Security Watch: The Year of Public Key Security

SAN MATEO (04/10/2000) - You can't throw a rock nowadays without hitting some pundit who has his or her own practiced rant about the necessity of security in sustaining the bull run of e-commerce. Oftentimes, that rock also hits outspoken members of the security community who have their own visions on how to build a universal paradigm for network security.

At least we agree on the components: The elegant simplicity of public key cryptography will form the core mechanism for delivering confidentiality, authentication, integrity, and nonrepudiation, whatever the outcome of this high-stakes sweepstakes. Now that much of the legal hassle that helped inhibit widespread adoption of public key technologies has largely evaporated, will the best model for using public key crypto finally emerge? In this column, we examine commentary from the past and present in an effort to predict the future of secure e-commerce.

Back in the distant past (circa 1997), Bradford Biddle published 10 questions about the necessity and nature of impending PKI (public key infrastructure) legislation (see www.acusd.edu/~biddle): Can PKI scale to the level of liability inherent in all signed transactions? What is the real import of a Certificate Practices Statement (CPS)? (See www.thawte.com/cps/contents.html for an example of a CPS.) Can an electronic entity have the same effect as a written notice? Do we really want a central, monolithic, government Certificate Authority? Many of his questions have been answered by time and the market, but some have not. Mr. Biddle, at least, seems to have stumbled on the magic number of problems with PKI, as we see next.

Respected cryptographer Bruce Schneier and Intel's Carl Ellison recently weighed in with the theory that PKI is a figment of security vendor imaginations: Because PKI vendors have a profit motive in pushing PKI, it really doesn't do anything useful. (For their views, see www.counterpane.com/pki-risks.html.) We'll leave finding the flaw in this argument to the reader.

Of course, Schneier and Ellison raise the obvious point among their 10 risks: A certificate does not adequately bind a public key to a flesh-and-blood human being. A corollary of this argument is that the vast majority of humans are too stupid to understand the implications of a private key. But what do we have today? I sign credit card receipts with handwriting that could be imitated by any 12-year-old who reads my credit card number from the carbon in the wastebasket.

So are the PKI vendors evil simply because they want to ensure that I authorized my signature? I don't think so. The real problem here is that the stool upon which our economy rests has three legs: who, what, and when. These are the components of a contract -- called a transaction in today's time-warped dot-com lingo. PKI vendors have actually offered a much better solution to one of the legs (namely "who") than what we currently have. Unfortunately, they say nothing about "what" and "when." These are the real problems Schneier and Ellison are complaining about. If I lost my private key, when did I lose it?

Can I deny every transaction I have ever made? Can the content of some transactions be verified by other means to repudiate falsified receipts?

Schneier wrote a book on cryptography; he should know the answers to these questions are readily available using well-known techniques.

The real problem not being addressed by anyone is ultimate trust. Whom do you trust? What is trusted in your e-commerce or IT environment? Can you think of anything that is truly rock solid and as predictable as the tides? Proponents of biometrics say they have an answer; perhaps that answer is too good. We also want a degree of anonymity in our online transactions. And biometrics are not impossible to spoof. Furthermore, can you trust only one entity, or will you require cross-certification by many? E-commerce goes on with the PKI that exists today, and may very well survive the millennium this way, despite all the questions and risks. What do you think? Send messages (signed or not) to security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is a managing principal at Foundstone (www.foundstone.com).
