Public Key Infrastructure
Full Title or Meme
- The Public Key Infrastructure was build up to support the CCITT X.509 Certificate which was designed by the monopoly telephone companies to continue their existing business model of charging a recurring fee to customers who had no choice in the matter.
- The idea that a X.509 Certificate should have a limited life-time made sense for the telco, but no sense what-so-ever for a Relying Party who wanted to check a signature, that might have been made at some time in the past when the certificate was valid, but theoretically is invalid at the time the signature was checked.
- Lots of work-arounds were devised for the limitations of PKI, but they all involved extraordinary complexity that made life difficult for anyone that wanted to implement the technology.
- One of the last work-arounds was to introduce Online Certificate Status Protocol (OSCP) which at least got rid of the necessity for certificate revocation lists, a hold over from the 1950's credit card deployments.
- Enterprises were willing to tolerate the pain introduced with PKI, but not a signification number of Users that could not be compelled to submit to the pain.
- Problems have been known for a long time
- The basic business model of selling Trust for money can never work in a capitalist economy. Any standard causes a race to the bottom. PKI should be abandonded, but the problem is proposing a workable solution that is financially sound as well as a secure expresseion of Trust is not known in late 2018.
- FIDO U2F will put a Trust token in the hands of users, but does not help the bigger problem, how to Trust the Web Site Identity.
- Robert A. Grimes, 4 Fatal Problem with PKI. (2015) CSO https://www.csoonline.com/article/2942072/security/4-fatal-problems-with-pki.html