The PKI deployment summit at Dartmouth is becoming a summertime tradition. Observations from last year's event found their way into two columns. Today as I head up to Hanover for this year's event there's really only one big question I'd like to ask the security pros who will be assembled there: How do we make PKI protocols meaningful to humans?
A couple of weeks ago Kim Cameron, who is Microsoft's identity architect, wrote a blog entry that I've been unable to delete, and in that entry he uses a word that I've been unable to forget. The word is ceremony. Responding to Doug Kaye's plea for a protocol that will enable permissions for audio recordings to be negotiated spontaneously and on a very large scale, Kim proposes a scheme that includes a "ceremony" -- literally, a script read by parties to the agreement that includes the metadata (event title, system-generated event ID) as part of a spoken contract.
This is a wonderful way to bring Kim's sixth law of identity to life. Its title -- "The Law of Human Integration" -- sounds great, but its description is guaranteed to make eyes glaze over:
The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.
Fine, but what does it mean for the human to be "a component of the distributed system"? This notion of ceremony captures it beautifully. Kim's write-up on the sixth law invokes the idea, and it's elaborated in an audio interview with Carl Ellison -- whose work on SPKI (simple public key infrastructure) helped inspire, among other things, the security architecture of Groove.
In this paper Ellison attributes the use of the word "ceremony" -- in the context of security protocols -- to his Intel colleague Jesse Walker. The paper is oddly titled UPnP Security Ceremonies Design Document and says whimsically at one point:
Every time there is a network connection between a computer component and a human user, one can not use a standard network layer. Humans don't have network interfaces.Of course the "ceremonies" described by the UPnP paper would not be seen -- by anyone other than a security geek -- as having anything in common with, say, a marriage ceremony. But Kim's proposal for a ceremonial granting of recording rights would be seen, by ordinary folks, in just that way.
This might seem like a strange topic to introduce at the PKI summit. But let's remember that, to non-geeks, there's nothing stranger than PKI.
Former URL: http://weblog.infoworld.com/udell/2005/07/26.html#a1276