Anyone who has attempted a "real" PKI deployment by the book (i.e. not a "next, next, finish" deployment of Windows PKI) quickly runs into the difficulties involved in writing the PKI-specific policy documents, namely the Certificate Policy (CP) and the Certificate Practice Statement (CPS). For those of you who are not familiar with either, or who have deployed a PKI without ever hearing of them, here is why they are important. There are three documents that are really critical to PKI planning:
- Security Policy - this is that "thing" that, if you're lucky, you already have published, or, if you're like many companies I come across, that you're still trying to get someone to sign off on as a real, well-defined security policy. The security policy is what you refer internal consumers of your IT to when they want to know either how something should be done or why they can't do what they are requesting. It is the foundation of the next two documents, which can't be built without it.
- Certificate Policy - this is more or less a more focused adaptation of the security policy, with special relevance to how certificates are to be issued and used inside your company. Where the security policy is broader, the CP focuses on how certificates are issued, used and published, and revoked.
- Certificate Practice Statement (CPS) - this document focuses on how the various policies in the CP are enforced: what the process for revoking a certificate is, how certificates are validated, and what happens when a CA is compromised. This document is especially critical in B2B situations where you need to decide whether or not to trust another company's PKI implementation; that decision is made from the CPS the company publishes externally (in fact your certs may carry a public URL pointing to your company's CPS online). If a company really hasn't thought things through, you should be able to tell by looking at its CPS.
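The public CPS URL mentioned above is carried in a certificate's certificatePolicies extension as a policy qualifier (RFC 5280 section 4.2.1.4, qualifier id-qt-cps). The following is an added example, not code from the original post or from ILM, that walks that extension's DER and lists which CPS URL each asserted policy points at; it runs over a constructed sample in which the policy OID 2.999.1 and the URL are placeholders.

```python
"""Extract CPS pointers from an X.509 certificatePolicies extension (RFC 5280 4.2.1.4).
Pure-Python DER walking (definite lengths, IA5String CPS qualifiers); no third-party modules."""
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # policyQualifierId whose value is a CPS URI

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: 0x8N followed by N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):               # (tag, content) of each element in a constructed value
    pos = 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        yield tag, val

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted notation (handles the 2.x arc)."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last octet of this sub-identifier
            arcs, acc = arcs + [acc], 0
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, lead + arcs[1:]))

def cps_uris(cert_policies_der):
    """Map each asserted policy OID to the CPS URIs it points at ([] when none is published)."""
    _, seq, _ = _read_tlv(cert_policies_der, 0)       # outer SEQUENCE OF PolicyInformation
    found = {}
    for _, policy_info in _children(seq):
        parts = list(_children(policy_info))           # [policyIdentifier, policyQualifiers?]
        oid = _decode_oid(parts[0][1])
        found[oid] = []
        for _, qualifier in (_children(parts[1][1]) if len(parts) > 1 else ()):
            qid, qval = list(_children(qualifier))[:2]
            if _decode_oid(qid[1]) == ID_QT_CPS and qval[0] == 0x16:   # 0x16 = IA5String
                found[oid].append(qval[1].decode("ascii"))
    return found

def _tlv(tag, content):               # DER encoder for the sample (short-form length only)
    return bytes([tag, len(content)]) + content

# Constructed sample (not a real cert): 2.999.1 (ITU-T example arc) with one CPS pointer, plus anyPolicy with none.
CPS_QUALIFIER = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010505070201"))   # id-qt-cps
                     + _tlv(0x16, b"http://pki.example.com/cps"))
SAMPLE_EXTENSION = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("883701")) + _tlv(0x30, CPS_QUALIFIER))
                            + _tlv(0x30, _tlv(0x06, bytes.fromhex("551d2000"))))
```

Run over the extension value of a partner's certificate, an empty list for a policy is exactly the "has this company published a CPS at all" check the post describes.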
Now enter the certificate management facilities in Identity Lifecycle Manager 2007. As advertised, the certificate management capability of ILM 2007 is targeted at simplifying the enormous task of managing certificates for smart card devices. This is most evident during the initial enrollment of a new person in your company's onboarding process: someone has to actually get the certificate onto the card, validate that the person they're giving it to is actually who they claim to be, and then communicate the PIN by some means. While on the surface the product seems focused on this single critical event, much of its real value is realized after enrollment through ILM's policy enforcement. Without a tool like ILM, there really isn't a way to enforce the practices you've outlined in your CPS, so in very simplistic terms you can think of ILM's policy enforcement as Group Policy for PKI (not really, but hopefully you get the picture).
It's very satisfying to see that ILM is in line with a broader trend, one that ILM 2007 is spearheading: mapping your own internal policies and processes onto policies and processes that can be managed and enforced through the ILM 2007 product set. Being able to audit and report on the enforcement of your CPS will put you well ahead of most companies and will go a long way towards satisfying any compliance-related restrictions you're currently dealing with.
If you have a Microsoft PKI environment today, or are contemplating one in the near future, I strongly recommend taking a look at ILM 2007 as a very necessary component of any enterprise PKI. ILM 2007 ships May 1st!