Where is PKI going?

MerchantSelect.Com speaks with Dirk Vieira, Senior Information Specialist with EDS, about digital signatures and PKI technology. Mr. Vieira offers insight into the challenges, opportunities and future of this complex yet exciting technology.

MerchantSelect: Why is PKI adoption so slow?

Dirk: I believe the main reason for the slow adoption of PKI is the cost. PKI, unlike other technologies, requires a higher investment for ongoing operations. For most other technologies, the infrastructure investment is for software, servers, and ongoing operations. However, for PKI, it also includes the cost of performing the registration process. So, on top of the “millions” required to implement the PKI, there is the cost to develop the registration processes, and to operate and maintain them. This cost has also made it prohibitive to adopt multiple registration processes, which in many cases is required from a service perspective, since different business scenarios usually require a different process or assurance level for the use of digital certificates.

The next major reason is the incompatibility of PKI products from different vendors. Many of the PKI vendors have their own interpretation of the standards, such as X.509, and as a result there are nuances between the different implementations. There has been some work done to bridge this gap by two of the major vendors, but it is unclear what “fruits of their labour” have been borne of this effort. This has made cross-certification a challenge in many environments, and has been a factor in the adoption of PKI, since from a business perspective, if a choice of one vendor is made, there is the potential that an organization may end up being a “PKI island”, without any means to use the technology beyond “its walls” to conduct trusted electronic business with its clients, suppliers and partners.

Another factor is the maturity of the peripheral products required to use PKI effectively. In many cases the capabilities of the software are not at the same level of functionality as other “new” technologies, such as web services.

The impact on processing is less of an issue, because of the processing capabilities of computer systems today. Most high-end systems are very scalable “up” and “out”. This becomes a consideration for very high volume transactional applications, but there are mechanisms, such as the use of encryption accelerators and HSMs, that can be used to mitigate this to some extent.

Legislation over the last few years has improved immensely. Many “developed” countries have laws dealing with privacy and digital signatures, which address many of the issues. However, there are some issues that have not been solved yet, and governments and legislation will be key to the solution. One of these issues is with regard to the possession of multiple certificates, and the management of them. In other words, if an individual is issued certificates from multiple sources, there is not an easy mechanism for them to choose which certificate to use for a specific transaction or function. And because of political, jurisdictional, and liability constraints, as well as because of “cross certification” issues, it is difficult at this time to believe that one digital certificate could be used across multiple organizational entities.

MerchantSelect: What will encourage adoption?

Dirk: The problem with PKI is that it is expensive to develop the technology; therefore vendors have priced their products to recover investments, and to generate profits. This results in higher prices, which is part of the reason for the slow adoption of the technology. Businesses need to balance the investment or purchase with the return on this investment. This ROI is still unclear, thus making the financial benefits of adoption unclear.

Adoption of PKI can be encouraged through the reduction of implementation costs, which not only includes the cost of licensing of certificates, but also the cost of implementing the required registration processes. In many implementations, custom software is developed to manage this process, or bulk load files are FTPd to be imported into the Certificate Authority. Commercial-Off-The-Shelf software that can effectively fill this gap, reducing implementation and operations costs, will be a factor in increasing the viability of PKI.

MerchantSelect: What are/will be the benefits for merchants, banks and consumers?

Dirk: I believe governments should be added to this list. The main benefit of PKI is the integrity it brings to the authentication process. It provides a mechanism that in effect can promote trust between entities, whether they are governments, merchants, banks or consumers. A merchant or bank can ensure the validity of transactions and the identity of the individual that performed the transaction. Governments and consumers will be more interested in the encryption capabilities, and the use of it to protect sensitive information while it travels across the network, and in storage.

MerchantSelect: Where do you think the future of digital signatures is going?

Dirk: I believe digital signatures will become as common as it is now to physically sign our own signature. In saying that, however, a caveat is that we are a long way from this. To achieve this, devices to store certificates and keys will have to become as commonplace as pens are. As well, devices or software will have to become much more tightly integrated with systems and applications that will be required to have electronic documents, transactions or information digitally signed. One scenario could be computers or kiosks with card readers for smart cards, which will allow the digital signing of electronic forms. Another scenario may be devices that create a mark on paper, much like a bar code, with information that equates to a digital signature (i.e. created with the use of an individual’s private signing keys), or with information to facilitate easier retrieval or validation of digital signature credentials.

MerchantSelect: Are digital signatures likely to be adopted by merchants? In what industries will they be most used?

Dirk: Merchants will very likely adopt the use of digital signatures, more for online electronic transactions than for “over the counter” retail type transactions. Digital signature legislation, and the liabilities assumed by different parties, will be key to this adoption. If I had to rank the order of industries in which PKI is being, and will continue to be, adopted, I would suggest:

· Government will be key to the development of e-government initiatives that will provide more services to citizens at a lower cost to government.
· Healthcare will be an important component for the protection of information through encryption, access control, and the non-repudiation of transactions. This adoption will be fuelled by the HIPAA legislation in the U.S.A.
· Financial will be adopted for the non-repudiation of online financial and banking transactions, such as funds transfer or stock purchases.

There will be adoption of PKI in other industries, such as manufacturing, but the three mentioned will in general be the first adopters, and the largest adopters.