For many years, Lockstep founder Stephen Wilson has published provocative, innovative and penetrating analyses of PKI, its historical problems, and practical ways to better deploy this unique technology.
Several of our "Babysteps" examine PKI; see the following:
- No. 8: A critical look at Bridge CAs argues that BCAs might not be ideal in non-government environments, because they aim at establishing the equivalence of certificates.
- No. 5: PKI interoperability unpacks how digital certificates can help with the act of authentication and shows it really isn't complicated.
- No. 4: Exposing some PKI myths acknowledges the grains of truth behind many of today's misconceptions, and unpacks the real issues.
- No. 1: PKI in health & welfare sets out PKI's unique ability to secure paperless transactions in the complex, high risk, long lived and multi-party applications characteristic of the health & welfare sector.
A major peer reviewed paper presented at the NIST's 7th Symposium on Identity and Trust on the Internet, March 2008. This work draws together most of Stephen's deep thinking on PKI from over a decade's work, canvassing the reasons for PKI's historical difficulties, popular misconceptions, and ways to break the unhelpful nexus betwen Big PKI and centralised ID systems.
Around 2006, Lockstep worked with Medicare Australia's Health eSignature Authority on a world's first digital credential project.
A paper presented to the academic stream of the AusCERT 2005 conference about using anonymous digital certificates to securely convey health identifiers.
An international update published in "China Communications" Dec 2005
A modified form of identity' certificate for conveying credentials, based on work commissioned by the Australian Government Information Management Office.
A simple new conceptual model to describe the role of backend CAs, likening them to secure printing bureaus, and thus decoupling CAs from business relationships between PKI end users.
Developed for the Australian IT Security Forum for input into the National Authentication Framework deliberations in 2003.
Prepared for the Australian IT Security Forum, November 2003. "Our vision has been developed through extensive dialogue with users and with government. The position is deeply informed by practical experience of some of the world's largest and most effective PKI rollouts. We present here the major implications of this experience for systems integration, PKI regulation and cross border interoperability."
This breakthrough paper from 2000 articulated in detail an interoperable PKI where the fitness for purpose and standards-conformance of certificates were evidenced by digital audit certificates. The audit of CAs would be overseen by an ISO 17025 accreditation framework, scalable to build an international PKI under the auspices of existing accreditation bodies.
Published in April 1999 in Privacy Law and Policy Reporter, this paper perhaps for the first time described how digital certificates could represent credentials, memberships and business relationships, instead of personal identity.
A critical analysis of orthodox PKI, including a detailed outline of how a health PKI could be implemented
Appeared in the international Secure Computing Magazine. It argues against one-size-fits-all "identity" certificates, because in business, we do not entertain stranger-to-stranger transactions. The paper also includes a useful taxonomy of electronic signature regulations.
A light touch, standards-based framework for cross-recognition of Certification Authorities that have been externally accredited, thus allowing certificates from one jurisdiction to be used in another. Paper presented to the Attorney Generals Privacy and Security conference, Melbourne, August 2001.
A pioneering paper delivered in 2001 to the Information Security Solutions Europe Conference, London, outlining an international PKI framework.
A Special Report, for the American Bar Association Bulletin of Law/Science & Technology, No. 117, June 2001
A critical review of "Attribute Certificates" and the problems associated with using them to convey special rights and credentials. First appeared in the Quarterly Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence Issue 3, 2000. Reproduced with persmission.
Discussion paper written for the Australian delegation to the APEC TEL 23 Meeting, Canberra, 2001.
I wrote this paper for my SANS Institute GSEC Certification in 2002. It analyses the general risks associated with safekeeping of end users' private keys in a PKI (and includes some reflections on the idea of "non repudiation").