
Only Mostly Dead

May 23, 2002
CSO and CISO | Data and Information Security

PKI is dead. Mercifully. PKI arrived as a gimpy pony in the first place, and by now we are pretty tired of beating a dead horse.

If you think it seems naive to summarily dismiss an entire platform, I would agree. Writing its obit wasn’t my idea. It was inspired by a leading PKI vendor.

Before we get to that, let’s step back. As complex as Public Key Infrastructure is, the theory is sound. Crudely, it’s customs for Internet transactions. The “passports” are digital certificates. You hold a pair of keys: a public key anyone may see and a private key you keep to yourself. A trusted third party, a Certificate Authority, signs a certificate that binds your public key to your identity. To make a transaction, you sign it with your private key; the other side checks the CA’s signature on your certificate, then checks your signature against the public key inside it. When it works, PKI really works.
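The exchange just described, as an added example in Go that is not from the article or from any vendor’s product: a self-signed root CA issues a certificate for a fresh key pair, the holder signs a transaction with the private key, and the relying party checks both the chain and the signature. The CA and subject names, the “rogue” CA and the sample transaction are constructed for the example; it uses only Go’s standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate (the "passport", carrying only the public key) with the private key its holder keeps.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a key pair and signs a certificate for name; ca == nil means a self-signed root.
func issue(ca *Identity, name string, serial int64) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parent, parentKey := tmpl, key // self-signed unless an issuing CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parent, parentKey = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// Sign is the holder's half of a transaction: a signature made with the private key.
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, id.Key, h[:])
}

// VerifyTransaction is the relying party's half ("customs"): the certificate must chain
// to a trusted root, and the signature must verify under the public key it carries.
func VerifyTransaction(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match the public key in certificate %q", cert.Subject.CommonName)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo runs the exchange end to end and reports whether each of the three cases was handled.
func Demo() (genuineOK, forgedRejected, tamperedRejected bool) {
	ca := must(issue(nil, "Example Root CA", 1))        // hypothetical trusted third party
	alice := must(issue(ca, "alice@example.com", 2))    // hypothetical customer
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert) // the relying party trusts this CA and nothing else
	msg := []byte("order 42: 3 widgets") // constructed sample transaction
	sig := must(alice.Sign(msg))
	genuineOK = VerifyTransaction(roots, alice.Cert, msg, sig) == nil
	// Forgery: same name, but the passport was issued by a CA nobody trusts.
	rogue := must(issue(nil, "Rogue CA", 1))
	mallory := must(issue(rogue, "alice@example.com", 3))
	forgedRejected = VerifyTransaction(roots, mallory.Cert, msg, must(mallory.Sign(msg))) != nil
	// Tampering: genuine passport, but the message was altered after signing.
	tamperedRejected = VerifyTransaction(roots, alice.Cert, []byte("order 42: 300 widgets"), sig) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Note what the relying party never needs: the customer’s private key. The certificate carries only the public key, and a second certificate bearing the same name is worthless unless a CA the verifier already trusts signed it, which is the whole point of the trusted third party.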

It’s just that it rarely works. “Experts say the promise of PKI is real but that challenges remain.” This was from a news item last week, but it might as well have been from 1997. The truth is, PKI is terminally promising. Every year since 1997 has been the “year of PKI.” It has been called a “silver bullet” and a “guarantee” for secure online commerce. In 1997 it was called “high-tech bug spray” to stop “viral warfare.” When that didn’t work, it became the safest way to shop online in 1999. When that didn’t work, it became perfect for the wireless market in 2000. PKI is always just about to revolutionize electronic transactions somewhere.

It never does. For two reasons.

First, vendors, in typically greedy fashion, refused to agree on interoperable standards, so that as recently as last week, an engineer was wondering why one vendor’s digital certificates crashed another vendor’s e-mail program. Second, vendors, in typically greedy fashion, skewed the business model for PKI to generate large chunks of revenue up front, before the systems even worked, by making CIOs buy stockpiles of digital certificates: something like a camera company making you buy 1,000 rolls of film before you get a camera.

So while the concept behind PKI was appealing, everything else about it was shoddy. Vendors approached PKI arrogantly and CIOs approached it ignorantly. This worked during the bubble years because everyone could afford their respective approach. PKI was the prototypical Internet boom technology.

Then the boom ended. CIOs’ sudden need to think before they spent meant PKI went from a weak blip on radar screens to no blip at all. The spending crash didn’t just humble PKI vendors, it humiliated them. They reported massive losses and layoffs. They couldn’t sell a cup of coffee, let alone a technology platform so complex you needed a glossary to navigate its arcana.

Entrust is the PKI vendor that suggested PKI has gone flatline, when its executives visited us here at CIO. This doesn’t mean Entrust is going away, or that the company doesn’t have a viable business. What the executives meant was that the business model for digital certificates has changed so radically that, while some of the backend technology remains the same, the term PKI is no longer useful. And marketing PKI as a concept doesn’t work. So don’t go looking for the PKI TLA (three-letter acronym) on its Web page. And don’t ask about Entrust’s PKI products. Entrust deliberately eliminated the term about a year ago, when the company was forced to reinvent itself.

Normally, I don’t trust vendors when they come here talking about renaissances, and I’m still not convinced about Entrust’s latest reform. Repositioning usually equals desperation. So I’m staying bearish on PKI, or whatever the vendors call it now.

Nonetheless Entrust has made some deft choices post-boom. It stopped trying to land enterprisewide PKI deployments and now focuses on smaller projects in vertical markets. In other words, the company has foregone huge-revenue projects with a high chance of failure for modest-revenue projects with a lower chance of failure.

Even more impressive, Entrust hired Ed Pillman as a senior vice president. Pillman used to be the CIO of Nortel Networks (the company Entrust was spun out from). In other words, PKI’s target customer. It’s clear Entrust’s reinvention has a lot to do with Pillman’s telling executives ugly truths about why he wouldn’t touch PKI as a customer. You get the sense Pillman enjoyed forcing medicine down their throats. To their credit, Entrust executives accepted it.

And now, Entrust is growing. It has more customers than ever, and last quarter the company lost 5 cents per share, compared to a loss of 35 cents per share a year ago.

Which means PKI is still dead, but maybe not quite as dead as before. Imagine if they had asked a CIO, you know, one of their customers, how to make PKI work a long time ago.