A simple misunderstanding
A while back a heated discussion started on a mailing list that I subscribe to. This particular list is for the discussion related to a certain security standard, and the cost of using PKI was the topic that seemed to get people’s interest.
The opponents of PKI pointed out that it’s typically very expensive and too hard for the average user to use. There are certainly real-world statistics to back up these claims. According to a report by the GAO, the average cost of PKI in the US federal government has been a bit over $220 per certificate. Another analyst report estimates that the TCO of a secure e-mail solution based on PKI is over $800 per user per year. I don’t recall any compelling arguments from the proponents of PKI. Instead, they focused on the need for some way to verify the origin of e-mail and to protect it from eavesdropping. I don’t recall any claims that PKI was the best way to do this, but just that it’s a way that’s available now.
I usually try to stay out of heated discussions on the Internet, but this time I couldn’t help adding a comment that didn’t really add anything useful to the discussion. I did this by mentioning that if PKI is really as expensive as the GAO report would have us believe, then in many cases there’s probably a cheaper alternative. I proposed that you could use your FedEx account number as a way for people to be able to securely get information to you, so that it would more or less be acting like a public key. Using FedEx isn’t cryptographically secure, but it’s probably good enough for most uses. In cases where you’re not sending too many documents, this has a good chance of being cheaper than using PKI-based e-mail. This wasn’t meant to be taken seriously, of course.
Like many other comments via e-mail that aren’t meant to be taken seriously, this one was misunderstood. The first reply to it asked if I was suggesting that a FedEx account number could be used as a user’s identity in some sort of identity-based encryption scheme. So I was stuck explaining that I wasn’t being serious and that my comment wasn’t meant to be taken literally. Identity-based encryption may be very useful in some applications, but this probably isn’t one of them.