Backbone - Global PKI mechanism a long way off
SECURITY: There is general agreement that a global method of electronic ID via Public Key Infrastructure is necessary. But, as a recent conference brought to light, it doesn't appear that will happen soon.
Although Public Key Infrastructure (PKI) technology was a hot topic at the RSA Data Security Conference in San Jose last month, the likelihood that a global PKI mechanism will emerge appears to be more remote than ever.
But many believe there should be just one global PKI effort, so that everyone could be identified by a single digital certificate issued by a universally trusted body.
Digital certificates, which are issued, managed or retracted by a Certification Authority (CA) using a PKI mechanism, are an important component of public and private key encryption schemes.
A certificate connects an individual to their public key, uniquely identifies them and enables other individuals to retrieve that key.
Customers can also use the public key to encrypt e-mail messages so that only the intended addressee can decrypt them with their private key.
Certificates likewise enable individuals to prove their identity online, for example when logging onto a corporate extranet or when buying goods over the internet, which means they are a key enabler for e-commerce.
On the downside, certificates are only as trustworthy as the CA that issued them, and no global PKI mechanism has yet emerged.
Instead, many companies are offering digital certificates over the internet, while some enterprises are building their own internal PKIs with software from Entrust, VeriSign, Netscape or a fast-growing list of other providers.
A number of CAs, such as VeriSign and Entrust, are also attempting to build global networks.
VeriSign has established the VeriSign Trust Network, a network of interoperable CAs and, at the RSA Data Security show, Entrust announced a similar scheme - Entrust Worldwide. Members commit to certain business practices and procedures so it is easier for participating CAs to cross-certify their products - which means, in practice, accepting other CAs' certificates.
There has been some progress towards creating a PKI standard, and the X.509 digital certificate specification is now almost universally accepted.
The Internet Engineering Task Force (IETF) is also working on a PKIX standard to define interoperability between PKI mechanisms, which will make it easier for CAs to cross-certify their offerings - though this still requires some level of trust between the participants.
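As an added example that is not from the article or from any of the vendors it names, the following Go program (standard library only) shows what the certificate binding described above and the cross-certification described here amount to in practice. It builds two independent CAs with constructed names CA-A and CA-B, a certificate binding the constructed user "alice" to her public key and issued by CA-B, and a cross-certificate in which CA-A signs CA-B's key; a relying party that trusts only CA-A rejects alice's certificate until that cross-certificate is available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo only: real code returns err

// issue binds cn to subKey's public key and signs the result with issuerKey; a nil issuer yields a self-signed root.
func issue(cn string, subKey *ecdsa.PrivateKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if issuer == nil { issuer = tmpl } // self-signed: the template is its own parent
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &subKey.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der))
}

// accepted reports whether a relying party trusting only roots can build a path from leaf, optionally via intermediates.
func accepted(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range intermediates { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip})
	return err == nil
}

// CrossCertDemo builds two independent CAs (constructed names CA-A and CA-B) and a certificate for "alice" issued
// by CA-B, then checks who accepts alice: a party trusting CA-B, a party trusting only CA-A, and that same
// CA-A party once CA-A has cross-certified CA-B.
func CrossCertDemo() (trustsB, trustsAOnly, trustsAWithCross bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	keyA, keyB, keyAlice := newKey(), newKey(), newKey()
	caA := issue("CA-A", keyA, nil, keyA, true)
	caB := issue("CA-B", keyB, nil, keyB, true)
	alice := issue("alice", keyAlice, caB, keyB, false)
	// Cross-certificate: CA-A signs CA-B's public key, so certificates issued by CA-B now chain to CA-A.
	crossB := issue("CA-B", keyB, caA, keyA, true)
	trustsB = accepted(alice, []*x509.Certificate{caB}, nil)
	trustsAOnly = accepted(alice, []*x509.Certificate{caA}, nil)
	trustsAWithCross = accepted(alice, []*x509.Certificate{caA}, []*x509.Certificate{crossB})
	return
}
```

The cross-certificate only moves the trust question up one level: the CA-A relying party now depends on CA-A having actually checked CA-B's practices before signing its key, which is exactly the commitment the trust-network schemes described above try to formalise.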
Establishing trust may not be so easy. "VeriSign hates Entrust, and Entrust hates VeriSign," revealed one executive with an encryption company.
But Stephen Kent, GTE CyberTrust's chief technology officer and chairman of the IETF working group defining PKIX, said: "I don't believe there will be a global PKI. I think there will be a number of PKIs."
There will be separate IDs for different occasions, in the same way as people have several different forms of ID.
As to establishing a global PKI mechanism, Kent believes two approaches are possible. One approach is to establish trust between different CAs, which is not the easiest or best solution, he said.
The other approach is to change the basis on which certificates are issued and trusted. "Real-world institutions ought to be the Certification Authorities, at least nominally," Kent argued. "I am an employee of GTE, so my certificate should be issued by GTE."
He added that corporations are best-placed to know whether their own employees are who they say they are.