[LINK] Commercial PKI model [was: Electronic witnessing ...]
swilson at lockstep.com.au
Fri Jul 30 15:22:35 AEST 2010
Pilcher, Fred wrote:
> IMIO (the second I standing for "ignorant") the commercial PKI model
> seems to be the archetypal house of cards, with multiple potential
> points of failure. It's always seemed to me that the "web of trust"
> model is much more robust and more trustworthy.
IMIO -- the second I standing for "informed" ;-) -- the commercial PKI
model was always doomed to fail, and fail it has. But it frustrates me
that "PKI" as a concept has been cemented in peoples' minds in its
original utopian form.
Briefly, orthodox PKI (aka the "Big CA") failed because it purported to
solve the problem of "trust" or more specifically stranger-to-stranger
e-business by aiming for a one-size-fits-all electronic passport. The
passport metaphor was all wrong. In actual business, we don't deal with
people on the basis of their personal identity, and the "trust" we have
in a transaction is not simply proportional to the "strength" of the
personal identity. Simple illustration: I 'trust' my doctor more than
most people I deal with, but I know very little about their personal
Further to the mataphor, the passport idea was deeply misleading at
another level: it's not universal. My passport actually does not grant
me automatic access to any old country. I need a visa for many places,
and visas are issued country-by-country according to local rules. So
there is no global "trust model" today. The PKI ideal was utopian,
"Serious" stranger-to-stranger e-business is rare, perhaps
non-existant. We almost always transact with people on the basis of
some special credential they have which authorises them in a specific
context. And those credentials come from a diverse range of established
authorities each operating under its own codification. So, personal
identity matters little, different transactions need different
credentials, and no one "trusted third party" could ever replace the
multitude of existing authorities which preside over healthcare,
government, banking, accounting, trade, etc etc.
There are more modern PKI formulations that seek to preserve extant
authority structures, by issuing application specific digital
certificates, under local registration rules, in order to represent
users' specific credentials, and not their personal identities.
Phone +61 (0)414 488 851
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
More information about the Link