PKI is an interesting technology that has received its share of bad press. These negative comments have typically focused on the problems that most implementations of PKI have – they tend to be expensive and too hard for average users. What’s often not considered is the fact that not many applications can use the digital certificates that PKI creates and manages. This means that after you spend a fair amount of money deploying your PKI, you’ll find that you can’t do much with your certificates except encrypt and sign e-mail or authenticate to a web server. Just those two uses probably doesn’t justify the cost of deploying and supporting a PKI. Most applications don’t support PKI and modifying them so that they do can be expensive, perhaps even very expensive.
I recently gave a talk about some innovative applications of cryptography in the entertainment industry. In this talk I mentioned that I’d heard that the Department of Defense has requested $5 billion to PKI-enable their core mission-critical applications. It turned out that a person in the audience was involved in that budgeting exercise and she told me that this estimate was way off.
It seems that the estimate of $5 billion came from a call which polled various departments about their needs and how much it would take to PKI-enable their most important applications. According to the person at my talk, most of the people on this call had no idea what PKI was or why they’d need budget to PKI-enable their applications. So when they were asked how much they needed, they said that they needed nothing. This means that the $5 billion number probably grossly underestimates the actual costs. Because of this, a more realistic estimate for the cost of PKI-enabling the DoD’s applications might be more like $10-20 billion.