Rethinking PKI - the electronic business card
Appeared in the international Secure Computing Magazine. It argues against one-size-fits-all "identity" certificates because, in business, we do not entertain stranger-to-stranger transactions. The paper also includes a useful taxonomy of electronic signature regulations.

Article featured in SC Magazine, June 2003
"In their earliest conceptions, digital certificates were proposed to authenticate unstructured transactions between parties who had never met. Certificates were seen as the sole means for people to authenticate one another. Most traditional PKI was formulated with no other context that might help its receiver decide whether or not to accept transactions. The digital certificate was envisaged to be your all-purpose digital identity.
"Orthodox PKI has come in for spirited criticism. Some find the traditional proof of identity to be intrusive. The one-size-fits-all electronic passport has certainly failed to take off. But PKI's critics sometimes throw the baby out with the bathwater.
"In the absence of any specific context for its application, orthodox PKI emphasizes proof of personal identity. Early certificate registration schemes co-opted general purpose identification conventions like that of the passport. Yet few, if any, traditional business transactions require parties to have sight of one another's passports or other personal documents.
"Instead, in business we deal with others routinely on the basis of their affiliations, agency relationships, professional credentials and so on. The requirement for orthodox PKI users to submit to strenuous personal identity checks is a major obstacle in the adoption of digital certificates."