[LINK] What's changed in PKI? [was: Electronic witnessing ...]

Stephen Wilson swilson at lockstep.com.au
Fri Jul 30 17:04:30 AEST 2010

Roger Clarke wrote:
> At 10:40 +1000 30/7/10, Kim Holburn wrote:
>> 1. That if anyone else knows your private key it isn't private anymore
>> (suddenly and possibly unknowably from that point on).
>> 2. How to verify it's really you (which is complex enough and just as
>> important). ...
> Ah, memories of things done a decade back:
> http://www.rogerclarke.com/II/ECIS2001.html
> Has anything actually changed since then, Stephen?
Thanks Roger,

Yes, heaps has changed.  The main thing, as I espoused earlier today, is 
that "PKI" has separated into multiple, domain-specific credential (not 
personal identity) management systems.  So some of the biggest PKIs in 
the world now are embedded and invisible; e.g. Skype, cable TV set-top 
boxes, and EMV smart payment cards.  There are a few overt PKIs, where 
the operators have chosen to make the keys and certificates visible as 
such, like the Danish and Taiwanese government PKIs where citizens have 
smartcards that are used for transacting online. 
> Do any RAs actually perform effective authentication of either humans 
> or corporations?  (Or, even more difficult, government agencies).
RAs working with general purpose "Big CAs" have fallen away.  As others 
have pointed out, entrusting a third party to conduct identity proofing 
of strangers, so that they can use digital certificates (to transact 
with other strangers) raises all sorts of security issues, and creates 
concentrated points of failure. 

The more modern PKI approach is to delegate "RA" functions to bodies 
that are already entrusted to perform enrolment in defined contexts (and 
dedicate the certificates to associated applications).  So when you get 
an EMV smartcard for banking, your bank has in effect acted as an RA.  
Similarly, if we ever have a smartcard for medical professionals, it 
would be best for existing credentialling bodies to act as RAs.  I was 
involved in a pilot some years ago where Medicare's PKI "HeSA" issued 
digital certificates for small communities of interest like hospitals, 
and medical specialities, intended to be used only for select 
applications (like signing discharge summaries for a hospital where you 
work).  The idea was to carry forward to NEHTA.

Project Gatekeeper in fact supports this kind of PKI model now, for 
issuing "Relationship Certificates".

> Has anyone ever implemented a private-key protection technology that 
> can work in the wild, wild world of Internet-connected consumer 
> devices (as distinct from tightly-controlled thin clients within 
> closed networks)?
Absolutely.  The best thing to do with private keys is keep them in 
personal hardware security modules, aka smartcards and their kin.  The 
preferred form factor for digitally signing transactions using PKI keys 
and certificates in many places is now the smartcard: US Government 
"PIV" cards are used to sign e-mails in one's BlackBerry.  There are 
national schemes in Taiwan, Estonia, Slovenia and Denmark.  There is a 
new wave of laptops coming with integrated smartcard readers. 

The thing about smartcards is that they hide all the details, even the 
fact that you have asymmetric keys.  Nobody needs to know the 
"mathematical and technical" principles embedded in a smartcard, just as 
nobody needs to know about electromagnetics in order to use a mag stripe 



Stephen Wilson
Managing Director
Lockstep Group

Phone +61 (0)414 488 851

www.lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy.  Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
