PKI without tears
A critical analysis of orthodox PKI, including a detailed outline of how a health PKI could be implemented
Traditional Public Key Infrastructure (PKI) is unnecessarily complicated. Largely as a result of early misconceptions that we needed an all-purpose digital passport to do business on the Internet, traditional PKI has become overloaded with invasive personal identity checks and complex legal arrangements. To try to support stranger-to-stranger transactions, user agreements for general purpose certificates have required people to read and understand huge and forbidding Certification Practice Statements. And yet the business benefits of going to all this trouble remain controversial.
There are new PKI models where the cryptography is embedded deeply into smartcards, to much the same extent that complex ferromagnetic technology is built into all the other plastic cards we take for granted. Application software can be engineered so that all digital certificate functions are automated; smartcards can be issued to professionals and business people under existing terms and conditions which reflect the users' standing. The user experience then becomes the same as with any conventional access card.
This paper, written for the American Bar Association's eBlast journal in 2003, presents a fresh look at the business drivers and true benefits of digital signatures, and shows how to deliver better usability, zero registration overhead, reduced training costs, simpler liability arrangements, and streamlined accreditation.