D**B
Critical Fundamental and still relevant knowledge in 2025
When jumping into PKI as recently as 2018, I started with a book focused on TLS, which was my current need. I then backtracked and read RFCs such as RFC 5280, which came out after this book. In hindsight, this is the book I should have and would have started with. I would require anyone following in my footsteps related to projects that either use existing X.509 certificates or establish a new PKI to start with this book even in 2025. And even after having read the "newer" RFCs, this book still filled in the holes and cleared up my understanding of many topics. RFCs are a description of the choices that were made, the protocols that were established, and the requirements of an implementation. They are rarely a coverage of the options available, why those options were chosen, the consequences of different choices, and standard practices. A book like this is required for that information.

Much of the PKI landscape is identical to when this book was covered. The differences are mostly inconsequential from a core understanding perspective. For example, today key sizes are larger, smart cards are more pervasive, most client devices have TPMs and are fully capable of generating their own private keys, and some PKI systems like PGP were rendered less valuable by unsavory characters mining web of trust stores for relationship metadata they could exploit. But all of the key concepts of cryptography, certificates, revocation, key management, ... were solved before this book was written and are much the same today.

When you understand the basic cryptographic algorithms and the concepts of a chain of trust, you might think you can glean the rest. It turns out there is substantial thought built on top of these algorithms, best practices, trade-offs, ... that the best minds had worked through when this book was written to create the cryptographic landscape we have today.

Even newer protocols like OAuth and OIDC rely on the security provided by the underlying PKI that this book covers in order to provide their authentication, authorization, and SSO services. And this book does cover the concept and liability of bearer tokens, which is all OAuth and OIDC are from the client's perspective. The "cool" part of OAuth and OIDC is that they can and do use modern PKI to sign and validate access tokens. While not describing OAuth and OIDC, this book does list initiatives that were going on at the time such as SAML, which is the XML forerunner of the JSON-based OAuth/OIDC solutions.

I write this being over one third of the way through the book.

I would argue that other reviewers who criticized this book for not having useful information were not looking to understand the PKI landscape, issues, best practices, ... but were more likely trying to solve a specific problem in a narrow sliver of what PKI is used for.

I would have loved to find a book that was for modern PKI, that is much more recent, and covered all currently valid ways of setting up your own PKI using either X.509 certificates, JWTs, SAML, .... But I could find none. I was amazed to find how relevant this book still is in 2025. If you can find a more modern book that actually covers Public Key INFRASTRUCTURE, and not just the cryptographic algorithms or a narrow sliver of PKI such as configuring TLS, then you might choose that over this book. But if not, read this book prior to reading the RFCs, which are just choices and protocols and don't provide any higher-level view of PKI.
A**R
It is not bad, but somewhat shallow
I would like to see more details, but otherwise it is a very nice introductory book.
M**S
Terrific explanation of PKI
This book does a terrific job of explaining how various applications can use PKI and what PKI requires from an infrastructure standpoint. Part III, Deployment Considerations, is exceptionally good at how PKI can be used from a practical standpoint. Strikes just the right balance between theoretical and practical. Technical detail was totally sufficient for me and included everything up to but not including a discussion of the actual mathematics behind public key encryption. Highly recommended!!
D**S
Full of information -- but not very USEFUL information . . . . . .
Was published in 2002 - over ten years ago. OK, why did I buy it then? Because it appeared to be the only book I could find. Read about 80% of it. Lots of terminology, not many practical working examples, references a lot of RFCs (some of those RFCs are HUNDREDS of pages long). At the end, I still have much I do not know. Who knows, after I learn PKI, maybe I will write my own book!
C**A
Do you really need this book?
I think this is the real question you should answer before buying this book. If you are an IT project manager in the security space, or a pre-sales guy used to joining and driving round-tables and chat sessions where security is the main topic, or even if you are used to high-level discussions with CTOs around their security infrastructure, then this book might be useful for you. This is a very high-level overview of the concepts that sit behind a Public Key Infrastructure, where "infrastructure" is the main point. There's nothing technical in here; it's really focused on the concepts of a PKI, providing you all the terminology, the various different components and topics that a PKI includes and that you need to know, evaluate and choose when approaching a PKI implementation, but you will not find anything about the implementation itself, nothing that will explain how all this wonderful PKI theory and these concepts are applied to the real world using current technologies. I probably made a mistake myself when I bought this book, but I was at least expecting a bit more about SSL, TLS and similar protocols that are a fundamental element of any secure transaction and therefore of any security infrastructure, but I was wrong. Even accepting that this was something different from what I expected, I didn't find the writing style too good either. Being honest, I don't know how many times the authors use the expression "that is," to clarify a statement, but definitely too many, and in general I found the way used to describe the concepts made this matter even more boring than it normally is.
K**N
This book made a better sermon than a technical read
I've read many books on PKI and there are not many good ones out there. This one used to be the best among some very awful books, which wasn't saying much. It was excellent at covering the standards of PKI such as they exist, but otherwise said very little about installation, layout, protocols and design, common problems, and real-world solutions. Most of what they said was repeated multiple times throughout the book, sometimes even in the very next paragraph. They took two or three pages just to say that the top-down approach to PKI planning is better than slapping in a service just to support a single product. Stating the obvious didn't win any points with me. They discussed outdated or barely used protocols like SET, and didn't bother getting in depth at all with protocols that are in use like SSL. They discussed Single Sign-On as if a simple PKI install will solve all our problems, completely missing the outstanding problem of vendor interoperability. Active Directory and PKI are only mentioned in passing with no operational details. Get Klaus Schmeh's book or the Housley book instead.