training needs
procuring hardware and software

Development and testing

Development and testing focuses on developing any necessary custom software, as well as testing all software and system components. This takes place before your PKI is installed. Development and testing involves:
developing and testing custom/customized PKI components (if required)
documenting your organization's PKI operations manual
enhancing your facilities (if required)
training PKI operations staff, registration authorities, and help desk staff
Installation, integration, and testing

In this phase your organization installs all components of the PKI. All operations are closely monitored. Installation, integration, and testing involves:
installing network, firewall, hardware, operating system, and third-party software components
installing Entrust Ready Directory and Web software
installing Entrust software and supporting hardware
integrating back-end systems
testing all functionality

Deployment

Deployment involves running your PKI in a pilot program, followed by full rollout. Deployment consists of:
engaging the pilot user community
running the pilot for four to six weeks
monitoring PKI usage and feedback
monitoring operations staff, registration authorities, help desk staff, and performance
enhancing the PKI environment as required
initiating full rollout

Operations and maintenance

With active deployment complete and PKI usage under way, your organization must now ensure continued operation and maintenance. Operations and maintenance involves:
conducting ongoing maintenance and support services
leveraging the PKI and extending your company's return on investment by deploying additional PKI applications
Other information

The Entrust Deployment Methodology offers other deployment information in addition to the phases listed above. This includes:
deployment tips
provision of best practices
identification of the project critical path
identification of the most common critical success factors
identification of the most common PKI deployment pitfalls
provision of templates, such as a project Gantt chart

For more details on PKI deployment, Entrust provides the Entrust PKI Deployment Methodology Manual. It is available to customers via download from the Extranet. Alternatively, contact Entrust (see Advising on PKIs on page 42 for details).
Where to get assistance

We are always interested in your experiences using Entrust PKI and its related products and services.

Have comments/suggestions/questions?

We are continually trying to improve the quality and coverage of information related to Entrust PKI. If you have any comments or questions about any aspect of Entrust PKI, send us an e-mail at entrust@entrust.com

You can also visit our Web site at http://www.entrust.com/

General inquiries can be directed to the following telephone numbers:
Tel: 1-972-713-5800
Fax: 1-972-713-7305
Sales inquiries: 1-888-690-2424

Telephone, e-mail, and online support

Entrust offers telephone, e-mail, and online support through the Entrust TrustedCare program. Three levels of support are available depending on your needs: Silver, Gold, and Platinum.

Telephone support

For telephone support, simply call the appropriate number listed in your Customer Resource Kit. The Customer Resource Kit is a package made available to customers after the Entrust TrustedCare program has been purchased. You must provide your Unique ID (listed on your Customer Support Xtranet account) whenever you call.

General support telephone numbers outside of North America:
Platinum Level: 1-613-270-3715
Silver/Gold Level: 1-613-270-3746

Toll Free from North America: 1-877-754-7878

For a listing of toll free support numbers from outside North America, refer to https://www.entrust.com/trustedcare/contact/

Others: 1-613-270-3700
Fax: 1-613-270-2502

E-mail support

E-mail support is offered to provide assistance for non-critical issues. Questions can be sent to support@entrust.com

Online support

Online support is provided through Entrust TrustedCare online. This portal contains online versions of product documentation, an information knowledge base, and problem resolutions. It also provides the ability to submit and track service requests via the Web in a secure manner. You must have an account to access this portal. You can sign up for an account at https://www.entrust.com/trustedcare/
Training and certification

Through a variety of hands-on and elearning materials, Entrust delivers effective training in deploying, operating, administering, extending, customizing and supporting any variety of Entrust digital identity and information security solutions.

Hands-On Training

Delivered by training professionals, Entrust Training courses help equip you with the knowledge you need to help speed your deployment of digital identity and information security services. The following is a list of courses currently available through the training department, and the products that they cover.

Entrust Authority Security Manager Comprehensive: Entrust Authority Security Manager, Entrust Authority Security Manager Administration, Entrust Authority Security Manager Control, Entrust Authority Roaming Server, Entrust Entelligence Security Provider
Entrust Secure Web Portal: Entrust Authority Enrollment Server for Web, Entrust Authority Self-Administration Server, Entrust TruePass, Entrust GetAccess
Entrust Authority Security Manager: Entrust Authority Security Manager Administration
Entrust Authority Administrator Training: Entrust Authority Security Manager Administration
Entrust Authority Security Toolkit for Java for Developers: Entrust Authority Toolkits
Entrust Enterprise Desktop Solutions elearning Tool: Entrust Entelligence Desktop Manager, Entrust Entelligence E-mail Plug-In, Entrust Entelligence File Plug-In
Entrust GetAccess Comprehensive: Entrust GetAccess

Check the Web site regularly; new courses are constantly being added and updated. http://www.entrust.com/training/

elearning

The Entrust Enterprise Desktop Solutions elearning courses provide a highly effective, simple to manage, and low cost training solution. This interactive learning tool makes it possible to train numerous users in any number of locations quickly, simultaneously, and consistently. To learn more about Entrust elearning, visit http://www.entrust.com/training/elearning.htm

Advising on PKIs

In order to operate a PKI that performs to its greatest potential, Entrust recommends that you consult the Entrust Professional Services department. Professionals experienced in the areas of PKI planning, implementation, and deployment are available to provide a number of useful services, including:
PKI security consulting
PKI planning and deployment using the Entrust Deployment Methodology
systems integration
an in-sourcing program

To contact Professional Services about these or other offerings (such as obtaining the Entrust PKI Deployment Methodology Manual), please call Entrust at 1-888-690-2424
Services

Entrust offers a number of services, called Entrust Certificate Services, to meet the ever-growing range of security needs.

Entrust Certificate Management Services
Entrust SSL Certificates make it easier and more cost-effective for administrators to manage the lifecycle of their SSL digital certificates. There are three levels to suit your needs:
Standard - Single SSL Certificates
Enhanced - More than 10 SSL Certificates
Premium - Large Scale SSL Deployments

Entrust WAP Server Certificates
Entrust WAP (Wireless Application Protocol) Server Certificates provide website identification and enable WTLS (Wireless Transport Layer Security) encryption between mobile devices, micro-browsers, and servers that support the WTLS protocol.

Entrust Certificate Enrollment Service for Web Hosters
Entrust Certificate Enrollment Service for Web Hosters provides Web hosters and ISPs with the tools to offer additional value to customers. This service provides a more cost-effective method of delivering SSL server certificates transparently to their customers' web servers.

For more information on Entrust Certificate Services, refer to http://www.entrust.com/certificate_services/

Further information on PKI

There is a broad range of sources of information available on PKI technology. A good place to start is by referring to our whitepapers, which can be found online at the Entrust Resource Center. You will also find a glossary containing many of the terms and words used throughout this document. http://www.entrust.com/resources/
Books

For a more comprehensive explanation of PKI, Entrust recommends the following book:

Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations
Co-authored by Carlisle Adams and Steve Lloyd, this book provides a thorough examination of the details surrounding PKI. This book will benefit those responsible for planning, deploying, or operating a PKI, as well as serving as an educational tool and reference guide for novices and professionals alike. This book is available through most bookstores, or through the publisher, Addison-Wesley Professional Pub Co. ISBN: 0672323915.
Index

A
Administration Toolkit for C 28
administrative roles 31
Administrator: about 33; documentation used 33; tasks 33
advising on PKIs 42
associating users and keys with certificates 11
asymmetric cryptography 5
audit capabilities, see Entrust Secure Identity Management Solution 21
Auditor: about 34; documentation used 34; tasks 34
Authentication 22
automated identity provisioning, see Entrust Secure Identity Management Solution 21
automatic update of key pairs and certificates 15

B
backing up: data in the Entrust Authority Security Manager database 19; keys 15
Books 44

C
CA, see Certification Authority
certificate: about 11; automatic update of 15; retrieval from a certificate repository 15; revocation 15
Certification Authority: about 12; enabling trust 15; services provided by 12; signing certificates 12
client software 16
core components of Entrust PKI 17
creating new administrative and end-user roles 31
cryptography 5
customer support, see support

D
data: encrypting 6; locking 6; security through the encryption key pair 5
database, see Entrust Authority Security Manager database
decryption: about 7
decryption key, see decryption private key
decryption private key 5: keeping data secure using a 5; see also decryption
deployment 37; see also deployment issues and considerations
deployment issues and considerations: about 35; see also Entrust Deployment Methodology
deployment manual, see Entrust Deployment Methodology Manual
Desktop Manager 24
development and testing 36; see also deployment issues and considerations
Digital Signature 22
digital signature: about 8, 16; non-repudiation of digitally signed data 16; see also signing private key, verification public key
Digital signatures 22
Directory: about 19; information that is made public 19; see also certificate retrieval from a certificate repository
Directory Administrator: about 33; documentation used 33; tasks 33
Disk Security 25
documentation: for Administrators 33; for Auditors 34; for Directory Administrators 33; for End Users 34; for Master Users 32; for Security Officers 32

E
elearning 42
E-Mail Plug-In 24
enabling trust through a Certification Authority 15
Encryption 22
encryption: about 6; see also encryption key pair, symmetric-key cryptography
encryption key, see encryption public key
encryption key pair: about 5; data security 5; see also encryption public key, decryption private key
encryption public key: keeping data secure using an 5; see also encryption
End User: about 34; documentation used 34
Enhanced, see Entrust Certificate Management Services
Enrollment Server for SmartCards 27
Enrollment Server for VPN 27
Enrollment Server for Web 27
Entrust: customer support 39; sending comments to 39
Entrust Authority 25
Entrust Authority Security Manager: about 18; access to 18; services performed 18; used by 32
Entrust Authority Security Manager Administration: about 18; tasks used for 18; used by 33, 34
Entrust Authority Security Manager Control: about 18
Entrust Authority Security Manager database: about 19; data stored in 19
Entrust Authority Toolkits 28
Entrust Certificate Enrollment Service 43
Entrust Certificate Management Services 43
Entrust Certificate Services: about 43
Entrust Deployment Methodology 35-38
Entrust Deployment Methodology Manual: about 38; obtaining 42
Entrust Entelligence 24
Entrust GetAccess 29
Entrust Mobile ID Server 27
Entrust PKI: about 4, 17; core components 17; managing 31
Entrust Secure Data Solution 20, 22
Entrust Secure Identity Management Solution 20, 21
Entrust Secure Messaging Solution 20, 22
Entrust Secure Transaction Platform 29
Entrust Security Manager Control: tasks used for 18; used by 18
Entrust TruePass 30
Entrust TrustedCare 39
Entrust USB Tokens 30
Entrust Verification Service 29
Entrust WAP Server Certificates 43
environment policy-based authorization, see Entrust Secure Identity Management Solution 21
establishing trust with other PKIs 16

F
File Plug-In 24

G
General support telephone numbers 39
getting assistance, see support
glossary, see Further information on PKI 43
GSS-API Toolkit for C 28
guaranteeing information in certificates, see Certification Authority

H
Hands-On Training 41
hash code 9
hierarchical trust 16

I
Identification and Entitlement Server 29
installation, integration, and testing 37; see also deployment issues and considerations
IPSec Toolkit for C 28

K
key: backup 15; history 15; recovery 15; see also encryption public key, decryption private key, signing private key, verification public key

L
locking data, see encryption

M
managing Entrust PKI 31; see also Entrust PKI
Master User: about 32; documentation used 32; tasks 32
Media Security 25
Messaging Server 25
Mobile Security 25
Mobile Server 29

N
networks: as used by a PKI 13; traffic on 19
non-repudiation of digitally signed data 16; see also digital signature

O
operations and maintenance 37; see also deployment issues and considerations

P
Passlogix v-go Single Sign-On 30
peer-to-peer trust 16
PKCS#7 Toolkit for C/C++ 28
PKI, see public-key infrastructure
Policy-based access control 22
portable tokens, see Entrust USB Tokens 30
Premium, see Entrust Certificate Management Services
private key, see decryption private key, signing private key
profile 34
project initiation and planning 36; see also deployment issues and considerations
Proxy Server 29
public key: association with a certificate 11; see encryption public key, verification public key
public-key cryptography 5
public-key infrastructure: about 13; advising on 42; basis for security solutions 5; core services (automatic update of key pairs and certificates 15; certificate retrieval from a certificate repository 15; certificate revocation 15; client software 16; enabling trust through a Certification Authority 15; establishing trust with other PKIs 16; key backup, history, and recovery 15; non-repudiation of digitally signed data 16); deployment issues and considerations 35; further information on 43; underlying concepts 5

R
recovering keys 15
requirements analysis and design 36; see also deployment issues and considerations
retrieving certificates from a certificate repository 15
revoking certificates 15
Roaming Server 26
root of trust 16

S
security: about 4; requirements for individuals 4, organizations 4, planners and administrators 4; through cryptography 5
Security Manager 25
Security Manager Proxy 26
Security Officer: about 32; documentation used 32; tasks 32
Security Provider 24
Security Toolkit for Java 28
Self-Administration Server 26
sending comments to Entrust 39
services: Entrust Certificate Services 43
signing digital signatures, see digital signature
signing key, see signing private key
signing private key 8
single sign-on, see Entrust Secure Identity Management Solution 21
SSL digital certificates 43
Standard Level, see Entrust Certificate Management Services
strict hierarchy 16
Sun Identity Manager 30
support 39-40: e-mail 40; online 40 (see also Entrust TrustedCare); telephone 39
symmetric keys 6
symmetric-key cryptography 6

T
Third Party Products 30
third-party trust 12
Timestamp Server 26
Toll Free numbers 39
training and certification 41
transparency, of services 14
trust 12, 16: hierarchical trust 16; peer-to-peer trust 16; third-party trust 12

U
unlocking data, see decryption
user authentication to applications, see Entrust Secure Identity Management Solution 21
user roles, see managing Entrust PKI

V
verification key, see verification public key
Verification Plug-In for Adobe 24
verification public key 8
verifying digital signatures, see digital signature

W
Web Plug-In 24
WebMail Center 25
what can Entrust do for you 4
who should read this document, see Welcome
workflow capabilities, see Entrust Secure Identity Management Solution 21