Public key infrastructure (PKI), which was supposed to use public-key cryptography to set up a worldwide network of bodies authenticating digital signatures and certificates, has failed to take off because it is too complicated.
According to experts speaking at the RSA security conference in Paris, PKIs are simply more heavyweight than users were ready for, and key initiatives had failed to drive it into use.
"There are barriers of cost to PKI," said Craig Mundie, chief technology officer of Microsoft. "In general it will end up viewed as a heavyweight mechanism, compared to lower value mechanisms." He likened the requirement to that for multiple locks, from luggage locks to bank vaults.
"There are two things driving adoption of security techniques: cost and usability. If it is too hard to use or costs too much, users will reject it."
According to Whitfield Diffie, chief security officer of Sun Microsystems, the slow progress of PKI is due to the failure of big projects to promote it. "PKI will take off, but it has slow growth," said Diffie. "Two organisations in the US could have promoted it -- AT&T and the US National Security Agency (NSA). AT&T was broken up, and the NSA was balled up in policy initiatives. No one else has deep enough pockets or the moral authority to get PKI established."
The problem is that PKI is only really valuable when everyone else has it, said Diffie. "When only a few people have it, it is not worth adopting." In the mid-90s, NSA wanted to mandate an extra PCMCIA slot on laptops, said Diffie, which could be dedicated to authenticating users through a token on a PC card. The idea stalled, and no comparable scheme to introduce PKI has emerged.
There are still government-backed projects attempting to push the introduction of PKI. Microsoft is involved (along with Baltimore, RSA and Verisign) in one of these -- the PKI Challenge, a two-year project to test interoperability of PKI, backed by the EU and run by EEMA. Formerly known as the European Electronic Messaging Association, and dating back to previous (failed) government-backed efforts such as X.400 email, EEMA now calls itself the European Forum for Electronic Business.
Peter Judge reported from the RSA Conference in Paris.