Public Key Infrastructure analysis – PKI in the sky

Public Key Infrastructure has always been pitched as the essential cornerstone to e-business security, yet somehow the technology has failed to take off. On the surface this seems odd since the main purpose of PKI technology is to provide organisations with a secure method of exchanging sensitive data over internal or external networks – a badly needed facility in any kind of e-commerce development. PKI can even be integrated with ERP packages, centralising user access rights to large multi-site systems. In fact, it is described as the ultimate security solution to any online activity that would require a handwritten signature in the real world.

Given all of these facts, PKI should now be flourishing, yet nothing could be further from the truth. Early signs of technical difficulties with the technology started to hit the press at around this time last year, culminating in a poignant Ovum report entitled The myth of PKI interoperability.

In it, the technology is attacked for its inability to conform to universal standards. One of the myths of the e-services world, says the report cynically, is that PKI products from different suppliers are expected to work by clicking your heels together three times.

Unfortunately, we are not in Wonderland and the problems with PKI will take much more solving than this. At the core of PKI technology is the ability to encrypt and decrypt messages using public and private keys.

The public key used to encrypt messages can be published to a broad audience, while the private decryption key is kept secret by its owner and is the only key able to decrypt messages that were encrypted with that public key. Certificate authorities such as Baltimore Technologies or Verisign are responsible for the control and generation of keys in the form of digital certificates.
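As an added illustration of the key mechanics described above (example code written for this page, not from the original article or from any PKI vendor), the Go program below generates a key pair, encrypts a message to the public key, decrypts it with the private key, and shows that an unrelated private key cannot decrypt it. It also exercises the signature role of the key pair, which is what the comparison with a handwritten signature rests on. The type `KeyPair`, the names `alice` and `other`, the 2048-bit key size and the sample order text are constructed for the example; the RSA, OAEP and PSS primitives come from Go's standard library. One deliberate omission is the certificate authority step: here the public key is merely PEM-encoded, whereas in a PKI a CA binds it to an identity inside an X.509 certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// KeyPair holds one user's secret private key and the public key they publish.
// (Hypothetical helper type for this example; not from any PKI product.)
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates a fresh RSA key pair. The 2048-bit size is an assumption.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// PublicKeyPEM renders the public half in the PEM form that gets published.
// In a real PKI a certificate authority would wrap it in an X.509 certificate.
func PublicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// Encrypt seals a short message to the owner of pub using RSA-OAEP with SHA-256.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext with a private key. Only the key matching the
// public key used in Encrypt succeeds; any other key returns an error.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces an RSA-PSS signature over msg with the signer's private key:
// the digital counterpart of a handwritten signature.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature against the signer's published public key and
// reports whether msg is unmodified and was signed by the matching private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	other, _ := NewKeyPair() // a second, unrelated key pair

	// Constructed sample message for the demonstration.
	order := []byte("purchase order 42: 100 units")

	ct, _ := Encrypt(alice.Public, order)
	pt, err := Decrypt(alice.Private, ct)
	fmt.Printf("decrypt with matching key: %q (err=%v)\n", pt, err)
	_, err = Decrypt(other.Private, ct)
	fmt.Printf("decrypt with other key:    err=%v\n", err)

	sig, _ := Sign(alice.Private, order)
	fmt.Println("verifies with Alice's public key:", Verify(alice.Public, order, sig))
	fmt.Println("verifies with other public key:  ", Verify(other.Public, order, sig))
	fmt.Println("verifies on altered order:       ", Verify(alice.Public, []byte("purchase order 42: 900 units"), sig))

	pemText, _ := PublicKeyPEM(alice.Public)
	fmt.Print(pemText)
}
```

Running it prints the decrypted order, a decryption error for the unrelated key, `true`/`false`/`false` for the three verification checks, and the PEM-encoded public key. The failed decryption and the two failed verifications are the properties the article's description relies on: possession of the private key, not of the widely published public key, is what unlocks the message and what makes the signature.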

However, different PKI vendors have based their certification systems on different standards so when an organisation attempts to exchange data with multiple suppliers or partners huge compatibility problems arise.

Other shortcomings in the technology have also become apparent, including issues around authenticity. The very nature of public key technology requires that individual users must keep a secret private key, the operation of which is usually protected by a simple PIN – not the most watertight security method, particularly in open-plan offices.

Technical issues aside, there are also doubts surrounding the business benefits of the technology. The complexity and cost of implementation has led many firms to keep plans for PKI on hold while other organisations, such as the National Society for the Prevention of Cruelty to Children, have chosen to protect sensitive data using traditional username and password methods. Only a small number of implementations exist to date, mostly in the financial sector. Lloyds TSB, for example, announced plans for a PKI implementation earlier this year.

A lack of ready-made implementations demonstrating a return on investment exacerbates the problem. Various industry bodies and government-led initiatives have attempted to address incompatibility issues, most notably the PKI Forum and the US Federal PKI Steering Committee, and although some progress has been made, there is still little movement in the marketplace. In fact the only movement going on right now is backwards.

Just one week after leading PKI vendor Baltimore Technologies announced job cuts, online security company Detica published yet another negative report on the Internet security market. Just 3% of FTSE 500 firms, it said, are using PKI technology.

The same report claims 71% of IT managers would consider using PKI in the future – a glimmer of hope for security vendors. Long-term forecasts are even more promising, particularly from research firm IDC, which postulates that the increasing pressure to develop B2B applications will push firms inevitably towards more stringent security methods. The PKI software market in Western Europe, it says, will almost triple by 2004.

This year should have been the year of PKI. It seemed obvious that firms with pervasive and vulnerable networks would buy into IT security – but they did not. Much of the information available on the subject of PKI is provided by the security vendors themselves, who insist that their technology is desperately needed if e-commerce is to flourish. This is questionable since it seems to be flourishing quite happily without PKI.

Plenty of Internet sites are happy to take your order without the use of PKI security. There is, however, a related premise which is hard to deny – that PKI vendors need e-commerce in order to flourish.

Eleanor Turton-Hill is a freelance journalist

KEY MOVES: SAFE IN THE KNOWLEDGE

– Leading Internet security firm Baltimore Technologies recently slashed its workforce in half following poor financial results. Radical restructuring plans were also announced including the sale of the newly acquired e-mail security firm Content Technologies. This ill-advised acquisition, combined with intense competition from other PKI vendors, contributed to the company’s poor performance.

– The Inland Revenue postponed its plans to use PKI earlier this year claiming that too many businesses are unable to handle the technology. The Revenue is currently relying on a traditional ID and password system.

– Legislation has been passed by the US Government and the European Commission which gives digital certificates the same legal status as hand-written ones. Unfortunately, the law is still hampered by problems with non-repudiation. Legally it is possible to revoke a transaction sealed by a digital certificate.

– The National Society for the Prevention of Cruelty to Children has rejected PKI technology for the protection of children’s case notes in favour of a secure website. The conventional username and password combination was preferred after the charity’s IT department deemed PKI too difficult to set up and manage for such a disparate workforce.

– A consortium of banks is trialling PKI technology for the lucrative B2B market. Project Eleanor aims to simplify high-value electronic payments between businesses.
