Utah's PKI experiment

Utah CIO Phil Windley will be speaking at the digital identity conference next week in Denver. Excellent! On his weblog, Phil has been gathering his thoughts for the talk. I would be especially interested to hear his perspective on the PKI lessons Utah has learned, and the prospects going forward.

As I discussed a couple of years ago, in a column on digital signature laws, Utah was way out ahead of the rest of the nation on this issue. When the E-Sign bill came out, I was initially dismayed to see no prescriptive guidance about keys, certification authorities, and so on. As the discussion in that column shows, I yielded to arguments that government ought not prescribe such things. But I keep flip-flopping on the issue.

Phil writes:

"Like it or not, states are in the identity business. We like to claim that we're just in the licensing business, but the truth is that, for better or worse, the state issued driver's license is the gold standard for identification in the physical world."

Indeed. I've long wondered if government could, and perhaps should, issue digital IDs as part of that licensing process. We've seen that the e-commerce industry has no stomach for it. Digital IDs remain a stillborn technology because nobody wanted to slow down the e-commerce juggernaut by burdening consumers with another licensing and registration procedure. So we prop up all of e-commerce with the $50 cap on credit-card liability, and write off the fraud as a cost of doing business. In truth, that may be an acceptable cost. But what about the lost opportunity cost? A digital-ID-equipped citizenry can sign electronic documents, encrypt messages, and authenticate to Web services. These are consumer-empowering capabilities. As Phil points out, "Liberty Alliance and Microsoft Passport are more about helping businesses than consumers."

Lord knows PKI is a can of worms. But with every turn of the wheel, most recently in the areas of Web services security and digital rights management, we're reminded that the issues tackled by PKI -- identity and trust -- will not go away. Few people can have a better real-world view of all this than Utah's CIO. It will be a fascinating talk, I'm sure.

Former URL: http://weblog.infoworld.com/udell/2002/10/05.html#a435