Is PKI Secure Enough?

If e-commerce is a hot subject, then so is public key infrastructure (PKI). But what value does PKI really have? If you ask some experts, the answer is little value if any, and the cited reasons are many. I recently read an article, "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure," by Carl Ellison and Bruce Schneier. Ellison is a senior security architect for Intel, and Schneier is founder of Counterpane Internet Security and author of "Applied Cryptography," the Blowfish and Twofish encryption algorithms, and other published material. In the article, the men address the question of whether PKI is really needed for e-commerce.

Ellison and Schneier remind us that e-commerce doesn't need PKI because e-commerce is already flourishing, with online vendors everywhere taking orders that lack a PKI-based certificate. On the other hand, Ellison and Schneier suggest that PKI does, in fact, need e-commerce to flourish; without it, PKI is a dead market.

To support those allegations, the authors discuss ten risks associated with PKI. To summarize, Ellison and Schneier point out that no mechanism exists to determine who used a given key, and certificate common names don't offer an easy way to identify the certificate owner. The authors present a long list of items related to how certificate information is mishandled during and after key generation and point out that when it comes to information security, people generally misunderstand the word trust.

Ellison and Schneier make some great points when suggesting that PKI technology is short-sighted on security and long-sighted on profit making. Although the article offers no thoughts about replacements for PKI, it did shoot down the entire idea of single sign-on (SSO) technology, citing PKI as the culprit behind SSO popularity. Ellison and Schneier think that if it weren't for marketing hype and the mad rush toward e-commerce, people would realize just how insecure PKI technology is.

Take some time to read their article, and let me know what you think. I'm also interested in whether your company depends on PKI for some amount of security? If so, how do you use it? If not, is it a consideration for future e-commerce or SSO projects? Does the article by Ellison and Schneier change your opinion? Stop by our home page and take the latest survey, or send me your thoughts by email. I'm anxious to know what you think. Until next time, have a great week.