May 23, 2002 — CSO — PKI is dead. Mercifully. PKI arrived as a gimpy pony in the first place, and by now we are pretty tired of beating a dead horse.
If you think it seems naive to summarily dismiss an entire platform, I would agree. Writing its obit wasn't my idea. It was inspired by a leading PKI vendor.
Before we get to that, let's step back. As complex as Public Key Infrastructure is, the theory is sound. Crudely, it's customs for Internet transactions. The "passports" are digital certificates. A trusted third party, a Certificate Authority, publishes half of that passport as a public key. You keep the other half, the private key. To make a transaction, match the private and public keys. When it works, PKI really works.
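The trust relationship behind the passport analogy, as an added example in Go (not the column's own material): a relying party honours a certificate only when the CA's signature on it verifies against a root it chose to trust in advance, and refuses an otherwise identical certificate issued by a CA it has never heard of. The CA names, "alice", and the 24-hour validity window are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has signer's key sign a certificate binding the name cn to pub. A nil parent
// makes the template sign itself, which is how a CA root comes into existence.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random ones
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // a root is allowed to sign certificates for others
		parent, tmpl.KeyUsage = tmpl, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// accept plays the relying party: the "passport" is honoured only if its CA signature
// verifies against a root we chose to trust beforehand. Returns nil when it does.
func accept(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// Demo presents Alice's certificate from the CA we trust, then an identical-looking
// one from a CA we never agreed to trust; returns the outcome of each.
func Demo() (trusted, stranger error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert := issue("Trusted CA", caPub, nil, caKey)
	otherPub, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	otherCA := issue("Unknown CA", otherPub, nil, otherKey)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader) // Alice keeps the private half
	return accept(issue("alice", alicePub, caCert, caKey), caCert), accept(issue("alice", alicePub, otherCA, otherKey), caCert)
}

func main() { fmt.Println(Demo()) }
```

The second result is Go's "certificate signed by unknown authority" error: the stranger's certificate is well-formed and correctly signed, it simply was not signed by anyone this relying party agreed to trust.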
It's just that it rarely works. "Experts say the promise of PKI is real but that challenges remain." This was from a news item last week, but it might as well have been from 1997. The truth is, PKI is terminally promising. Every year since 1997 has been the "year of PKI." It has been called a "silver bullet" and a "guarantee" for secure online commerce. In 1997 it was called "high-tech bug spray" to stop "viral warfare." When that didn't work, it became the safest way to shop online in 1999. When that didn't work, it became perfect for the wireless market in 2000. PKI is always just about to revolutionize electronic transactions somewhere.
It never does. For two reasons.
First, vendors, in typically greedy fashion, refused to create standards, so that as recently as last week, an engineer was wondering why one vendor's digital certificates crashed another vendor's e-mail program. Second, vendors, in typically greedy fashion, skewed the business model for PKI to generate large chunks of revenue up front, before the systems even worked, by making CIOs buy stockpiles of digital certificates.
So while the concept behind PKI was appealing, everything else about it was shoddy. Vendors approached PKI arrogantly and CIOs approached it ignorantly. This worked during the bubble years because everyone could afford their respective approach. PKI was the prototypical Internet boom technology.
Then the boom ended. CIOs' sudden necessity to think before they spent meant PKI went from a weak blip on radar screens to no blip at all. The spending crash didn't just humble PKI vendors; it humiliated them. They reported massive losses and layoffs. They couldn't sell a cup of coffee, let alone a technology platform that was so complex you needed a glossary to navigate its arcana.