Simpler PKI is on the cards

PKI has a reputation for terrible complexity, but it is actually simpler than many mature domestic technologies.

It’s interesting to ponder why PKI got to be (or look) so complicated. There have been at least two reasons. First, the word is frequently taken to mean the original overblown “Big PKI” general purpose identification schemes, with their generic and context-free passport grade ID checks, horrid user agreements and fine print. Yet there are alternative ways to deploy public key technology in closed authentication schemes, and indeed that is where it thrives; see https://lockstep.com.au/library/pki. Second, there is all that gory technical detail foisted on lay people in the infamous “PKI 101” sessions. Typical explanations start with a tutorial on asymmetric cryptography even before they tell you what PKI is for. ]

I’ve long wondered what it is about PKI that leads its advocates to train people into the ground. Forty-odd years ago when introducing the newfangled mag stripe banking card, I bet the sales reps didn’t feel the need to explain electromagnetism and ferric oxide chemistry.

This line of thought leads to fresh models for ‘domesticating’ PKI by embedding it in plastic cards. By re-framing PKI keys and certificates as being means to an end and not ends in themselves, we can also:

  • identify dramatically improved supply chains to deliver PKI’s benefits
  • re-cast the traditionally difficult business model for CAs, and
  • demystify how PKI can support a plurality of IDs and apps.

Consider the layered complexity of the conventional plastic card, and the way the layers correspond to steps in the supply chain. At its most basic level, the card is based on solid state physics and Maxwell’s Equations for electromagnetism. These govern the properties of ferric oxide crystals, which are manufactured as powders and coated onto bulk tape by chemical companies like BASF and 3M. The tape is applied to blank cards, which are distributed to different schemes for personalisation. Usually the cards are pre-printed in bulk with artwork and physical security features specific to the scheme. In general, personalisation in each scheme starts with user registration. Data is written to the mag stripe according to one of a handful of coding standards which differ a little bwteen banks, airlines and other niches. The card is printed or embossed, and distributed.

The variety of distinct schemes using magnetic stripe cards is almost limitless: bank cards, credit cards, government entitlements, health insurance, clubs, loyalty cards, gift cards, driver licences, employee ID, universities, professional associations etc etc. They all use the same ferromagnetic components delivered through a global supply chain, which at the lower layers is very specialised and delivered by only a handful of companies.

And needless to say, hardly anyone needs to know Maxwell’s Equations to make sense of a mag stripe card.

The smartcard supply chain is very similar. The only technical difference is the core technology used to encode the user information. The theoretical foundations are cryptography instead of electromagnetism, and instead of bulk ferric oxide powders and tapes, specialist semiconductor companies fabricate the ICs and preload them with firmware. From that point on, the smartcard and mag stripe card supply chains overlap. In fact the end user in most cases can’t tell the difference between the different generations of card technologies.

Smartcards (and their kin: SIMs, USB keys and smartphones) are the natural medium for deploying PKI technology.

Re-framing PKI deployment like this …

  • decouples PK technology from the application and scheme layers, and tames the technical complexity; it shows where to draw the line in “PKI 101” training
  • provides a model for transitioning from conventional “id” technology to PKI with minimum disruption of current business processes and supplier arrangements
  • shows that it’s perfectly natural for PKI to be implemented in closed communities of interest (schemes) and takes us away from the unhelpful orthodox Big PKI model
  • suggests new “wholesale” business models for CAs; historically CAs found it difficult to sell certificates direct, but a clearly superior model is to provide certificates into the initialisation step
  • demonstrates how easy to use PKI should be; that is, exactly as easy to use as the mag stripe card.

I once discussed this sort of bulk supply chain model at a conference in Tokyo. Someone in the audience asked me how many CAs I thought were needed worldwide. I said maybe three or four, and was greeted with incredulous laughter. But seriously, if certificates are reduced to digitally signed objects that bind a parcel of cardholder information to a key associated with a chip, why shouldn’t certificates be manufactured by a fully automatic CA service on an outsourced managed service basis? It’s no different from security printing, another specialised industry with the utmost “trust” requirements but none of the weird mystique that has bedevilled PKI.