Should Companies Adopt PKI?

Article excerpt

Public key infrastructure (PKI), which refers to an encryption scheme, is often touted by proponents as critical to secure transmissions over the Internet. But some experts question whether it is living up to its hype.

Encryption expert Bruce Schneier, among others, questions the veracity of marketing claims being made by vendors. His concerns come on the heels of reports that PKI adoption rates are dwindling and that the buzz around PKI has had little substance.

"People think they can sprinkle magic dust on their security problems and they will go away," says Schneier on the reason the idea of commercial PKI became so popular so quickly. "Unfortunately, there's no sound bite for this. PKI is very complex, and commercial PKIs often don't do what the vendors claim they do."

PKI is based on a cryptologic system that uses a pair of keys--one private, one public--to encrypt and decrypt messages. PKIs typically consist of digital certificates, certificate authorities (CAs), and registration authorities. Digital certificates are likened to electronic passports, which are digitally signed by the user and the issuer--the certificate authority. A registration authority, which may be part of a CA, verifies the identity of the user; the CA then issues and maintains the certificate. Thus PKIs are thought to work best for authentication, network access control, and electronic commerce.

But Schneier says he's seen company after company fall prey to the hype only to find implementation an expensive and disappointing venture. Most companies, he says, were not prepared for the massive integration job required and were dissatisfied once they realized PKI could not be considered a complete security solution.

Hurwitz Group analyst Diana Kelley echoes some of Schneier's concerns, adding that there are also compatibility issues when PKIs used by different companies must interact. Although most vendors use a standard type of certificate, "there is not complete interoperability yet, which can become an issue for companies," says Kelley.

In addition, Kelley says that network performance can be affected by PKIs. For example, when employees leave the company, the corresponding certificate must be revoked, and the revoked certificate must be maintained in a database so that the former employee can never use it again. In large organizations, "these CRLs (certificate revocation lists) can get very large. …