[LINK] Commercial PKI model [was: Electronic witnessing ...]
Stephen Wilson
swilson at lockstep.com.au
Fri Jul 30 15:22:35 AEST 2010
Pilcher, Fred wrote:
> IMIO (the second I standing for "ignorant") the commercial PKI model
> seems to be the archetypal house of cards, with multiple potential
> points of failure. It's always seemed to me that the "web of trust"
> model is much more robust and more trustworthy.
IMIO -- the second I standing for "informed" ;-) -- the commercial PKI
model was always doomed to fail, and fail it has. But it frustrates me
that "PKI" as a concept has been cemented in people's minds in its
original utopian form.
Briefly, orthodox PKI (aka the "Big CA") failed because it purported to
solve the problem of "trust" or more specifically stranger-to-stranger
e-business by aiming for a one-size-fits-all electronic passport. The
passport metaphor was all wrong. In actual business, we don't deal with
people on the basis of their personal identity, and the "trust" we have
in a transaction is not simply proportional to the "strength" of the
personal identity. Simple illustration: I 'trust' my doctor more than
most people I deal with, but I know very little about their personal
identity.
Further to the metaphor, the passport idea was deeply misleading at
another level: it's not universal. My passport actually does not grant
me automatic access to any old country. I need a visa for many places,
and visas are issued country-by-country according to local rules. So
there is no global "trust model" today. The PKI ideal was utopian,
un-real.
"Serious" stranger-to-stranger e-business is rare, perhaps
non-existent. We almost always transact with people on the basis of
some special credential they have which authorises them in a specific
context. And those credentials come from a diverse range of established
authorities each operating under its own codification. So, personal
identity matters little, different transactions need different
credentials, and no one "trusted third party" could ever replace the
multitude of existing authorities which preside over healthcare,
government, banking, accounting, trade, etc etc.
There are more modern PKI formulations that seek to preserve extant
authority structures, by issuing application-specific digital
certificates, under local registration rules, in order to represent
users' specific credentials, and not their personal identities.
Cheers,
Steve.
Lockstep Group
Phone +61 (0)414 488 851
www.lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.