PKI Will Grow, But Policy Problems Remain

Public key infrastructure is poised for a resurgence, with associated identity technologies increasingly underpinning applications as organizations look to securely share information, vendors said Tuesday at a standards conference in London.

While it was a hot buzzword during the peak of the technology boom, PKI fell out of favor as IT projects were increasingly seen as bloated and without sufficient focus.

“PKI still has a lot of perception problems,” said Stijn Bijnens, senior vice president of identity management for Cybertrust.

Bijnens was one of several participants in a conference by the Organization for the Advancement of Structured Information Standards (Oasis), a consortium that develops standards for business applications.

PKI uses certificates that have been verified by a certification authority and allows other organizations or people to exchange trusted information. PKI simplifies e-government and e-commerce by letting people identify themselves once to a certification authority that vouches for the people’s identity when they interact with other organizations in the infrastructure.

Several changes in IT should spur growth of PKI. Microsoft’s release of its next-generation OS, Windows Vista, contains technology to help users manage identities, called CardSpace, Bijnens said. CardSpace will allow users going to compatible websites to have greater control over how their personal information is released.

While it’s unknown how CardSpace will work with other identity technologies, it should help grow the market for certificate accreditation and procedures around identity verification, Bijnens said.

“Microsoft just enables the market for everyone,” Bijnens said.

Governments are undertaking electronic-identity projects that should also foster interest in PKI technology, Bijnens said.

But PKI technology faces hurdles, too. The technology is growing increasingly complex even for those familiar with it, said Arshad Noor of StrongAuth.

Noor said he was once involved with a PKI implementation at one of the largest pharmaceutical companies for its 120,000 employees worldwide. The chief executive officer (CEO) expected the rollout could be done in about five weeks. The rollout eventually finished, but not on the CEO’s time scale, he said.

“It was absolutely crazy,” Noor said. “I think management needs to understand they are implementing more and more complex technology.”

Also key are the policies built around identity sharing. However, those policies often must rapidly be adjusted as businesses acquire other ones or business processes change, Noor said.

Another problem with exchanging identities using PKI is establishing one authority that can vouch for identities, something that so far hasn’t happened.

“The framework doesn’t exist yet,” Noor said.

-Jeremy Kirk, IDG News Service (London Bureau)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.