PKI: ...and the Ugly

PKI can appear to be hyped. It may meet a lot of needs, but there are weaknesses in the system - worse, there are weaknesses that aren't technological, they're human in nature.

PKI can appear to be hyped. It may meet a lot of needs, but there are weaknesses in the system - worse, there are weaknesses that aren't technological, they're human in nature.

One realizes after a while that the entire infrastructure is really built on trust. The certification authority (CA) is considered 'trusted', and so the digital certificate is 'trusted', and so on. In turn, the people using the system to do business believe each other to be worthy of trust and therefore complete the transaction.

But trust is not a technological variable - it's a human value. Humans are the ones that assign values to the system, profiling them as trusted assets. A CA is trusted because someone says so, either by following a set of guidelines that were drafted out by someone else, or because there's a relational aspect that isn't seen (i.e. corporate ties).

Because certificates and keys need to be managed, problems will be encountered along the way. Directories need to be updated promptly, not to mention be secure from tampering, either physically or electronically.

Different CAs will also have varying standards when it comes to management policies of certificates, even to the point of having different kinds of information being stored in them, aside from the name of the CA, the public key and the user's name.

And because its an entire process, one has to ensure that the entire process is secure - right up to the desktop user, which is known notoriously as having the worst security.

Already in certain areas of the United States, there are laws binding the owner of the digital signature to whatever communiqué has been signed with it - whether or not it was him who sent it.

But one of the main problems arises upon considering interoperability. There are currently standards being worked out at the moment, and technologically speaking everything is in place to ensure interoperable, multi-vendor PKI. That is, if everyone else plays along, and you can be sure that not everyone does.

Recognizing the authority of CAs across borders, as well as cross-border legalities are issues that are still being hammered out. The need for these issues is even more pressing in Asia because of the different polarities of government stances and different rates of technological advancement.

Read more about PKI in Asia.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All