Why is it so hard to make global public key infrastructure (PKI) work? Not only does Wilson excellently question the misleading assumptions pertaining to the apparent failure of universal open PKI, but he also lucidly presents a viable evolution path of closed PKI schemes toward purpose-oriented international PKI “superstructures.”
Starting with the question of how PKI became so difficult, the paper correctly identifies the “passport” metaphor, that is, the idea that an X.509 certificate represents a globally unique identity, as the most likely culprit. Based on this supposition, PKI proponents have needlessly complicated the technical, procedural, and legal ramifications of the typical scenario of one stranger doing business, over the Internet, with another complete stranger.
However, most, if not all, business is conducted in a rich context, with decidedly less stringent requirements for identity vetting, and with multiple identities permitted for different purposes. The success of closed PKI schemes demonstrates this. With this in mind, the paper argues for reframing digital certificates as “relationship certificates,” which no longer represent a unique identity but merely membership in a certain community. The purpose of these relationship certificates, then, is to aid straight-through processing within the context of that community; examples are doctors filling prescriptions and listed companies submitting official information to the stock exchange. This is supplemented by a separation of certification agency and registration agency, the latter being simply enacted by the respective administration of the community in question, which could result in a wholesale production of (registration) certificates, further fueling this “PKI superstructure.” In this vein, “cross certification” and “certificate interoperability” are reinterpreted as signifying membership in a particular PKI scheme, and trusting the auditors that have established such a membership.
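The closed-scheme model the review describes, a certificate that asserts community membership rather than global identity, can be made concrete with Go's standard `crypto/x509` package. The following is an added example written for this review, not code from Wilson's paper: two hypothetical communities ("Prescribers" and "Listed Companies") each run their own CA, the community administration issues member certificates as registration authority, and a relying party's check asks only "does this certificate chain to the community I am dealing with?". The same common name may appear in both communities without conflict, and cross certification is modelled as one community explicitly choosing to trust the other's root. All names, keys and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Community is a closed PKI scheme: its administration holds the CA key
// (acting as registration authority for its own members) and relying
// parties inside the community trust only this root. Hypothetical type.
type Community struct {
	Name string
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// randomSerial returns a fresh 64-bit serial number for a certificate.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// NewCommunity creates a self-signed CA for one community (constructed data).
func NewCommunity(name string) (*Community, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name + " Community CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Community{Name: name, Cert: cert, key: key, pool: pool}, nil
}

// IssueMember is the registration step: the community administration vouches
// that memberName is a member. The subject need not be globally unique; it
// only has to be meaningful inside this community.
func (c *Community) IssueMember(memberName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: memberName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsMember is the relying party's whole question: does the certificate chain
// to a root this community trusts? No global identity is asserted or needed.
func (c *Community) IsMember(cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     c.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// CrossCertify models "cross certification" as a deliberate trust decision:
// this community's relying parties will now also accept the other scheme's
// members, because they trust the audit that established that scheme.
func (c *Community) CrossCertify(other *Community) {
	c.pool.AddCert(other.Cert)
}

func main() {
	doctors, _ := NewCommunity("Prescribers")
	listed, _ := NewCommunity("Listed Companies")
	drCert, _ := doctors.IssueMember("Alice Example")  // same name in both,
	coCert, _ := listed.IssueMember("Alice Example")   // no conflict
	fmt.Println("doctor accepted by prescribers:", doctors.IsMember(drCert))
	fmt.Println("company accepted by prescribers:", doctors.IsMember(coCert))
	doctors.CrossCertify(listed)
	fmt.Println("after cross certification:", doctors.IsMember(coCert))
}
```

The point to notice is that `IsMember` never inspects the subject name: membership is the property that the issuing community, not the holder's identity, is known and trusted, which is exactly the shift from "passport" to "relationship certificate" that the review summarizes.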
The ideas of the paper are easily accessible even to nonspecialists due to an excellent and thorough introduction to PKI, coupled with a lively, entertaining writing style that always remains technically accurate.