The Signature Series
Buzz: The columnists speak
PKI and security


Network World Fusion, 09/27/99

The next topic is PKI. This seems like a technology that hasn't really caught on with the masses, as only those with the most stringent security needs have implemented it. But it seems necessary if you're going to have security in e-commerce applications that involve large amounts of money. What do you see as PKI's future?

Kearns: Security is what you need. PKI is just one way of getting security.

Nolle: I agree completely. The problem with public key encryption is, if you look at the history of crypto security, the problem from the user's perspective is that every time somebody announces a new security strategy, somebody in Denmark announces that they've cracked it in three weeks. That kind of performance is not conducive to building a lot of trust on the minds of the buyer. And one of the things that buyer research has shown is that the buyer tends to fall back on the concept of physical security of his network, which is to say partitioned facilities rather than something like an Internet type of an environment. What's going to happen with security is we're going to solve the security problem by keeping these highly secure transactions off of public IP networks like the Internet and we're going to create a different kind of public IP network that has a different technology basis and therefore is viewed by the buyer as being more intrinsically secure. Or we're going to go down to a virtual circuit network for this stuff.

Kearns: So VPNs are the key.

Nolle: VPNs are the key to the extent that VPNs are not simply tunnels over the Internet because if you're tunneling over the Internet or over any public IP network that's based on connectionless routing, you have the same problems with tunnel security as you have with traffic that's in the clear in a security sense. Tunneling doesn't create a secure connection. It only creates a partitioned network. If you want to partition the network in the true secure sense, you'd have to move down to the virtual circuit level. All the frame relay carriers have told me that buyers are no more likely to encrypt frame relay traffic than they are to encrypt leased line traffic, which means that buyers view frame relay virtual circuits to be as secure as leased lines. On the other hand, nobody views the Internet as being secure. What we're really saying here is, if public key confidence can't be built, and at least in the surveys we've done the user doesn't seem to be inclined to accept any technology as a convincing solution to this, then these secure applications are not going to run on the Internet.

Kearns: Why isn't the user accepting PKI, though? Is it because it's too complicated for him?

Nolle: In part. It's our mission as the insiders in this industry to educate users to a point of making them comfortable and we do not seem to have been able to do that up until now and I have my doubts whether it's possible. So somehow or another the process has got to be brought within the confidence grasp of the buyer. And if the only way to do that is to emulate private lines, then that's the only way to do it.

But even if you bring this traffic off the Internet and you create some other network and call it something else, don't you still have the same security problem?

Nolle: It depends on the technology. Certainly if I create something that's based on connectionless routing I have the same security problem. One could argue perhaps that the buyer's belief that virtual circuits are intrinsically secure is misplaced, but they believe it nevertheless.

Kearns: This is getting us pretty far afield from PKI, though.

Nolle: As somebody already said, PKI is just a mechanism for guaranteeing security. And it's a remedy that is useful only if the buyer believes in it and if the buyer doesn't believe in something simpler. I don't think buyers do believe in PKI. They clearly haven't demonstrated their belief by buying into it in any economic sense. But I also think that buyers believe that a simpler strategy, which is to say private line or virtual circuit networking, is the way they want to go.

Kobielus: Most of the market believes that whatever security mechanisms are built into their existing environments are good enough. When you're talking about creating a new infrastructure that is in some sense functionally redundant with existing infrastructure within your existing e-mail systems and NOSes, that's where the value proposition for PKI gets awfully questionable. You're talking about setting up all these certification authorities, registration authorities, validation authorities and you've got to integrate it with your directory and you've got to manage this new workflow within your MIS and networking shop in terms of issuing certificates when you create user accounts and renewing them and revoking them and sending out certificate revocation lists. It's like, "OK, you're getting me into a new realm of rocket science, Mr. Vendor, but you're not telling me why I should be traveling to that planet."

Nolle: That's my point. What we've got here is a very complicated process and the buyer feels not so much that he is concerned as that he should be. He's afraid that a lack of concern is a politically indefensible position and so he's looking for some easy answer to the security problem. As you pointed out, correctly, maybe the problem is that PKI really isn't an easy solution to the security problem and for that reason it doesn't meet the buyer requirements.

Kearns: The strange thing is that the only encrypted and signed e-mails I've ever received were not strategic. Strategic information comes in the clear. So what we're finding is that there's a certain group of people who are tied closely to this technology and are using it for everything. And there are other people who perhaps need to use it and are put off by it so they don't use it for anything.

Someone mentioned certificate authorities. I see no reason in the world why I should put my trust in Joe's Certificate Authority to verify and validate some other user that I've never seen before because I don't know Joe either. These things are going to have to be centralized, they're going to have to be done at a much lower level in the application or in the network than they are now. It's got to be done without me really having to pay attention to it. And we're nowhere near close to that.

Nolle: I agree.

  Copyright, 1995-2001 Network World, Inc. All rights reserved.