Got PKI?


Barry Leiba observes that the public key infrastructure (PKI) and related personal encryption technologies are simply not working. Sure, the cryptographers have figured out pretty secure hashing algorithms and all that, but the usability and logistics of encryption and digital signatures are challenging even to geeks, let alone Aunt Tillie. Bob Wyman argues that we don't need PKI in order to have digital identity, which is true up to a point, but personally I think that strong digital identity is important because many kinds of messages can be forged and in many contexts identity-based encryption is a good thing. But it's not easy now and unfortunately it's not getting any easier, because it's hard to get it right (in part because the metaphors are not familiar to normal people). Barry says "we should be able to get certificates when we get passports or driver's licenses"; the folks in Estonia have done that (population ~1.3 million), but doing it in the USA (population ~300 million) or even one American state would be a challenge, I think.

