July 19, 2011, 7:53 p.m.
posted by gelassen
The dream of PKI was to issue a Digital Certificate to everyone which they would store on a smart card, electronic token, floppy disk, or similar device. When a person wanted to conduct a bank transaction, she would insert her certificate token into a reader and would be automatically identified. When she was finished with her banking, she could board a bus and place her token on the reader which would verify that she has a monthly transportation card. Then, when she got home, she could log on to her favorite online shopping site and run her token through the reader. That would give the shopping site her name, address, store account number, and credit card number.
So why isn’t this type of PKI a reality? Compatibility is the big issue. Not all computer networks and software applications work the same way. It would require enormous cooperation amongst vendors and network owners to change their systems in order for them to be completely compatible with everyone else’s. Because there are so many different operating systems, different versions of operating systems, and different software programs and versions, this would be an enormous and expensive undertaking.
The other problem with a world-wide compatible PKI system is that of ownership. No one involved would be able to agree upon the setup of a central authority to be the CA. Some claim this would be a governmental responsibility while others feel that it should be run more like a public utility. The issue is trust. Who would you ultimately trust with all the Digital Certificates issued in the world? And who would fund such a project?
Therefore, PKI is mainly used for secure transactions between companies or governmental agencies. An e-commerce Web site that uses SSL for encryption is a portion of a PKI system. Encrypted e-mail is another transaction that may be a part of a PKI system. Some companies or agencies may want all staff to digitally sign any documents they’ve created. Because a digital signature is derived from a Digital Certificate and its key, this is also part of a PKI system. There are so many possible scenarios and solutions it’s almost impossible to list them all. However, PKI in the workplace is usually tied to three things:
Identifying system users
Using Digital Certificates to describe access permissions
Using Digital Certificates to encrypt email and other data
If you’re a small company and can’t afford an expensive PKI system, especially if you just want to do a few things, you’re much better off using PGP. PGP is a type of PKI solution without all the overhead. Instead of depending upon Certificate Authorities and key servers, you rely upon a circle of trusted colleagues and acquaintances to verify your identity and you use free public key servers to distribute your public keys. It works well for small organizations, but it can get really complicated for large ones. I’ve heard through the grapevine that PGP Corporation (www.pgp.com) is close to releasing a full PKI solution in a box. I’ll be interested to see how it works in real life.
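The "circle of trusted colleagues" idea can be made concrete with a small model. This is an added example, not part of the original post: a simplified calculation of which keys a PGP user may treat as genuine, based only on who signed them. The people, signatures and trust levels are constructed, and the thresholds (one fully trusted or three marginally trusted signers, at most five hops) are assumed from GnuPG's classic defaults.

```python
# Added example: simplified PGP web-of-trust validity calculation.
# All names, signatures and trust levels are constructed sample data.
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, signatures, owner_trust, completes=1, marginals=3, max_depth=5):
    """Return {key: depth} for each key `me` may treat as genuine.

    signatures  -- {signer: set of keys that signer has certified}
    owner_trust -- {key: FULL | MARGINAL}: how far `me` trusts that owner to
                   check identities before signing someone else's key
    Default thresholds are assumed from GnuPG's classic trust model.
    """
    trust = dict(owner_trust)
    trust[me] = FULL                      # my own key anchors everything
    valid = {me: 0}
    all_keys = set().union(*signatures.values())
    for depth in range(1, max_depth + 1):
        newly = {}
        for key in all_keys - set(valid):
            # Only signers whose own key is already valid can vouch.
            vouchers = [s for s, signed in signatures.items()
                        if key in signed and s in valid]
            full = sum(trust.get(s) == FULL for s in vouchers)
            marg = sum(trust.get(s) == MARGINAL for s in vouchers)
            if full >= completes or marg >= marginals:
                newly[key] = depth
        if not newly:                     # nothing changed, so stop early
            break
        valid.update(newly)
    return valid

# Constructed signing graph for a small office, seen from alice's keyring.
SIGNATURES = {
    "alice": {"bob", "carol"},
    "bob":   {"dave", "erin"},
    "carol": {"frank", "grace"},
    "dave":  {"frank"},
    "erin":  {"frank"},
    "frank": {"grace"},                   # frank's key is valid but not trusted
}
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("alice", SIGNATURES, OWNER_TRUST).items()):
        print(f"{key}: valid, {depth} hop(s) from alice")
```

In this sample, frank's key becomes valid only after three marginally trusted colleagues vouch for it, and grace's key never does, which is the kind of bookkeeping that grows quickly as an organization gets larger.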
PKI can be used to indicate a company’s commitment to maintaining a secure infrastructure. Note that PKI is not used to replace any security policies or procedures, but it can be used to strengthen implementation. Because Digital Certificates can be used to control access to computers, networks, and documents, they can help keep unauthorized personnel out. If all documents are digitally signed by their creators, then you can also control the integrity of your data and tie ultimate responsibility to the data’s creator. It’s difficult for someone to say they didn’t write a particular memo if their digital signature is on it.
Governments are beginning to require that PKI be used for secure transactions in certain industries and with certain types of data. There are many state governments and foreign government agencies that require that a PKI system be in place before you can do business with them. These government entities want to make sure they can identify users, control their access, and encrypt communications. In some situations, legislation has been written to make PKI a legal requirement.
Here are the URLs for some of the United States regulations concerning the use of PKI:
Because there is a call amongst people to initiate electronic voting of some kind, I wouldn’t be surprised to see PKI being examined as a possible solution. Because it is used for authentication and encryption, that could solve the problems of identifying the users and encrypting their votes. There would need to be much stricter standards for PKI than there are now to use it for electronic voting, but if it makes sense on the money side, you can be sure that some states will at least consider it.