
Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd Edition


Book

  • Sorry, this book is no longer in print.

Description

  • Copyright 2003
  • Edition: 2nd
  • Book
  • ISBN-10: 0-672-32391-5
  • ISBN-13: 978-0-672-32391-1

PKI (public-key infrastructure) enables the secure exchange of data over otherwise unsecured media, such as the Internet. A PKI is the set of authorities, repositories, and procedures that issue, publish, and revoke digital certificates, each of which binds a public key to an identity; relying parties use those certificates to authenticate a message sender. Because PKI underpins the authentication of commercial electronic transactions, Understanding PKI, Second Edition, gives network and security architects the tools they need to grasp each phase of the key/certificate life cycle, including generation, publication, deployment, and recovery.

Sample Content

Online Sample Chapter

Chapter 6: Public-Key Certificates and Certification

Table of Contents

Foreword.

Preface.

About the Authors.

I. CONCEPTS.

1. Introduction.
2. Public-Key Cryptography.

Symmetric versus Asymmetric Ciphers.

Secret Key.

New Directions: Public Key.

Public/Private-Key Pair.

Services of Public-Key Cryptography.

Security between Strangers.

Encryption.

Digital Signature.

Data Integrity.

Key Establishment.

Other Services.

Algorithms.

RSA.

DSA.

DH.

ECDSA and ECDH.

SHA-1.

Ongoing Work.

Summary.

3. The Concept of an Infrastructure.

Pervasive Substrate.

Application Enabler.

Secure Sign-On.

End-User Transparency.

Comprehensive Security.

Business Drivers.

Public-Key Infrastructure Defined.

Certification Authority.

Certificate Repository.

Certificate Revocation.

Key Backup and Recovery.

Automatic Key Update.

Key History.

Cross-Certification.

Support for Non-repudiation.

Time Stamping.

Client Software.

Summary.

4. Core PKI Services: Authentication, Integrity, and Confidentiality.

Definitions.

Authentication.

Integrity.

Confidentiality.

Mechanisms.

Authentication.

Integrity.

Confidentiality.

Operational Considerations.

Performance.

Online versus Offline Operation.

Commonality of Underlying Algorithms.

Entity Naming.

Summary.

5. PKI-Enabled Services.

Secure Communication.

Secure Time Stamping.

Notarization.

Non-repudiation.

Connection with Other Services.

Need for Secure Data Archive.

Complexity of This Service.

The Human Factor.

Privilege Management.

Authentication and Authorization.

Authorization Authorities.

Delegation.

Connection with the PKI.

Privacy.

Mechanisms Required to Create PKI-Enabled Services.

Digital Signatures, Hashes, MACs, and Ciphers.

Trusted Time Sources.

Privilege Policy Creation Mechanism.

Privilege Policy Processing Engines.

Privilege Management Infrastructure Mechanisms.

Privacy Architecture.

Operational Considerations.

Trusted Time Delivery Mechanism.

Secure Protocols.

Server Redundancy.

Physically Secure Archive Facilities.

Privacy Certificates and Identity Mapping.

Real Life.

Comprehensive PKI and Current Practice.

Summary.

6. Certificates and Certification.

Certificates.

Digital Certificate.

Certificate Structure and Semantics.

Alternative Certificate Formats.

Certificate Policies.

Object Identifiers.

Policy Authorities.

Certification Authority.

Registration Authority.

Summary.

7. Key and Certificate Management.

Key/Certificate Life-Cycle Management.

Initialization Phase.

Issued Phase.

Cancellation Phase.

Summary.

8. Certificate Revocation.

Periodic Publication Mechanisms.

Certificate Revocation Lists (CRLs).

Complete CRLs.

Certification Authority Revocation Lists (CARLs).

End-Entity Public-Key Certification Revocation Lists (EPRLs).

CRL Distribution Points.

Redirect CRLs.

Delta and Indirect Delta CRLs.

Indirect CRLs.

Certificate Revocation Trees (CRTs).

Online Query Mechanisms.

Online Certificate Status Protocol (OCSP).

Simple Certificate Validation Protocol (SCVP).

Other Revocation Options.

Performance, Scalability, and Timeliness.

Summary.

9. Trust Models.

Strict Hierarchy of Certification Authorities.

Loose Hierarchy of Certification Authorities.

Policy-Based Hierarchies.

Distributed Trust Architecture.

Mesh Configuration.

Hub-and-Spoke Configuration.

Four-Corner Trust Model.

Web Model.

User-Centric Trust.

Cross-Certification.

Entity Naming.

Certificate Path Processing.

Path Construction.

Path Validation.

Trust Anchor Considerations.

Summary.

10. Multiple Certificates per Entity.

Multiple Key Pairs.

Key Pair Uses.

Relationship between Key Pairs and Certificates.

Real-World Difficulties.

Independent Certificate Management.

Support for Non-repudiation.

Summary.

11. PKI Information Dissemination: Repositories and Other Techniques.

Private Dissemination.

Publication and Repositories.

Locating Repositories.

Tradeoffs.

Interdomain Repository Issues and Options.

Direct Access.

Border Repository.

Shared Repository.

Interdomain Replication.

In-band Protocol Exchange.

Summary.

12. PKI Operational Considerations.

Client-Side Software.

Off-line Operations.

Physical Security.

Hardware Components.

User Key Compromise.

Disaster Preparation and Recovery.

Relying Party Notification.

Preparation.

Recovery.

Additional Observations.

Summary.

13. Electronic Signature Legislation and Considerations.

Electronic Signature Legislation.

E-Sign.

Digital Signatures in Context.

EU Electronic Signature Directive.

The Significance of Electronic Signature Initiatives.

Legal Considerations for PKIs.

CA Requirements.

Roles and Responsibilities.

Private Enterprise PKIs.

Other Contractual-Based Frameworks.

Confidentiality.

Summary.

14. PKI in Practice.

What PKI Does.

What PKI Does Not Do.

The Value of PKI.

When Certificates and People Meet.

An E-mail Scenario.

A Web Scenario.

Summary.

15. The Future of PKI.

What Happened?

How the World Is Changing.

A Recognized Authoritative Body.

A Motivation.

Users.

Reasons for Cautious Optimism.

Summary.

16. Conclusions and Further Reading.

Conclusions.

Suggestions for Further Reading.

II. STANDARDS.

17. Introduction.
18. Major Standards Activities.

X.509.

PKIX.

X.500.

LDAP.

ISO TC68.

ANSI X9F.

S/MIME.

IPsec.

TLS.

SPKI.

OpenPGP.

EDIFACT.

IEEE.

WAP.

XML-Based Activities.

Other Activities.

U.S. FPKI.

MISPC.

GOC PKI.

SET.

SEMPER.

ECOM.

JCP.

ICE-CAR.

Summary.

19. Standardization Status and Road Map.

Current Standardization Status.

X.509.

PKIX.

X.500.

LDAP.

S/MIME.

IPsec.

TLS.

Toolkit Requirements (APIs and Mechanisms).

Others.

Ongoing Standardization Work.

Summary.

20. Standards: Necessary but Not Sufficient.

The Role of Standards, Profiles, and Interoperability Testing.

Profiles and Interoperability Testing.

Interoperability Initiatives.

Automotive Network eXchange.

Bridge CA Demonstration.

Federal PKI.

Minimum Interoperability Specification.

National Automated Clearing House Association.

PKI X.509.

Securities Industry Root CA Proof of Concept.

EEMA PKI Challenge.

Summary.

21. Conclusions and Further Reading.

Conclusions.

Suggestions for Further Reading.

Certificate/CRL Syntax and Life-Cycle Management Protocols.

Certificate/CRL Storage and Retrieval.

XML-Based Initiatives.

Interoperability Initiatives.

Standards Bodies' Web Sites.

Books.

III. DEPLOYMENT CONSIDERATIONS.

22. Introduction.
23. Benefits and Costs of a PKI.

Business Case Considerations.

Cost Considerations.

Deployment: Now or Later?

Summary.

24. Deployment Issues and Decisions.

Trust Models: Hierarchical versus Distributed.

In-sourcing versus Out-sourcing.

Build versus Buy.

Closed versus Open Environment.

X.509 versus Alternative Certificate Formats.

Targeted Applications versus Comprehensive Solution.

Standard versus Proprietary Solutions.

Interoperability Considerations.

Certificate and CRL Profiles.

Multiple Industry-Accepted Standards.

PKI-Enabled Applications.

Policy/Business Control Issues.

On-line versus Off-line Operations.

Peripheral Support.

Facility Requirements.

Personnel Requirements.

Certificate Revocation.

End-Entity Roaming.

Key Recovery.

Repository Issues.

Disaster Planning and Recovery.

Security Assurance.

Mitigating Risk.

Summary.

25. Barriers to Deployment.

Repository Issues.

Lack of Industry-Accepted Standard.

Multivendor Interoperability.

Scalability and Performance.

Knowledgeable Personnel.

PKI-Enabled Applications.

Corporate-Level Acceptance.

Summary.

26. Typical Business Models.

Internal Communications Business Model.

External Communications Business Model.

Business-to-Business Communication.

Business-to-Consumer Communication.

Internal/External Business Model Hybrids.

Business Model Influences.

Government-Sponsored Initiatives.

Interdomain Trust.

Identrus.

Bridge CA.

VeriSign Trust Network.

GTE CyberTrust/Baltimore Technologies OmniRoot.

Other Trust Networks.

Summary.

27. Conclusions and Further Reading.

Conclusions.

Suggestions for Further Reading.

References.
Index.

Preface

Without doubt, the promise of public-key infrastructure (PKI) technology has attracted a significant amount of attention in the last few years. Hardly a week goes by without some facet of PKI being addressed in a newspaper, trade journal, or conference paper. We hear and read about the promise of authentication and non-repudiation services provided through the use of digital signature techniques and about confidentiality and key management services based on a combination of symmetric and asymmetric cryptography—all facilitated through the realization of a supporting technology referred to as PKI. In fact, many people consider the widespread deployment of PKI technology to be an important enabler of secure global electronic commerce.

Although the foundation for PKI was established over two decades ago with the invention of public-key cryptography, PKI technology has been offered as a commercially viable solution only within the last few years. But what started as a handful of technology vendors a few years ago has seen the birth of dozens, perhaps hundreds, of products that offer one form or another of PKI-related service. Further, the commercial demand for PKI-based services remains strong, and available evidence suggests that this will continue for the foreseeable future.

Still, as a technology, PKI is fairly new. And to many, PKI technology is shrouded in mystery to some extent. This situation appears to be exacerbated by the proliferation of conflicting documentation, standards, and vendor approaches. Furthermore, there are few comprehensive books devoted to PKI that provide a good introduction to its critical concepts and technology fundamentals.

Thus, the authors share a common motivation in writing this book: to provide a vendor-neutral source of information that can be used to establish a baseline for understanding PKI. In this book, we provide answers to many of the fundamental PKI-related questions, including

  • What exactly is a PKI?
  • What constitutes a digital signature?
  • What is a certificate?
  • What is certificate revocation?
  • What is a Certification Authority (CA)?
  • What are the governing standards?
  • What are the issues associated with large-scale PKI deployment within an enterprise?

    These are just some of the questions we explore in this book.

    Motivations for PKI

    It is important to recognize that PKI is not simply a "neat" technology without tangible benefits. When deployed judiciously, PKI offers certain fundamental advantages to an organization, including the potential for substantial cost savings. PKI can be used as the underlying technology to support authentication, integrity, confidentiality, and non-repudiation. This is accomplished through a combination of symmetric and asymmetric cryptographic techniques enabled through the use of a single, easily managed infrastructure rather than multiple security solutions. (See Chapter 2, Public-Key Cryptography; Chapter 3, The Concept of an Infrastructure; Chapter 4, Core PKI Services: Authentication, Integrity, and Confidentiality; and Chapter 5, PKI-Enabled Services.) PKI offers scalable key management in that the overhead associated with the distribution of keying material to communicating parties is reduced significantly when compared with solutions based solely on symmetric cryptography. (See Chapter 2 for a description of symmetric and asymmetric cryptographic techniques.) Ultimately, however, the primary motivations from a business standpoint are not technical but economic: How can PKI give a positive return on investment? To that end, judicious deployment of a single, unifying PKI technology can help, among other things

  • Reduce administrative overhead (when compared with the deployment of multiple point solutions)
  • Reduce the number of passwords required by end users (and, consequently, the administrative and help desk costs associated with managing them)
  • Reduce paperwork and improve workflow efficiencies through more automated (and more secure) business processes
  • Optimize work-force productivity (by ensuring that users spend less time contending with the security infrastructure and more time on the job at hand)
  • Reduce requirements for end-user training related to the use of the security services (because there is one security solution rather than many)

    Not only does PKI technology have the potential to realize cost savings, but in some cases it also might even be a source of revenue for an organization (through support for new services that might otherwise not be offered). Benefits and related business considerations associated with PKI technology are discussed further in Part III, Deployment Considerations.

    Changes in the Second Edition

    The world, and PKI's place in the world, has evolved somewhat since the first edition of this book was written. Like many technologies, PKI has experienced the highs and lows of media attention and analyst focus: In three short years, the descriptions have covered the spectrum from "silver bullet" to "snake oil." There is still confusion regarding naming of entities and the use of PKI in real-world business applications such as e-mail. Occasionally, the long-term viability of PKI is questioned in journals or trade publications. In this second edition, two new chapters have been added to address precisely these areas:

  • Chapter 14, PKI in Practice, looks at the use of this technology in the real world and tries to clarify where PKI can be beneficial and where it cannot.
  • Chapter 15, The Future of PKI, is based upon an observation of how the world has been evolving and attempts to answer the question: Will this technology survive and, if so, why?

    For the most part, however, the roller coaster of public opinion has now largely stabilized. There is general consensus that PKI is one viable option for a good, solid authentication technology with a number of appealing benefits compared with other technologies. In conjunction with this, PKI itself has matured and evolved to better meet the needs of the environments that might deploy it and rely on it for various services. In this edition, changes and additions have been made throughout the book to capture and explain this evolution. Some specific examples include the following:

  • Chapter 5, PKI-Enabled Services, now includes a section on privacy as a service that may be enabled by a PKI.
  • Chapters 6, Certificates and Certification, and 8, Certificate Revocation, have been updated to reflect new extensions and clarification text that were introduced in the X.509 (2000) standard.
  • Chapter 9, Trust Models, now incorporates material on several additional trust models that may be appropriate in some environments.
  • Chapter 13, Electronic Signature Legislation and Considerations, has been revised and updated to reflect the significant progress that has been made in that area since late 1999.
  • The whole of Part II, Standards, has been updated to incorporate the latest achievements in that area, as well as the new initiatives that have been started, especially in the eXtensible Markup Language (XML) standards bodies.

    Numerous other, more minor, updates and revisions may be found throughout the book.

    Audience

    The main purpose of this book is to provide a fairly comprehensive overview that will help the reader better understand the technical and operational considerations behind PKI technology. You will benefit from this book if you are responsible for the planning, deployment, and/or operation of an enterprise PKI. Those who are simply interested in the basic principles behind a PKI should also find this book useful.

    We hope that this book will become an educational tool for many and a handy reference guide for others. This book is not intended to resolve extremely detailed implementation questions, although it can serve as a primer for someone who will eventually be more interested in the finer implementation details.

    Organization

    The book is organized into three parts. Part I provides essential background information necessary to better understand the concepts and principles behind PKI. Part II addresses standards and related activities (for example, industry-sponsored interoperability initiatives) related to PKI. There are two primary purposes for including this section in the book:

    1. It provides an overview of the major standards bodies involved in the PKI arena and discusses the main focus of each group, giving a road map to some of these activities.
    2. It demonstrates the relative maturity and stability of this area, highlighting the fact that a solid basis for implementation and interoperability has already been laid.

    Part III discusses PKI deployment considerations, providing guidance for some of the initial and fundamental decisions that must be made prior to any PKI deployment.

    Part I: Concepts

    Part I of this book deals with fundamental PKI concepts. This includes background information (for example, a primer on cryptography is included), as well as detailed information with respect to public-key certificates and certificate revocation schemes.

    Chapter 1, Introduction, introduces Part I and provides a list of the contents of Part I on a chapter-by-chapter basis.

    Chapter 2, Public-Key Cryptography, provides a brief, nonmathematical introduction to the concepts of public-key cryptography relevant to the material presented throughout the remainder of the book. It includes the distinction between symmetric and public-key ciphers, the concept of a key pair, the services of this technology, terminology, and sample algorithms.

    Chapter 3, The Concept of an Infrastructure, discusses an infrastructure, highlighting its usefulness as an application enabler, its role in secure single sign-on, and its capability to provide end-user transparency and comprehensive security. This chapter also provides a working definition of PKI.

    Chapter 4, Core PKI Services: Authentication, Integrity, and Confidentiality, and Chapter 5, PKI-Enabled Services, examine services that a PKI can provide. Chapter 4 discusses the core services of authentication, integrity, and confidentiality; Chapter 5 looks at PKI-enabled services such as digital time stamping, notarization, non-repudiation, and privilege management.

    Chapter 6, Certificates and Certification, introduces the concept of a certificate and discusses the process of certification. Certificate contents and format are described, along with the role of a Certification Authority (CA) and a Registration Authority (RA).

    Chapter 7, Key and Certificate Management, looks at the whole area of key/certificate lifecycle management, including generation, publication, update, termination, key history, key backup, and key recovery.

    Chapter 8, Certificate Revocation, discusses common techniques for certificate revocation, including both periodic publication mechanisms and on-line query mechanisms.
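As an added illustration of the periodic-publication mechanisms named above (complete CRLs, delta CRLs, and the freshness question that nextUpdate raises), the following Python is example code written for this page, not material from the book. The CA name, serial numbers, dates, and reason strings are constructed, and the two dataclasses are simplified stand-ins for the real ASN.1 CRL and entry structures; no actual CRL is parsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Reason codes (spelled as in RFC 5280) that matter when applying a delta CRL.
CERTIFICATE_HOLD = "certificateHold"   # temporary suspension; may later be lifted
REMOVE_FROM_CRL = "removeFromCRL"      # delta-only: drop this entry from the base list


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revoked_at: datetime
    reason: str


@dataclass(frozen=True)
class Crl:
    issuer: str
    number: int                          # CRL number: increases with every issue
    this_update: datetime
    next_update: datetime                # after this instant the list is stale
    entries: Tuple[CrlEntry, ...]
    base_number: Optional[int] = None    # delta CRL indicator (BaseCRLNumber); None on a complete CRL


def merge_delta(base: Crl, delta: Crl) -> Crl:
    """Combine a complete CRL with a delta CRL, yielding a newer complete CRL.

    A delta applies only to a complete CRL from the same issuer whose number is at
    least the delta's BaseCRLNumber and below the delta's own number.
    """
    if delta.base_number is None or delta.issuer != base.issuer:
        raise ValueError("not a delta CRL for this issuer")
    if not (delta.base_number <= base.number < delta.number):
        raise ValueError("delta CRL does not apply to this base CRL")
    merged: Dict[int, CrlEntry] = {e.serial: e for e in base.entries}
    for e in delta.entries:
        if e.reason == REMOVE_FROM_CRL:
            merged.pop(e.serial, None)   # hold lifted: the certificate is usable again
        else:
            merged[e.serial] = e         # new revocation, or a hold made permanent
    return Crl(base.issuer, delta.number, delta.this_update, delta.next_update,
               tuple(merged.values()))


def status(crl: Crl, serial: int, now: datetime) -> str:
    """Return 'good', 'revoked', 'onhold' or 'unknown' for one serial number.

    A stale list (now past nextUpdate) yields 'unknown': absence from a list the
    relying party can no longer trust is not evidence that the certificate is good.
    """
    if now > crl.next_update:
        return "unknown"
    for e in crl.entries:
        if e.serial == serial:
            return "onhold" if e.reason == CERTIFICATE_HOLD else "revoked"
    return "good"


def demo() -> Dict[str, str]:
    """Constructed scenario: a base CRL, then a delta that adds one revocation and
    lifts one hold. Returns what each list reports for three serial numbers."""
    t0 = datetime(2003, 6, 1, 0, 0)
    base = Crl("CN=Example CA", 10, t0, t0 + timedelta(days=7), (
        CrlEntry(1001, t0, "keyCompromise"),
        CrlEntry(1002, t0, CERTIFICATE_HOLD),
    ))
    delta = Crl("CN=Example CA", 12, t0 + timedelta(days=1), t0 + timedelta(days=2), (
        CrlEntry(1003, t0 + timedelta(hours=20), "superseded"),
        CrlEntry(1002, t0 + timedelta(hours=22), REMOVE_FROM_CRL),
    ), base_number=10)
    merged = merge_delta(base, delta)
    now = t0 + timedelta(days=1, hours=6)
    out: Dict[str, str] = {}
    for serial in (1001, 1002, 1003):
        out[f"base:{serial}"] = status(base, serial, now)      # a client that ignores deltas
        out[f"merged:{serial}"] = status(merged, serial, now)  # base combined with the delta
    out["merged:1003@stale"] = status(merged, 1003, t0 + timedelta(days=5))  # delta's nextUpdate passed
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The point the scenario makes is the timeliness trade-off the chapter discusses: a relying party that checks only the week-old base CRL still reports serial 1003 as good, while the merged list reports it revoked; and once the delta's own nextUpdate has passed, the honest answer is "unknown", not "good".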

    Chapter 9, Trust Models, examines the concept of trust models. Strict hierarchies, loose hierarchies, policy-based hierarchies, distributed architectures, the four-corner model, the Web model, user-centric trust, and cross-certification are presented and compared. We also discuss certificate path processing in this chapter.
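The certificate path processing this chapter describes, as an added example that is not part of the book: it builds every loop-free chain from an end-entity certificate up to a trust anchor through a small mesh of cross-certified CAs, then validates each chain (signature, validity period, basicConstraints). All names, dates, and keys are constructed; the RSA key pairs use small primes so the arithmetic is visible, and the textbook-RSA signature over a SHA-256 digest is a teaching stand-in, not a secure scheme.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)

# --- Toy RSA signatures (illustration only; small primes, no padding) -------
def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv: Key) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(data: bytes, sig: int, pub: Key) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# --- A minimal certificate --------------------------------------------------
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: Key
    not_before: date
    not_after: date
    is_ca: bool            # basicConstraints cA flag
    signature: int = 0

    def tbs(self) -> bytes:   # the to-be-signed fields: everything except the signature
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.not_before}|{self.not_after}|{self.is_ca}".encode()

def issue(subject, pub, is_ca, issuer, issuer_priv, not_before, not_after) -> Cert:
    cert = Cert(subject, issuer, pub, not_before, not_after, is_ca)
    return replace(cert, signature=sign(cert.tbs(), issuer_priv))

# --- Path construction: every loop-free chain from the target to a trust anchor
def build_paths(target: Cert, pool: List[Cert], anchors: Dict[str, Key]) -> List[List[Cert]]:
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        head = chain[-1]
        if head.issuer in anchors:          # reached a trust anchor: chain complete
            paths.append(chain)
            return
        for cand in pool:                    # cross-certificates make this a graph, so skip cycles
            if cand.subject == head.issuer and cand not in chain:
                walk(chain + [cand])

    walk([target])
    return paths

# --- Path validation: signatures, validity periods, basic constraints --------
def validate_path(chain: List[Cert], anchors: Dict[str, Key], today: date) -> Optional[str]:
    """None if the chain validates, otherwise the first failure found."""
    for i, cert in enumerate(chain):
        issuer_pub = chain[i + 1].pub if i + 1 < len(chain) else anchors[cert.issuer]
        if not verify(cert.tbs(), cert.signature, issuer_pub):
            return f"bad signature on {cert.subject}"
        if not (cert.not_before <= today <= cert.not_after):
            return f"{cert.subject} outside its validity period"
        if i > 0 and not cert.is_ca:
            return f"{cert.subject} is not a CA"
    return None

def demo(today: date = date(2003, 6, 1)) -> List[Tuple[List[str], Optional[str]]]:
    """Constructed mesh: Root (anchor) issues CA-A; CA-A and CA-B cross-certify each other."""
    root_pub, root_priv = make_keypair(15485863, 32452843)
    a_pub, a_priv = make_keypair(49979687, 67867967)
    b_pub, b_priv = make_keypair(86028121, 104729)
    ee_pub, ee_priv = make_keypair(1299709, 7919)
    nb, na = date(2003, 1, 1), date(2004, 1, 1)
    anchors = {"Root": root_pub}
    pool = [
        issue("CA-A", a_pub, True, "Root", root_priv, nb, na),
        issue("CA-B", b_pub, True, "CA-A", a_priv, nb, na),      # A cross-certifies B
        issue("CA-A", a_pub, True, "CA-B", b_priv, nb, na),      # B cross-certifies A: a loop
        issue("CA-B", b_pub, True, "Root", root_priv, date(2002, 1, 1), date(2002, 12, 31)),  # expired
    ]
    alice = issue("alice", ee_pub, False, "CA-B", b_priv, nb, na)
    mallory = issue("mallory", ee_pub, False, "CA-B", ee_priv, nb, na)   # names CA-B but self-signed
    results = []
    for ee in (alice, mallory):
        for path in build_paths(ee, pool, anchors):
            results.append(([c.subject for c in path], validate_path(path, anchors, today)))
    return results

if __name__ == "__main__":
    for names, problem in demo():
        print(" -> ".join(names), "|", problem or "valid")
```

Path construction and path validation are deliberately separate steps, as in the chapter: the mesh yields three candidate chains for alice (one through CA-A, one that walks the cross-certificate loop and lands on CA-B's expired direct certificate, and one that uses that expired certificate directly), and only validation decides that a single chain is acceptable. The forged "mallory" certificate builds the same three chains, every one of which fails at the first signature check.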

    Chapter 10, Multiple Certificates per Entity, includes an examination of key pair uses, support for non-repudiation, and independent certificate management.

    Chapter 11, PKI Information Dissemination: Repositories and Other Techniques, looks at the area of certificate dissemination and repositories. Options for sharing public-key-related information between two or more cooperating PKI domains are discussed.

    Chapter 12, PKI Operational Considerations, discusses client-side software, on-line requirements, physical security, and disaster planning/recovery, along with tradeoffs between system security and ease of use.

    Chapter 13, Electronic Signature Legislation and Considerations, discusses some of the recent legislation and directives that pertain to electronic signatures and clarifies some of the terminology associated with various forms of electronic signatures, including digital signatures. Some of the requirements and obligations that may apply to Certification Authorities (CAs), subscribers, and relying parties are briefly discussed.

    Chapter 14, PKI in Practice, focuses on the use of PKI in the real world and tries to clarify some common misunderstandings and sources of confusion about what PKI can do and what it can't do (and was never intended to do).

    Chapter 15, The Future of PKI, considers this oft-posed question: Why has PKI not "taken off" yet? This chapter offers an opinion about why PKI adoption has been slower than many people expected and discusses—with a view to emerging trends in the industry—the future of PKI.

    Chapter 16, Conclusions and Further Reading, concludes Part I and suggests some sources to consult for further reading in this area.

    Part II: Standards

    Part II of this book addresses standards activities and interoperability initiatives.

    Chapter 17, Introduction, introduces Part II and provides a list of the contents of Part II on a chapter-by-chapter basis.

    Chapter 18, Major Standards Activities, discusses some of the most prominent activities taking place within formal standards bodies, as well as related efforts being undertaken outside the standards bodies.

    Chapter 19, Standardization Status and Road Map, provides the current and projected near-term standardization status of some of the most significant specifications.

    Chapter 20, Standards: Necessary but Not Sufficient, considers the fact that the existence of a "standard," whether it is the product of a formal standards body or not, is necessary but not sufficient to guarantee that the products of different vendors will interoperate with one another. Some of the reasons for this are given, along with a discussion of the usefulness of profiling activities and interoperability pilots.

    Finally, Chapter 21, Conclusions and Further Reading, provides concluding remarks and some suggestions for further reading.

    Part III: Deployment Considerations

    Part III of this book addresses deployment. Not intended to be a deployment handbook, this part of the book primarily identifies many of the deployment questions that should be asked (and answered) when considering any large-scale enterprise PKI deployment.

    Chapter 22, Introduction, introduces Part III and provides a list of the contents of Part III on a chapter-by-chapter basis.

    Chapter 23, Benefits and Costs of a PKI, discusses the benefits realized through the deployment of a PKI. It also discusses cost considerations. This chapter helps identify sound business reasons for deploying a PKI in the enterprise environment.

    Chapter 24, Deployment Issues and Decisions, discusses a number of issues that should be resolved before initial deployment occurs. Essentially, this chapter provides a basic foundation for product selection.

    Chapter 25, Barriers to Deployment, addresses some of the more common hurdles to deployment, issues that one must consider in terms of long-term strategy.

    Chapter 26, Typical Business Models, explains some of the more common business models one may want to implement. It also provides a brief discussion of some initiatives that can be used as a basis to establish interdomain trust.

    Chapter 27, Conclusions and Further Reading, concludes Part III and offers suggestions for further reading.

    Vendor-Neutral Policy

    We would like to emphasize that we have made every attempt to ensure that this book is as vendor neutral as possible. In fact, some of the original text has been modified at the request of one or more reviewers when (unintentionally) it even remotely appeared that we were advocating one approach over another. As authors, we are describing in this book our "vision" of what constitutes a comprehensive PKI. Although this viewpoint occasionally aligns more closely with some environments and certain specific vendor products than others, we hasten to point out that we are not aware of any one vendor that offers all the services that are described within this book.

    We also recognize that some environments are necessarily more closely aligned with a subset of the components and services described herein (because of their specific requirements and target users), and we fully understand that these environments may never need to fully align with what we refer to as a comprehensive PKI. This is as it should be. This book is not about the "Internet PKI," nor is it meant to be limited to the "enterprise PKI"—although, arguably, the enterprise environment is closer today to our notion of the comprehensive PKI than many alternative deployment environments. This book attempts to describe all aspects of a PKI; specific environments will implement subsets as needed. We have provided a discussion of some of today's PKI variations at the end of Chapter 5 in order to clarify these concepts.



    0672323915P10162002

    Index

    Click below to download the Index file related to this title:
    Index

    Updates

    Submit Errata

    More Information

    InformIT Promotional Mailings & Special Offers

    I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

    Overview


    Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

    This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

    Collection and Use of Information


    To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

    Questions and Inquiries

    For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

    Online Store

    For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

    Surveys

    Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

    Contests and Drawings

    Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

    Newsletters

    If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

    Service Announcements

    On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

    Customer Service

    We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

    Other Collection and Use of Information


    Application and System Logs

    Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

    Web Analytics

    Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

    Cookies and Related Technologies

    This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

    Do Not Track

    This site currently does not respond to Do Not Track signals.

    Security


    Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

    Children


    This site is not directed to children under the age of 13.

    Marketing


    Pearson may send or direct marketing communications to users, provided that

    • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
    • Such marketing is consistent with applicable law and Pearson's legal obligations.
    • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
    • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

    Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

    Correcting/Updating Personal Information


    If a user's personally identifiable information changes (such as a postal address or email address), we provide a way to correct or update the personal data that user has provided to us. This can be done on the Account page. If a user no longer desires our service and wishes to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of the user's account.

    Choice/Opt-out


    Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

    Sale of Personal Information


    Pearson does not rent or sell personal information in exchange for any payment of money.

    While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

    Supplemental Privacy Statement for California Residents


    California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

    Sharing and Disclosure


    Pearson may disclose personal information, as follows:

    • As required by law.
    • With the consent of the individual (or their parent, if the individual is a minor).
    • In response to a subpoena, court order or legal process, to the extent permitted or required by law.
    • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law.
    • In connection with the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice.
    • To investigate or address actual or suspected fraud or other illegal activities.
    • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract.
    • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice.
    • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

    Links


    This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

    Requests and Contact


    Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

    Changes to this Privacy Notice


    We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

    Last Update: November 17, 2020