Finessing PKI

PKI (public key infrastructure) is a ball and chain that drags down our security efforts, all of which depend on the ability to manage identity and trust. Last week I attended a conference on digital identity, and I came away with some new perspectives on PKI.

For years, I've been frustrated by the abject failure of client-side certificates. I have one, and I use it every day to sign my e-mail messages, but no Web sites authenticate me based on attributes of my cert, nobody encrypts e-mail to me using the public key bound to every e-mail message I send, no smartcard system has appeared (at least in the United States) to help me manage my crypto keys conveniently and portably. "It's just a matter of time," I keep telling myself, "but sooner or later, the dam must break."

What if it doesn't? When you're trying to push a rock up a hill, and getting nowhere, sometimes you have to ask whether you're pushing the wrong rock, or climbing the wrong hill.

There is, admittedly, still some reason to think that today's card issuers -- governments, banks -- may yet become tomorrow's identity providers. Phil Windley, CIO of the state of Utah, thinks so. "Like it or not, we are in the identity business," he said at the conference. In the United States, the driver's license is the gold standard. Phil told me that he thinks it will eventually morph into a general-purpose smartcard ID which, to avoid the stigma of a national ID, will retain a state affiliation, but in practice will federate.

Several other presenters at the conference thought that banks are the more likely source of digital IDs. Either way, the notion is that deployment of digital IDs, by way of these card-issuing entities, will create an identity platform that developers of other kinds of applications can build on.

Maybe that will happen, but it's pure speculation for now. Meanwhile, it's getting harder to ignore the flurry of Web SSO (single sign-on) schemes and the emerging consensus around SAML (Security Assertions Markup Language). Passport is leaning in that direction, and at the conference, Craig Mundie announced that Microsoft will expand its shared source licensing program to facilitate integration with Passport. The SSO scheme proposed by the Liberty Alliance uses SAML to federate identity. So does Shibboleth -- http://middleware.internet2.edu/shibboleth -- which is part of the Internet2 Middleware Initiative and has traction in higher-ed circles.

All these systems are agnostic about the method of authentication. The credential can be a name and password, a digital ID, or biometric evidence. If you let go of the idea that a digital ID is a necessary means of authentication, you can think about targeted and strategic deployment of PKI. Another speaker at the conference was Jamie Lewis, CEO of the Burton Group and a leading analyst of enterprise directory services. He suggests an interesting evolutionary path. PKI-based trust relationships might, in the near term, be most practical among institutions rather than individuals. Rather than issue certificates to every employee, for example, a company might certify itself and then sign SAML assertions on behalf of its employees who might still authenticate by name/password.

As confusing as the XML Web services stack may often appear, Jamie points out that it is modular, layered, and thus poised for organic growth -- unlike the disastrous monolith of X.500. Good point! Identity management will, let's hope, resolve into a set of interoperable services. Asking PKI to be both an identity provider and a trust management service is almost surely asking too much. Maybe if it can take smaller bites it won't choke.