With apologies to Friedrich Nietzsche. The hero of many a crypto folk tale Bob is dead, and we have killed him.
We now know that in PKI, Alice's Relying Party is almost always a machine and not a human being. The idea that two strangers would use PKI to work out whether or not to trust one another was deeply distracting and led to the complexity that in the main stymied early PKI.
All of which might be academic except the utopian idea persists that identity frameworks can and should underpin stranger-to-stranger e-business. With NSTIC for instance I fear we are sleep walking into a repeat of Big PKI, when we could be solving a simpler problem: the robust and bilateral presentation of digital identity data in established contexts, without changing the existing relationships that cover almost all serious transactional business.
The following is an extract from a past paper of mine, "Public Key Superstructure" which was presented to the NIST IDTrust Workshop in 2008. There I examine the shortfalls and pitfalls of using signed email as a digital signature archetype.
E-mail not a killer application for PKI
A total lack of real applications would explain why e-mail became by default the most talked about PKI application. Many PKI vendors to this day continue to illustrate their services and train their users with imaginary scenarios where our heroes Alice and Bob breathlessly exchange signed e-mails. Like the passport metaphor, e-mail seems easily understood, but it manifestly has not turned out to be a ‘killer application’, and worse still, has contributed to a host of misunderstandings.
The story usually goes go that Alice has received a secure e-mail from stranger Bob and wishes to work out if he is trustworthy. She double clicks on his digital signature and certificate in order to identify his CA. And now the fun begins. If Alice is not immediately trusting of the CA (presumably by reputation) then she is expected to download the CP and CPS, read them, and satisfy herself that the registration processes and security standards are adequate for her needs.
Does this sort of rigmarole have any parallel in the real world? A simple e-mail with no other context is closely equivalent to a letter or fax sent on plain white paper. Under what circumstances should we take seriously a message sent on plain paper from a stranger, even if we could track down their name?
In truth, the vast majority of serious communications occurs not between strangers but in a rich existing context, where the receiver has already been qualified in some way by the sender as likely being the right party to contact. In e-business, routine transactions are not usually conducted by e-mail but instead use special purpose software or dedicated websites with purpose built content. Thus we see most of the digital signature action in cases such as e-prescriptions, customs broking, trade documentation, company returns, patent filing and electronic conveyancing.
Several important simplifying assumptions flow from the fact that most e-business has a rich context, and these should be heeded when planning PKI:
Emphasise straight-through processing
In spite of the common worked example of Alice and Bob exchanging e-mails, the receiver of most routine transactions – such as payment instructions, tax returns, medical records, import/export declarations, or votes – is not a human but instead is a machine. The notion that a person will examine digital certificates and chase down the CA and its practices is simply false in the vast majority of cases. One of PKI’s great strengths is the way it aids straight-through processing, so it has been a great pity that vendors, through their training and marketing materials, have stressed manual over automatic processing.
Play down Relying Party Agreements
The sender and receiver of digitally signed transactions are hardly ever un-related. This is in stark contrast to orthodox legal analyses of PKI which foundered on the supposed lack of contractual privity between Relying Party and CA. For example the Australian Government’s extensive investigation into legal liability in digital certificates after 76 pages still could not reach a firm conclusion about whether a “CA may owe a duty of care to a [Relying Party] who is not known to the CA” [http://www.egov.vic.gov.au/pdfs/publication_utz1508.pdf]. The fact is, this sort of scenario is entirely academic and should never have been given the level of attention that it was. The idea of a “Relying Party Agreement” to join in contract the RP and the CA is moot in all “closed” e-business settings where PKI in thriving. It is this lesson that needs to be generalised by PKI regulators, not the hypothetical model of “open” PKI where all parties are strangers.
Play down certificate path discovery
The fact that in real life, parties are transacting in the context of some explicit scheme, means that the receiver’s software can predict the type of certificate that will most often be used by senders. For instance, when doctors are using e-prescribing software, there is not going to be a wide choice of certificate options; indeed, the appropriate scheme root keys and certificates for authenticating a whole class of doctors will likely be installed at both the sending and receiving ends, at the same time that the software is. When a doctor writes a prescription, their private key can be programmatically selected by their client and invoked to create a digital signature, according to business rules enshrined in the software design. And when such a transaction is received, the software of the pharmacist (or insurance company, government agency etc.) will similarly ‘know’ by design which classes of certificates are expected to verify the digital signature. All this logic in most transaction systems can be settled at design time, which can greatly simplify the task of certificate path discovery, or eliminate it altogether. In most systems it is straightforward for the sender’s software to attach the whole certificate chain to the digital signature, safe in the knowledge that the receiver’s software will be configured with the necessary trust anchors (i.e. Root CA certificates) with which to parse the chain.
How do we make best sense of the bewildering array of authenticators on the market? Most people are familiar with single factor versus two factor, but this simple dichotomy doesn’t help match technologies to applications. The reality is more complex. A family tree like the one sketched here may help navigate the complexity.
Different distinctions define various branch points. The first split is between what I call Transient authentication (i.e. access control) which tells if a user is allowed to get at a resource or not, and Persistent authentication, which lets a user leave a lasting mark (i.e. signature) on what they do, such as binding electronic transactions.
Working our way up the Transient branch, we see that most access controls are based either on shared secrets or biometrics. Dynamic shared secrets change with every session, either in a series of one time passwords or via challenge-response.
On the biometric branch, we should distinguish those traits that can be left behind inadvertently in the environment and are more readily stolen. The safer biometrics are “clean” and leave no residue. Note that while the voice might be recorded without the speaker’s knowledge, I don't see it as a residual biometric in practice because voice recognition solutions usually use dynamic phrases that resist replay.
For persistent authentication, the only practical option today is PKI and digital signatures, technology which is available in an increasingly wide range of forms. Embedded certificates are commonplace in smartcards, cell phones, and other devices.
The folliage in the family tree indicates which technologies I believe will continue to thrive, and which seem more likely to be dead-ends.
I'd appreciate feedback. Is this useful? Does anyone know of other taxonomies?
PKI has a reputation for terrible complexity, but it is actually simpler than many mature domestic technologies.
It's interesting to ponder why PKI got to be (or look) so complicated. There have been at least two reasons. First, the word is frequently taken to mean the original overblown "Big PKI" general purpose identification schemes, with their generic and context-free passport grade ID checks, horrid user agreements and fine print. Yet there are alternative ways to deploy public key technology in closed authentication schemes, and indeed that is where it thrives; see http://lockstep.com.au/library/pki. Second, there is all that gory technical detail foisted on lay people in the infamous "PKI 101" sessions. Typical explanations start with a tutorial on asymmetric cryptography even before they tell you what PKI is for. ]
I've long wondered what it is about PKI that leads its advocates to train people into the ground. Forty-odd years ago when introducing the newfangled mag stripe banking card, I bet the sales reps didn't feel the need to explain electromagnetism and ferric oxide chemistry.
This line of thought leads to fresh models for 'domesticating' PKI by embedding it in plastic cards. By re-framing PKI keys and certificates as being means to an end and not ends in themselves, we can also:
― identify dramatically improved supply chains to deliver PKI's benefits
― re-cast the traditionally difficult business model for CAs, and
― demystify how PKI can support a plurality of IDs and apps.
Consider the layered complexity of the conventional plastic card, and the way the layers correspond to steps in the supply chain. At its most basic level, the card is based on solid state physics and Maxwell's Equations for electromagnetism. These govern the properties of ferric oxide crystals, which are manufactured as powders and coated onto bulk tape by chemical companies like BASF and 3M. The tape is applied to blank cards, which are distributed to different schemes for personalisation. Usually the cards are pre-printed in bulk with artwork and physical security features specific to the scheme. In general, personalisation in each scheme starts with user registration. Data is written to the mag stripe according to one of a handful of coding standards which differ a little bwteen banks, airlines and other niches. The card is printed or embossed, and distributed.
The variety of distinct schemes using magnetic stripe cards is almost limitless: bank cards, credit cards, government entitlements, health insurance, clubs, loyalty cards, gift cards, driver licences, employee ID, universities, professional associations etc etc. They all use the same ferromagnetic components delivered through a global supply chain, which at the lower layers is very specialised and delivered by only a handful of companies.
And needless to say, hardly anyone needs to know Maxwell's Equations to make sense of a mag stripe card.
The smartcard supply chain is very similar. The only technical difference is the core technology used to encode the user information. The theoretical foundations are cryptography instead of electromagnetism, and instead of bulk ferric oxide powders and tapes, specialist semiconductor companies fabricate the ICs and preload them with firmware. From that point on, the smartcard and mag stripe card supply chains overlap. In fact the end user in most cases can't tell the difference between the different generations of card technologies.
Smartcards (and their kin: SIMs, USB keys and smartphones) are the natural medium for deploying PKI technology.
Re-framing PKI deployment like this ...
― decouples PK technology from the application and scheme layers, and tames the technical complexity; it shows where to draw the line in "PKI 101" training
― provides a model for transitioning from conventional "id" technology to PKI with minimum disruption of current business processes and supplier arrangements
― shows that it's perfectly natural for PKI to be implemented in closed communities of interest (schemes) and takes us away from the unhelpful orthodox Big PKI model
― suggests new "wholesale" business models for CAs; historically CAs found it difficult to sell certificates direct, but a clearly superior model is to provide certificates into the initialisation step
― demonstrates how easy to use PKI should be; that is, exactly as easy to use as the mag stripe card.
I once discussed this sort of bulk supply chain model at a conference in Tokyo. Someone in the audience asked me how many CAs I thought were needed worldwide. I said maybe three or four, and was greeted with incredulous laughter. But seriously, if certificates are reduced to digitally signed objects that bind a parcel of cardholder information to a key associated with a chip, why shouldn't certificates be manufactured by a fully automatic CA service on an outsourced managed service basis? It's no different from security printing, another specialised industry with the utmost "trust" requirements but none of the weird mystique that has bedevilled PKI.
What do you call it when a metaphor or analogy outgrows the word it is based on, thus co-opting that word to mean something quite new? Metaphors are meant to clarify complex concepts by letting people think of them in simpler terms. But if the detailed meaning is actually different, then the metaphor becomes misleading and dangerous.
I'm thinking of the idea of the electronic passport. Ever since the early days of Big PKI, there's been the beguiling idea of an electronic passport that will let the holder into all manner of online services and enable total strangers to "trust" one another online. Later Microsoft of course even named their digital identity service "Passport", and the word is still commonplace in discussing all manner of authentication solutions.
The idea is that the passport allows you to go wherever you like.
Yet there is no such thing.
A real world passport doesn't let you into any old country. It's not always sufficient; you often need a visa. You can't stay as long as you like in a foreign place. Some countries won't let you in at all if you carry the passport of an unfriendly nation. You need to complete a landing card and customs declarations specific to your particular journey. And finally, when you've got to the end of the arrivals queue, you are still at the mercy of an immigration officer who has the discretion to turn you away. As with all business, there is so much more going on here than personal identity.
So in the sense of the meaning important to the electronic passport metaphor, the "real" passport doesn't actually exist!
The simplistic notion of electronic passport is really deeply unhelpful. The dream and promise of general purpose digital certificates is what derailed PKI, for they're unwieldy, involve unprecedented mechanisms for conferring open-ended "trust", and are rarely useful on their own (ironically that's also a property of real passports). Think of the time and money wasted chasing the electronic passport when all along PKI technology was better suited to closed transactions. What matters in most transactions is not personal identity but rather, credentials specific to the business context. There never has been a single general purpose identity credential.
And now with "open" federated identity frameworks, we're sleep-walking into the same intractable problems, all because people have been seduced by a metaphor based on something that doesn't exist.
The well initiated understand that the Laws of Identity, OIX, NSTIC and the like involve a plurality of identities, and multiple attributes tuned to different contexts. Yet NSTIC in particular is still confused by many with a single new ID, a misunderstanding aided and abetted by NSTIC's promoters using terms like "interoperable" without care, and by casually 'imagining' that a student in future will log in to their bank using their student card .