Early public key infrastructure projects failed because they were too complex. But Stephen Wilson argues that PKI is ideal for managing closed communities.
Since the mid 1990s we have seen major changes in how public key infrastructure (PKI) is applied.
In their earliest conceptions, digital certificates were proposed to authenticate nondescript transactions between parties who had never met. Certificates were construed as the sole means for people to authenticate one another. Most traditional PKI was formulated with no other context, simply as an electronic transaction that might help its receiver decide whether or not to accept it. The digital certificate was envisaged to be your all-purpose digital identity.
Orthodox PKI has come in for spirited criticism. Many commentators have pointed to a stark paradox: online transaction volumes and values are increasing rapidly, in almost all cases without the help of PKI.
Some find the traditional proof of identity to be intrusive, others have lampooned the idea of forming new internet contracts in reliance on digital signatures. The one-size-fits-all electronic passport has certainly failed to take off. But PKI's critics sometimes throw the baby out with the bathwater.
In the absence of any specific context for its application, orthodox PKI emphasizes proof of personal identity. Early certificate registration schemes co-opted familiar and intuitive identification conventions like that of the passport. Yet few, if any, traditional business transactions require parties to have sight of one another's passports or other personal documents.
Instead in business we deal with others routinely on the basis of their affiliations, agency relationships, professional credentials and so on. The requirement for orthodox PKI users to submit to strenuous personal identity checks over and above their established business credentials is a major obstacle in the adoption of digital certificates.
Another impediment to adoption has been the legal complexity and novelty traditionally associated with PKI. The legal position of conventional PKI remains ambiguous in most technology-neutral jurisdictions, like the U.S., Australia and much of Europe. For example, the Australian Government advises PKI users that the legal relationships between subscriber and relying party, and between the relying party and the certificate authority (CA), are "unclear in Australian law." This position is the outcome of legal studies commissioned by the National Electronic Authentication Council (NEAC), which were inconclusive regarding liability in a general-purpose PKI.
These were sound, well researched reports, yet their terms of reference had digital certificates as the sole means of authentication, with no prior relationship assumed to exist between any of the parties, and no other context to their transactions. It is not surprising that liability was difficult to pin down under such artificial circumstances.
It turns out that the 'killer applications' for PKI overwhelmingly involve transactions with narrow contexts, predicated on specific credentials. The parties might not know each other personally, but invariably they recognize and anticipate each other's qualifications, as befitting their business relationship.
As we shall see, contemporary usage of PKI is characterized by closed communities of interest, prior out-of-band registration of members, and in many cases, special-purpose application software featuring additional layers of security and access controls.
So digital certificates are much more useful when implemented as application-specific 'electronic business cards,' than as one-size-fits-all electronic passports. And, by taking account of the special conditions that apply to different e-business processes, we have the opportunity to greatly simplify the registration processes, user experience and liability arrangements that go with PKI.
The real benefits of digital signatures
There is a range of potential advantages in using PKI, including its cryptographic strength and resistance to identity theft (when implemented with private keys in hardware). Many of its benefits are shared with other technologies, but at least two are unique to PKI.
First, digital signatures provide robust evidence of the origin and integrity of electronic transactions, persistent over time and over 'distance.' This greatly simplifies audit logging, evidence collection and dispute resolution, and cuts the future cost of investigation and fraud.
If a digitally signed document is archived and checked at a later date, the quality of the signature remains undiminished over many years, even if the public key certificate has long since expired.
And, if a digitally signed message is passed from one relying party to another and on to many more, passing through all manner of intermediate systems, everyone still receives an identical, verifiable signature code authenticating the original message.
Electronic evidence of the origin and integrity of a message can, of course, be provided by means other than a digital signature. For example, the authenticity of typical e-business transactions can usually be demonstrated after the fact via audit logs, which indicate how a given message was created and how it moved from one machine to another.
However, the quality of audit logs is highly variable and it is costly to produce legally robust evidence from them. Audit logs are not always properly archived from every machine, they do not always directly evince data integrity, they are not always readily available months or years after the event. They are rarely secure in themselves, and they usually need specialists to interpret and verify them.
Digital signatures on the other hand make it vastly simpler to rewind transactions. As online fraud steadily rises, electronic service providers are looking to PKI to cut the cost of investigation, forensics and dispute resolution.
Secondly, digital signatures and certificates are machine readable, allowing the credentials or affiliations of the sender to be bound to the message and verified automatically on receipt, enabling totally paperless transacting. This is an important but often overlooked benefit of digital signatures.
When processing a digital certificate chain, relying party software can automatically tell that the message has not been altered since it was originally created; that the sender was authorized to launch the transaction, by virtue of credentials or other properties endorsed by a recognized CA; that the sender's credentials were valid at the time they sent the message; and that the authority which signed the certificate was fit to do so.
One reason we can overlook machine readability is that we have probably come to expect person-to-person email to be the archetypal PKI application, thanks to email being the classic example to illustrate PKI in action.
There is an implicit suggestion in most PKI marketing and training that, in regular use, we should manually click on a digital signature icon, examine the certificate, check which CA issued it, read the policy qualifier, and so on. Yet the overwhelming experience of PKI in practice is that it suits special purpose and highly automated applications, where the usual receiver of signed transactions is in fact a computer.
Characterizing good applications
Reviewing the basic benefits of digital signatures allows us to characterize the types of e-business applications that merit investment in PKI.
Applications for which digital signatures are a good fit tend to have reasonably high transaction volumes, fully automatic processing or straight-through processing, and multiple recipients or multiple intermediaries between sender and receiver.
In addition, there may be significant risk of dispute or legal ramifications, necessitating high quality evidence to be retained over long periods of time. The boxout below lists some of the good applications for PKI suggested by this analysis.
This fresh view of the technology helps to explain why many first-generation applications of PKI were problematic. Retail internet banking is a well-known example of e-business which so far has flourished without the need for digital certificates. A few banks did try to implement certificates, but generally found them difficult to use. Most later reverted to more conventional access control and backend security mechanisms.
Yet with hindsight, retail funds transfer transactions did not have an urgent need for PKI, since they could make use of existing backend payment systems. Funds transfer is characterized by tightly closed arrangements, a single relying party, built-in limits on the size of each transaction, and near real-time settlement. A threat and risk assessment would show that access to internet banking can rest on simple password authentication, in exactly the same way as antecedent phone banking schemes.
Trading complexity for applicability
As discussed, orthodox PKI has been formulated with the tacit assumption that there is no specific context for the transaction, so the digital certificate is the sole means for authenticating the sender. Consequently, the traditional schemes emphasize high standards of personal identity, exhaustive contracts and unusual legal devices like Relying Party Agreements. They can also resort to arbitrary 'reliance limits,' which have little meaning for most of the applications listed on the previous page. Notoriously, traditional PKI requires users to read and understand certification practice statements (CPS).
All this overhead stems from not knowing what the general-purpose digital certificate is going to be used for. On the other hand, if particular digital certificates are constrained to defined applications, then the complexity surrounding their specific usage can be radically reduced.
Credit where it's due
Consider the American Express Blue credit card, a new PKI-enabled smartcard. When you sign up for an Amex Blue card, you agree to regular credit card terms and conditions; that is, you undertake to not reveal your PIN to others, not to let anyone else use your card, to promptly report its loss, and so on. You are not required to read a CPS, nor take steps to safeguard your private key as such. The Amex Blue card's underlying PKI imposes no additional burden on cardholders whatsoever.
The trade-off for this dramatic simplification is that the Amex Blue digital certificate is tightly constrained in its application. For instance, it cannot be used to sign or encrypt generic emails, nor to authenticate the client in generic SSL connections. It is likely that in future, only software applications approved by American Express will be able to access the PKI functions embedded in the Blue card.
From this experience we can draw a more powerful meaning for digital certificates. Rather than making representations about someone's personal identity, a certificate can stand for the holder's membership of some defined community, such as a group of credit card holders, registered medical practitioners, chartered accountants, the board of directors of a company, and so on. Each community will have an associated class of e-business applications, with terms and conditions to match.
The role of PKI in all contemporary 'killer applications' is fundamentally to help automate the online processing of electronic transactions between parties with well-defined credentials. This is in stark contrast to the way PKI has historically been portrayed, where strangers Alice and Bob use their digital certificates to authenticate context-free general messages, often presumed to be sent by email. In reality, serious business messages are never sent stranger-to-stranger with no context or cues as to the parties' legitimacy.
Using generic email is like sending a fax on plain paper. Instead, business messaging is usually highly structured. Parties have an expectation that only certain types of transactions are going to occur between them and they equip themselves accordingly (for instance, a health insurance office is not set up to handle tax returns).
The sender is authorized to act in defined types of transactions by virtue of professional credentials, a relevant license, an affiliation with some authority, endorsement by their employer, and so on. And the receiver recognizes the source of those credentials.
The sender and receiver typically use prescribed forms and/or special purpose application software with associated user agreements and license conditions, adding context and additional layers of security around the transaction.
When PKI is used to help automate the online processing of transactions between parties in the context of an existing business relationship, we should expect the legal arrangements between the parties to still apply. For business applications where digital certificates are used to identify users in specific contexts, the question of legal liability should be vastly simpler than it is in the general purpose PKI scenario where the issuer does not know what the certificates might be used for.
The new vision for PKI means the technology and processes should be no more of a burden on the user than any regular plastic access card. Rather than imagine that all public key certificates are like electronic passports, we can start deploying multiple, special purpose certificates, and treat them more like electronic business cards. A public key certificate issued on behalf of a community of business users and constrained to that community can thereby stand for any type of professional credential or affiliation.
We can now automate and embed the complex cryptography deeply into smartcards, so that all terms and conditions for use are application focused.
As far as users are concerned, a smartcard can be deployed in exactly the same way as any magnetic stripe card, without any need to refer to - or be limited by - the complex technology contained within. This approach increases usability, eliminates the onus on users to read and understand any CP/CPS, cuts the training burden, and allows legal liabilities for the use of the card to be determined under existing arrangements. Any application-specific smartcard can be issued under rules and controls that are fit for their purpose, as determined by the community of users or an appropriate recognized authority.
Regulators could then allow communities more discretion to determine thwir own evidence-of-identity requirements for issuing cards, instead of externally imposing personal identity checks. Deregulating membership rules would dramatically cut the overheads traditionally associated with the process of certificate registration.
Finally, if we constrain the use of certificates to particular applications then we can factor the intended usage into PKI accreditation processes. Accreditation could then allow for particular PKI scheme rules to govern liability.
By 'black-boxing' each community's rules and arrangements, and empowering the community to implement processes that are fit for its purpose, the legal aspects of accreditation can be simplified, reducing one of the more significant cost components of the whole PKI exercise.
Stephen Wilson is director, identity management, for SecureNet (www.securenet.com.au).
The taxonomy of electronic signature legislation
There are three different types of electronic signature legislation worldwide, offering different degrees of legal certainty with respect to security technology, and fundamental trade-offs with respect to freedom of choice.
'Good' PKI applications
Comparing orthodox and contemporary PKI models
While orthodox PKI has proven difficult to implement, many of its elements can be preserved in a more flexible management model. In particular, most of today's standards (like X.509 and RFC 2527), commercial registration authority/certification authority products, and backend CA services can be re-applied with little or no change.
To illustrate, the diagrams above compare and contrast the traditional PKI model, where general-purpose identity certificates are supplied over the counter. With the more contemporary model, certificates are embedded into applications and managed as part of a broader scheme.
Figure 1 shows it was traditionally assumed that each user would apply in person to a registration authority for their general-purpose certificate, supplying passport-strength evidence of identity and signing a subscriber agreement.
The archetypal certificate application is person-to-person email, where receiver Alice is expected to examine the certificate of stranger Bob, and satisfy herself as to Bob's veracity. The scope of PKI accreditation or licensing typically encompasses just the RA and CA; in particular, it usually ignores specific applications for the certificates or controls that govern them.
When certificates are embedded in smartcards, the PKI can look like Figure 2. In this case, user Bob is a member of a community of interest and subject to its membership provisions and scheme rules. As a current member, Bob can be sent a smartcard from the scheme administrator. Such smartcards are produced in the same way as in conventional PKI, by a backend CA and smartcard bureau.
Depending on the scheme, it might be a purchasing card, a business license or a professional membership token. In each case, Bob uses his card to access associated software, unaware of the embedded digital certificate and underlying PKI.
Functions include health care transactions, received and processed by machine. The scope of PKI accreditation or licensing should encompass not only the RA and CA, but also the intended use of the smartcard.