Jeff Stapleton

Public Key Infrastructure (PKI) is an operational ecosystem that employs key management, cryptography, information technology (IT), information security (cybersecurity), policy and practices, legal matters (law, regulatory, contractual, privacy), and business rules (processes and procedures). A properly managed PKI requires all of these disparate disciplines to function together – coherently, efficiently, effectually, and successfully. Clearly defined roles and responsibilities, separation of duties, documentation, and communications are critical aspects for a successful operation. PKI is not just about certificates, rather it can be the technical foundation for the elusive "crypto-agility," which is the ability to manage cryptographic transitions. The second quantum revolution has begun, quantum computers are coming, and post-quantum cryptography (PQC) transitions will become PKI operation’s business as usual.

Public Key Infrastructure (PKI) is an operational ecosystem that employs key management, cryptography, information technology (IT), information security (cybersecurity), policy and practices, legal matters (law, regulatory, contractual, privacy), and business rules (processes and procedures). A properly managed PKI requires all of these disparate disciplines to function together – coherently, efficiently, effectually, and successfully. Clearly defined roles and responsibilities, separation of duties, documentation, and communications are critical aspects for a successful operation. PKI is not just about certificates, rather it can be the technical foundation for the elusive "crypto-agility," which is the ability to manage cryptographic transitions. The second quantum revolution has begun, quantum computers are coming, and post-quantum cryptography (PQC) transitions will become PKI operation’s business as usual.

Security without Obscurity: Frequently Asked Questions (FAQ) complements Jeff Stapleton’s three other Security without Obscurity books to provide clear information and answers to the most commonly asked questions about information security (IS) solutions that use or rely on cryptography and key management methods. There are good and bad cryptography, bad ways of using good cryptography, and both good and bad key management methods. Consequently, information security solutions often have common but somewhat unique issues. These common and unique issues are expressed as an FAQ organized by related topic areas.The FAQ in this book can be used as a reference guide to help address such issues. Cybersecurity is based on information technology (IT) that is managed using IS controls, but there is information, misinformation, and disinformation. Information reflects things that are accurate about security standards, models, protocols, algorithms, and products. Misinformation includes misnomers, misunderstandings, and lack of knowledge. Disinformation can occur when marketing claims either misuse or abuse terminology, alluding to things that are inaccurate or subjective. This FAQ provides information and distills misinformation and disinformation about cybersecurity.This book will be useful to security professionals, technology professionals, assessors, auditors, managers, and hopefully even senior management who want a quick, straightforward answer to their questions. It will serve as a quick reference to always have ready on an office shelf. As any good security professional knows, no one can know everything.

Security without Obscurity: Frequently Asked Questions (FAQ) complements Jeff Stapleton’s three other Security without Obscurity books to provide clear information and answers to the most commonly asked questions about information security (IS) solutions that use or rely on cryptography and key management methods. There are good and bad cryptography, bad ways of using good cryptography, and both good and bad key management methods. Consequently, information security solutions often have common but somewhat unique issues. These common and unique issues are expressed as an FAQ organized by related topic areas.The FAQ in this book can be used as a reference guide to help address such issues. Cybersecurity is based on information technology (IT) that is managed using IS controls, but there is information, misinformation, and disinformation. Information reflects things that are accurate about security standards, models, protocols, algorithms, and products. Misinformation includes misnomers, misunderstandings, and lack of knowledge. Disinformation can occur when marketing claims either misuse or abuse terminology, alluding to things that are inaccurate or subjective. This FAQ provides information and distills misinformation and disinformation about cybersecurity.This book will be useful to security professionals, technology professionals, assessors, auditors, managers, and hopefully even senior management who want a quick, straightforward answer to their questions. It will serve as a quick reference to always have ready on an office shelf. As any good security professional knows, no one can know everything.

Most books on public key infrastructure (PKI) seem to focus on asymmetric cryptography, X.509 certificates, certificate authority (CA) hierarchies, or certificate policy (CP), and certificate practice statements. While algorithms, certificates, and theoretical policy are all excellent discussions, the real-world issues for operating a commercial or private CA can be overwhelming.Security without Obscurity: A Guide to PKI Operations provides a no-nonsense approach and realistic guide to operating a PKI system. In addition to discussions on PKI best practices, the book supplies warnings against bad PKI practices. Scattered throughout the book are anonymous case studies identifying both good and bad practices.The highlighted bad practices, based on real-world scenarios from the authors’ experiences, illustrate how bad things are often done with good intentions but cause bigger problems than the original one being solved.This book offers readers the opportunity to benefit from the authors’ more than 50 years of combined experience in developing PKI-related policies, standards, practices, procedures, and audits, as well as designing and operating various commercial and private PKI systems.

Information security has a major gap when cryptography is implemented. Cryptographic algorithms are well defined, key management schemes are well known, but the actual deployment is typically overlooked, ignored, or unknown. Cryptography is everywhere. Application and network architectures are typically well-documented but the cryptographic architecture is missing. This book provides a guide to discovering, documenting, and validating cryptographic architectures. Each chapter builds on the next to present information in a sequential process. This approach not only presents the material in a structured manner, it also serves as an ongoing reference guide for future use.

Information security has a major gap when cryptography is implemented. Cryptographic algorithms are well defined, key management schemes are well known, but the actual deployment is typically overlooked, ignored, or unknown. Cryptography is everywhere. Application and network architectures are typically well-documented but the cryptographic architecture is missing. This book provides a guide to discovering, documenting, and validating cryptographic architectures. Each chapter builds on the next to present information in a sequential process. This approach not only presents the material in a structured manner, it also serves as an ongoing reference guide for future use.