The lowdown on PKI

What is it? PKI is a method of authenticating all parties, ensuring data integrity, keeping data private and preventing repudiation of transactions.

How secure are private keys? PKI requires that each individual have a secure private key to perform encryption. This is essential to proving who is sending a message, but private keys are often stored on nonsecure computers, so what happens if a party claims their private key was compromised by a physical or electronic attack? With vital security data often stored on PCs, the whole process may be no stronger than the weakest password.

What about identity theft? Intentional'or even accidental'identity spoofing, theft or misidentification is still possible with PKI. For example, there are scores of certificate authorities, some of which may identify people or companies only by name. This raises the question of whether you know which CA a particular individual or company uses. Is John Smith the John Smith you think he is?

What about repudiation? PKI advocates have converted technical cryptographic terms such as repudiation to their own use, and some new laws have been applied to them. For example, under some existing and proposed digital-signature laws, if a CA certifies your private key and it is used to validate a contract, you are automatically liable. In contrast, banks and even credit card companies have to prove you authorized a transaction if you claim it was fraudulent.

Do you really need PKI? That's a good question. Internet commerce is thriving without the use of CAs, and you can secure communications in ways such as encrypted virtual private networks, even in an enterprise environment. Unless PKI is mandated, it is important to examine the possibility that what you really need is a combination of biometric identification and encryption or some other technology.

Must-know info? PKI may be the best option for many applications, but it isn't perfect and it isn't easy or inexpensive to implement. The biggest security concern is the certificate authorities. Just who gives them the 'authority,' how secure are their databases and is every step of the process really encrypted? Check out a CA's certificate practice statement, paying particular attention to any guarantees it makes and whether the CA accepts any liability.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above