Public Key Infrastructure 1998 – 2012

Sunday, March 25, 2012

Ben Rothke


For much of the early part of the previous decade, PKI (Public Key Infrastructure) was all the rage. 

Strictly defined, PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. 

Loosely defined, it’s a monstrosity.

For a number of years, Gartner proclaimed that the coming year would be the year of PKI. That year seemingly never came, and most people are still waiting.

But as long ago as 2002, many proclaimed PKI was dead; very dead. Scott Berinato in fact wrote in Only Mostly Dead that “PKI is dead, mercifully. PKI arrived as a gimpy pony in the first place, and by now we are pretty tired of beating a dead horse.”

I spent some time in the world of PKI as an employee of Baltimore Technologies in 2000-2001.  At the height of the PKI boom, Baltimore was a FTSE 100 firm with thousands of employees and a market capitalization of over US $13 billion. 

After myriad acquisitions and fire sales, Baltimore was finally acquired by Oryx International Growth Fund in July 2006 and has a scant 12 employees.

So why is PKI dead in 2012? First, let's step back to 1998, when PKI history was made: President Bill Clinton and Ireland's Prime Minister Bertie Ahern digitally signed an inter-governmental communique using PKI security technology.

While the ceremony was heavy with music and a cheering audience, the security-savvy viewer can only watch the video with incredulity as Clinton observes Ahern enter his passcode, and the two men then exchange the smart cards holding their private keys, violating the very foundation of PKI security: a private key is never shared, not even with the other party to the signature.

Perhaps that was the downfall of each of the men and PKI itself.  Later in 1998, Clinton would be impeached.  Just recently, Ahern announced his resignation from the Fianna Fail Republican Party rather than be expelled over an investigation into secret payments he received while in office.

Ironically, this was the culmination of a 15-year investigation organized by Ahern's own government into bribery and corruption in Irish political life.  So at the time of the PKI video, each of the key holders was engaged in their own illegal activities.
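Why the smart-card swap described above defeats the purpose of the ceremony can be shown in a few lines. A signature is produced with the signer's private key and checked with the signer's public key alone, so the only thing the two parties ever needed to hand each other was a public key. The following is an added example, not code from the post or from any PKI product; it uses textbook RSA over a SHA-256 digest with short keys and no padding, purely to make the key-separation point visible (a real deployment uses a vetted library such as `cryptography`), and the communique text and party names are constructed for the illustration.

```python
"""Why the Clinton/Ahern smart-card swap undermines PKI: a signature is
checked with the signer's PUBLIC key alone, so a private key never has to
leave its holder. Textbook RSA over a SHA-256 digest, for illustration only
(no padding, short keys); production code uses a vetted library."""
import hashlib
import random

E = 65537  # conventional public exponent (prime)


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _square in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def random_prime(bits, rng):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, rng=None):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    rng = rng or random.SystemRandom()
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        # Because E is prime, gcd(E, phi) == 1 exactly when E does not divide phi.
        if p != q and phi % E != 0:
            n = p * q
            return (n, E), (n, pow(E, -1, phi))


def digest_as_int(message):
    """SHA-256 digest as an integer; always smaller than a 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    """Only the holder of the private exponent d can produce this value."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(public_key, message, signature):
    """Anyone holding (n, e) can check the signature; no private material needed."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message) % n


def signing_ceremony(rng=None):
    """Each party signs with its OWN private key; each verifies the other's
    signature using only the exchanged PUBLIC keys. Returns the checks."""
    rng = rng or random.Random(1998)  # seeded so the run is repeatable
    communique = b"Joint communique (constructed sample text, not the 1998 original)"
    clinton_pub, clinton_priv = generate_keypair(rng=rng)
    ahern_pub, ahern_priv = generate_keypair(rng=rng)
    sig_clinton = sign(clinton_priv, communique)  # private key stays with Clinton
    sig_ahern = sign(ahern_priv, communique)      # private key stays with Ahern
    return {
        "ahern_verifies_clinton": verify(clinton_pub, communique, sig_clinton),
        "clinton_verifies_ahern": verify(ahern_pub, communique, sig_ahern),
        "altered_text_rejected": not verify(clinton_pub, communique + b"!", sig_clinton),
        "wrong_key_rejected": not verify(ahern_pub, communique, sig_clinton),
    }


if __name__ == "__main__":
    for check, outcome in signing_ceremony().items():
        print(f"{check}: {outcome}")
```

Every check in `signing_ceremony` succeeds while each private key remains with its owner, which is the whole point: once a card carrying the private key changes hands, the recipient can forge the other party's signature, and the signature no longer proves who signed.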

PKI was and still is a powerful set of technologies. But it was a solution far ahead of its time. It was doomed by a lack of standards, interoperability issues, deployment complexities, a level of complication that confounded even technologically competent end users, and more.

So perhaps it is Mr. Ahern’s indictment that is the final death blow on the once mighty PKI.  Unless of course Gartner resurrects it as one of the hot technologies of 2Q2012.


Ben Rothke is an information security manager and the author of Computer Security: 20 Things Every Employee Should Know.

Brian Christie: I guess nobody has told our military that PKI is dead... they are using it every day for unclassified email and various website access permissions.

Isn't SSL based on PKI too? All of our HTTPS websites depend on PKI for protection.

I don't understand how anybody can say PKI is dead. Everybody uses it even if they don't realize it.