December 09, 2004

PKI's mission: sell certs or die in the attempt!

Back in the early 90s, some Bright Spark had the idea that if a certificate authority could sign a certificate, and this certificate could be used to secure logins, payments, emails and ... well, everything, then obviously everyone would want one. And everyone was a lot of people, even back in the days before mainstream Internet.

There was a slight problem, though. The certificate wasn't really the only way to do things. In fact, it was one of the poorer ways to do things, because of that pesky complexity argument. But this didn't present an insurmountable challenge to our Mr. B.S., as crypto and security are devilishly complex things, *however* you do them.

All that was needed was a threat to hang the hat of certificate security on, and the rest could be written into history. This bogeyman turned out to be the wicked thief of credit cards, who would conduct a thing of great evil called a Man-In-The-Middle attack on poor innocent Internet consumers. This threat (cut to images of virginal shoppers tied to the rails before the oncoming train of rapacious gangsters) made the whole lot hang together, cohesively enough to fool all but the most skeptical security experts.

And so PKI was born. Public Key Infrastructure involved lots of crypto, lots of complexity, lots of software, and of course, oodles and oodles of certs, all for sale. Boom! Literally, at least in stock market terms, as certificate sellers went through the Internet IPO roof.

Their mission was to sell certs or die in the attempt, and they did. By the end of the dotcom boom, all but one of them were smoking carcasses. The one that survived cleverly used its stock market money to buy some businesses with real cash flow. But even it danced with stock prices that were 1-2% of its peak. Now it's up in the 10% range.

Unfortunately, even though the PKI companies died exotic and flashy deaths, the mission did not. Now, one insider has crawled out from the ashes to write an anonymous article that isn't exactly waving a white flag. As he reveals his inner dreams, it's stunning to realise that this insider *still* believes that PKI can do it, even when he admits that the mission was to sell certs. How pervasive a marketing myth is that?

Anyways, here's the link. For those students of Internet security, you be the judge: how much of the following makes sense when you consider their mission was to sell certs? How much of it makes sense if you take away that mission?

Revenge of the PKI Nerds

Wherein a very patient CSO hatches a plan to revive a technology thought to be dead


I recently noticed a curious phenomenon. Public Key Infrastructure, once rumored to be dead, is making a comeback. Several high-profile institutions are now deploying a technology that I assumed had been extinct since the dot-bomb era. It's sort of technology's version of the coelacanth. This was a fish that was assumed to have been extinct for hundreds of thousands of years and then, bam!, one turns up in a fisherman's net off the coast of Madagascar.

I admit I have a certain fondness for Public Key Infrastructure, or PKI as it is commonly known (at least that is the three-letter version). PKI is commonly described using choice four-letter words as well. That's because it came into favor, and just as ingloriously fell out of it, with the boom of the '90s.

I should know, because I cut my security teeth on the bleeding edge of PKI. In 1992, I took a position as the director of electronic commerce with a company that sought to deploy a global certificate authority (CA) that would issue the digital certificates used to process PKI. Under our plan, all other CAs would be subordinate to us, and we would sit atop a giant pyramid scheme raking in monopoly profits by charging pennies on all the billions of e-commerce transactions around the world.

The only problem was that other PKI companies were busy scheming with their own plans to take over the e-commerce world. While we were plotting against each other, we forgot to actually deploy the technology. After a few years of hand waving, PowerPoint presentations and whiteboard discussions, investors began demanding that we start earning our keep by making a profit. Silly realists!


Posted by iang at December 9, 2004 04:59 PM

Here's another area where I'm out of step with the cool security dudes. I think it makes a lot of sense for people to own and use public keys in their online activities. I fully agree that using user name and password to log in is stupid, and in my experience SecurID is a pain to use.

PKI means different things to different people. To me, it means the necessary infrastructure (that's the I) to support the widespread use of public key (the PK) cryptography. From this perspective, there's nothing to be afraid of in PKI. The connotations most people have, that it means Verisign shaking you down for three hundred bucks a year for a cert, is far too narrow. PGP web of trust is a PKI. There are many other ways of setting up a PKI.

The main problem is that the narrow business interests are of course only looking for ways to proceed that are profitable. So we should look to hobbyists and open source groups to spread a real PKI. But largely because of the anti-PKI activism from the grass roots security community, there are few efforts along these lines, and what there are don't have widespread support.

There is a whole world of cryptographic technology waiting to be developed and implemented. Credential systems, fancy kinds of signatures, new protocols; but all rely, at the bottom, on some form of public key cryptography. Without a widespread infrastructure for supporting PKC, these more advanced systems can't get off the ground.

I wish people would take off the blinders when thinking about PKI and see that there is more to it than the narrow business efforts of the past. Cryptographers in particular should support the use of PKC and the PKI which enables it. That is the only way forward for our field to achieve its potential in terms of bringing value to society.

Posted by: Cypherpunk at December 9, 2004 06:44 PM


only one reply to the comments made to this lament:

trusted devices

and open again is Pandora's box.



Posted by: Twan at December 9, 2004 06:55 PM

What is really sad is the amount of time and effort that went into legislating Certificate Authorities and the ability of State and Federal governments to see a chance to tax the damn thing before they even made a profit. Now the Certificate Authority laws will lie on the books for years until they decide they can enforce them or even understand the full scope of it. Yet another moustache cup law waiting to be dropped on the innocent.

Posted by: Jimbo at December 9, 2004 07:56 PM

What does PKI refer to? Well, sure, as a bunch of initials it means the infrastructure behind PK. And it would be nice if that was a useful definition, because we could all get on and build them.

But, pragmatically, the "infrastructure" needs for a PGP style PKI are so lightweight, in comparison with the x.509 cousin, that one doubts that they are the same thing. This doesn't mean lightweight is weakling; far from it, and I can attest to the fact that a PGP style infrastructure is far stronger and far more complete than an x.509 infrastructure can dream of being (being able to do dual sigs makes a world of difference). But, it remains that they are two very different things, and therefore we need two words.

And, then, in the marketplace, when companies say PKI they mean one and only one thing. They mean the x.509 / CA / centralised hierarchical architecture thing that burst into flight then orbit in the 90s, only to fall like a meteor and burn up on re-entry. I have a PKI requirements doc on my desk right now. It literally admits no concept other than the x.509 centralised design.

So when it comes to definitions of the word, I feel it is something to shrug one's shoulders at. PKI is an x.509 / CA / hierarchical beast. PGP is something different. That's just me. I'll change my mind the day the consultants start selling PKIs with a choice of x.509 and WOT.

Cypherpunk, I believe you're totally correct in that the future is with the "open" side. But, the direction is not going to come from PKI (of either form) but from your own earlier comment that it is safe to say these things as a nym! Nyms are the future. Mark these words; another prediction that might get proven wrong ;-)

Posted by: Iang at December 9, 2004 08:37 PM

If you look at Ellison & Schneier's paper Ten Risks of PKI, you'll see that many of the risks apply to any infrastructure for public keys.

Risk #1: "Who do we trust, and for what?"

That's a big problem with the PGP web of trust, reputation systems, and other decentralized attempts to create a PKI. It's not just about CAs and X.509.

Risk #2: "Who is using my key?"

Who controls your key? How do you protect it? Again, a problem that goes beyond CAs.

Risk #3: "How secure is the verifying computer?"

A problem any time you're relying on someone else's signature, whether a CA, a PGP web of trust key signer, or just a digitally signed message or contract.

Risk #4: "Which John Robinson is he?"

Again a problem with any identity based key management system, not just X.509 CAs.

Etc., etc. This is a really bad paper (I saw you wrote a critique of it too) partially because it fails to distinguish between the commercial-CA-X.509 flavor of PKI, and the more general issues which arise with any attempt at wide scale use of public keys to do something practical. But it does show how there is confusion between the various uses of the term.

Posted by: Cypherpunk at December 10, 2004 03:31 PM

It depends on the definition we agree on, and the assumptions we set for ourselves!

If you look at all four of those risks you will see that they all assume that there is a strong link between a key and a human. Something like "this key is owned by this human." Or it might be the other way around, sometimes I wonder.

If we don't assume this, then all four of those risks are non-risks. In fact, OpenPGP and its web of trust do *not* assume this; there is a UserId field which is totally open. Custom suggests an email format, but it's not slavishly followed.

If instead we look at x.509, as a format it assumes the identity. One person, one key. The CA assumes a key; one individual, one set of documents. As an approximation, we can assume that most identity based key management systems are based on x.509 and CAs. So if identity based key management systems are what you call PKIs, then sure, we can agree on that.

But the really interesting stuff is happening out there where keys are not pre-ordained as belonging one-for-one with humans. We can pretty much stab around the whole SSL browsing PKI and say that the reason it failed was "one person, one key." If the systems, implementors, CAs, analysts and investors hadn't been so fixated on that (and selling those one persons their one keys), we would have every browser with a cert and every mailer with several by now, and the net would be a whole lot safer.

Oh, and a lot more certs would have been sold, but that's of no interest.

Posted by: Iang at December 10, 2004 07:36 PM
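The two comments above (Iang on PGP-style versus x.509 infrastructure, with its single issuer and no room for "dual sigs", and Iang again on OpenPGP's free-form UserId versus x.509's one-person-one-key) describe two different validity models. The following is an added example, not code from this page or from any of the commenters, that puts the two models side by side in plain Python. It assumes GnuPG's classic defaults for the web of trust (one fully trusted introducer or three marginally trusted ones, trust propagating at most five hops); the page itself states no such thresholds. All names, fingerprints, certifications and trust settings are constructed for the illustration.

```python
"""Hierarchical (X.509-style) validity beside web-of-trust (OpenPGP-style)
validity.  Names, fingerprints and trust settings are constructed for this
example; the 1-full / 3-marginal / depth-5 thresholds are GnuPG's classic
defaults, assumed here, not something the original page specifies."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """X.509 shape: exactly one subject and exactly one issuer per certificate."""
    subject: str
    issuer: str
    fingerprint: str


def x509_valid(leaf, certs_by_subject, trust_anchors, max_depth=5):
    """Walk issuer links from the leaf until a trust anchor is reached.
    Fails on a missing issuer, a loop, or a chain longer than max_depth."""
    cur, seen = leaf, set()
    for _ in range(max_depth + 1):
        if cur.fingerprint in trust_anchors:
            return True
        if cur.fingerprint in seen:          # self-signed but not an anchor, or a loop
            return False
        seen.add(cur.fingerprint)
        cur = certs_by_subject.get(cur.issuer)
        if cur is None:                       # issuer unknown: chain is broken
            return False
    return False


@dataclass
class Key:
    """OpenPGP shape: any number of free-form user IDs, each certified by any
    number of other keys (the multiple signatures a single-issuer format cannot hold)."""
    fingerprint: str
    uids: list
    certs: dict = field(default_factory=dict)   # uid -> set of signer fingerprints


def wot_valid_keys(keys, owner_trust, ultimate,
                   completes_needed=1, marginals_needed=3, max_depth=5):
    """Keys the verifier accepts: a key becomes valid when one of its user IDs
    carries certifications from enough already-valid keys whose owners the
    verifier trusts as introducers.  Iterates to a fixpoint, so trust reaches
    at most max_depth hops from the verifier's own (ultimately trusted) keys."""
    valid = set(ultimate)
    for _ in range(max_depth):
        newly = set()
        for fpr, key in keys.items():
            if fpr in valid:
                continue
            for signers in key.certs.values():
                trusted = [owner_trust.get(s) for s in signers if s in valid]
                full = trusted.count("full") + trusted.count("ultimate")
                marginal = trusted.count("marginal")
                if full >= completes_needed or marginal >= marginals_needed:
                    newly.add(fpr)
                    break
        if not newly:
            break
        valid |= newly
    return valid


def demo():
    """Constructed scenario: the same parties under both models."""
    root = Cert("Example Root CA", "Example Root CA", "ROOT")
    inter = Cert("Example Issuing CA", "Example Root CA", "INTER")
    bob_cert = Cert("bob@corp.example", "Example Issuing CA", "BOB-X509")
    stray = Cert("build@corp.example", "Some Other CA", "STRAY")
    by_subject = {c.subject: c for c in (root, inter, bob_cert, stray)}
    x509 = {
        "bob": x509_valid(bob_cert, by_subject, {"ROOT"}),     # chain reaches ROOT
        "build": x509_valid(stray, by_subject, {"ROOT"}),      # issuer unknown
    }

    keys = {
        "ALICE": Key("ALICE", ["Alice <alice@example.org>"]),  # the verifier's own key
        "BOB": Key("BOB", ["Bob <bob@example.org>", "Bob (work) <bob@corp.example>"],
                   {"Bob <bob@example.org>": {"ALICE"}}),      # one key, two user IDs
        "CAROL": Key("CAROL", ["Carol"], {"Carol": {"ALICE"}}),
        "DAVE": Key("DAVE", ["Dave"], {"Dave": {"ALICE"}}),
        "ERIN": Key("ERIN", ["Erin"], {"Erin": {"ALICE"}}),
        # a key that is not a person at all; three peers vouch for it
        "BUILD": Key("BUILD", ["release signing key"],
                     {"release signing key": {"CAROL", "DAVE", "ERIN"}}),
        "FRANK": Key("FRANK", ["Frank"], {"Frank": {"CAROL"}}),   # one marginal: not enough
        "MALLORY": Key("MALLORY", ["Alice <alice@example.org>"]),  # copies a UID, no certs
    }
    owner_trust = {"ALICE": "ultimate", "BOB": "full",
                   "CAROL": "marginal", "DAVE": "marginal", "ERIN": "marginal"}
    wot = wot_valid_keys(keys, owner_trust, ultimate={"ALICE"})
    return x509, wot


if __name__ == "__main__":
    x509, wot = demo()
    print("X.509 chain to ROOT:", x509)
    print("WOT valid keys:", sorted(wot))
```

The x.509 side can only answer "does this single subject chain to my single anchor?", so the build key, which no CA in the anchor's hierarchy issued, is simply invalid. The web-of-trust side accepts the same key because three people the verifier marginally trusts certified it, and it does so without the key's UserID naming any person at all; MALLORY's copy of Alice's UserID gains nothing, since validity comes from certifications the verifier trusts rather than from the string in the UserID.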

I don't know why people are determined to try to turn (decent) product markets into (failed) service markets. Selling CAs seems like it has fewer problems than selling certs, but they were determined to sell certs. Likewise, all the money in Wi-Fi is in the equipment, not the hotspot service providers, despite many headlines to the contrary.

BTW, Apple is integrating X.509 into OS X effectively for free. I'm not sure why; maybe because you can't sign email with Kerberos?

Posted by: Wes Felter at December 13, 2004 07:39 PM

hi Wes,

I guess the reason to use x.509 anywhere is that there is a large installed base of mailers that can understand it; why not try and use them?

The reason for using x.509 for free should be self-evident. What I have yet to find a satisfactory answer to is why you would insist on not using them for free?


Posted by: Iang at December 14, 2004 09:33 AM