PKI and SSL: house of cards?

Richard Forno, chief security officer for ShadowLogic, takes a dim view of the PKI industry. "Digital trust is a slick marketing tool put out by the PKI industry. DoD wants smartcards with certs by 2004. What's the value of that? I don't know. They don't know."

After contributing to an article on these issues, he thought more about the implications of the MS/VeriSign cert compromise:

On March 22, 2001, Microsoft issued a Security Bulletin (MS01-017) alerting the Internet community that two digital certificates were issued in Microsoft's name by VeriSign (the largest Digital Certificate company) to an individual -- an impostor -- not associated with Microsoft. Instantaneously, VeriSign (a self-proclaimed "Internet Trust Company") and the entire concept of Public Key Infrastructure (PKI) and digital certificates -- an industry and service based on implicit trust -- became the focus of an incident seriously undermining its level of trustworthiness. This incident also challenges the overall value of digital certificates.

Forno agrees with Schneier: If you don't address processes and people, you have no security. For example, a notary only verifies the signature on a document, not its contents. So the real-world trust people invest in a notarized document is unreliable. Garbage in, garbage out. You don't need to be a cyberterrorist to take advantage of this. You can be a Nigerian scam artist.

Why, he asks, don't certs work like credit cards? Why don't they expire (in a timely fashion)? Passports and driver's licenses expire in a few years. Root certs expire in 2025, 2028, 2037. (True. I just checked my MS root certificate: expires 2020.)
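Both points (the impostor certs in MS01-017 and the decades-long root lifetimes) come down to what a verifier actually checks. The following added example, written for this post in Go's standard `crypto/x509` and not taken from Forno's article or any vendor code, builds a constructed root CA valid for 30 years and has it issue a one-year certificate whose subject reads "Microsoft Corporation"; chain verification passes, because a chain only proves the CA signed the certificate, not that the CA vetted the name. The helpers `issue`, `LifetimeYears` and `ChainsToRoot` are my own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short: any issuance error is fatal.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue mints a certificate for subject, valid for lifetime, signed by parent
// (self-signed when parent is nil). Hypothetical helper written for this post.
func issue(subject string, lifetime time.Duration, isCA bool,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // constructed serial; real CAs use random ones
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// LifetimeYears is the figure a trust-store audit reports for each root.
func LifetimeYears(c *x509.Certificate) float64 {
	return c.NotAfter.Sub(c.NotBefore).Hours() / (24 * 365.25)
}

// ChainsToRoot verifies leaf as a code-signing cert against one pinned root.
// The subject name is never vetted here: it is whatever the CA chose to put in.
func ChainsToRoot(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}
```

Run it under `go test` with the assertions of your choice; the same leaf fails against any root other than the one that signed it, which is why the CA's issuance process, the root set you pin, and the lifetime you tolerate are the real controls.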

Why, he asks, would you trust a 5-year-old dot-com with your identity, rather than a brick-and-mortar financial institution like CitiBank? Most people, he says, would rather trust the latter. The Digital Identity weblog made this same point recently.

Forno recommends: Ellison and Schneier's Ten Risks of PKI.

Well, it's all true. PKI and SSL do not add up to an e-commerce silver bullet. There isn't one. Every day, credit card numbers shielded by high-grade security land in web-exposed flat files that Google can find. As Bruce Schneier likes to say, it's the liability limit on Visa cards and not SSL that props up e-commerce.

Will this chicken-and-egg situation ever resolve? I guess I'll keep on signing my emails anyway.

