When I mention the term PKI I get a number of different reactions. The most usual reaction is ‘PKI, Oh what is that?’ Public Key Infrastructure I say. The answer, ‘Oh, what is that?’
That response is mainly from people who are not familiar with information security. With those who are I get one of the following reactions:
‘Oh PKI – I made a lot of money from that…’ (Profits Kept Increasing)
‘Oh PKI – What a waste of time or money that was…’ (Prices Kept Increasing or Pesky Knackered Implementation)
‘Oh PKI – Yes I work with that or I use that…’ (Pretty Keen Indeed)
To complicate matters further, in some places around the world PKI is the term used to describe smart card based authentication products.
So there are some of us who are blissfully ignorant of the Legend that is PKI, those of us who have had our fingers burnt or know of others who have, those who have done quite well out of it and those who accept PKI as a necessary part of their security implementation.
In terms of percentage (finger in the air) I would say that 90% of people I speak to do not know what PKI is and of the other 10% the vast majority have the perception that PKI is a waste of time and money.
So, as PKI is either misunderstood or disliked, should it be given a ‘Makeover’? Should it be re-invented, as pop stars and businesses do from time to time? If so, what should it be called?
PKI has in some cases been implemented as a separate entity. It has been an ‘Infrastructure’ separate from any other. And trying to integrate one infrastructure with another incompatible infrastructure is where some of the high costs and failure rates have come from. PKI works best if it is an integral part of a larger solution and infrastructure. So should we be calling it ‘Infrastructure’ at all?
However, PKI is not just about cryptographic mechanisms. It incorporates the whole caboodle including the algorithms and keys, physical security, personnel security, policy and procedures. So the name needs to convey a total approach. Or does it? The physical, personnel, policy and procedure requirements etc. should be part of an overall Infrastructure anyway!
Also, those who are familiar with cryptography will know that PKI uses both public and private key cryptography. Therefore the use of the term Public Key is only half the story. So do we need to lose the term Public Key?
I personally like to use the term ‘Applied Cryptography’ instead of PKI.
However, these are some other possibilities:
• Practical Cryptography
• Integrated Cryptography
• Cryptography In Use
• Cryptographic Applications
• Complicated Mathematical Protection Stuff
• Crypto Caboodle
• Key Management Infrastructure
• Cryptographic Key Infrastructure
I am sure you can think of some more.
But we do need to be careful, as some of these can provide for interesting acronyms, CRyptographic APplications for example.
But why bother, you may ask. Isn’t PKI defunct anyway? Well actually, where PKI has been implemented appropriately it has been very successful. We use PKI every day on the internet and in financial transactions and it is here to stay. And there is no doubt that its use will grow where it can be of benefit.
In conclusion, I personally would like to see the abolishment of the term PKI. It is not descriptive enough and it can trigger off negative reactions. But how do we bring about this momentous change? Maybe it starts with a few of us starting to use different terminology…