Why PKI is still used

It’s always fun to watch babies. They’re born knowing absolutely nothing and have to learn how the world around them works by watching how things behave. Once they get a bit older, they seem to start doing experiments to check if what they think is actually true. When they’re very young, for example, they notice that everything falls when it’s dropped. When they get a bit older they’ll try dropping things again and again to see if things really do fall every time they’re dropped. After a while, they seem to decide that they’ve tested their hypothesis enough times and they stop dropping things. This is why adults don’t do some of the things that babies do. Adults typically don’t drop things just to see if they’ll fall because they already did it hundreds of times when they were babies.

When they’re learning about how the world around them works, babies will eventually give up if they find something doesn’t work. They just file that away as part of their understanding of the world. Adults, on the other hand, seem unwilling to learn from experience the same way that babies do. Some even insist on moving forward with technologies that have always failed in the past. It’s enough to remind you of the following exchange in The Princess Bride:

Wesley: "Aha! Your pig fiancé is too late! A few more steps and we’ll be safe in the fire-swamp."

Buttercup: "We’ll never survive."

Wesley: "Nonsense! You’re only saying that because no one ever has."

Some people seem to believe that they’ll be able to succeed with difficult technologies, even though most others fail. PKI is probably a good example of this. PKI has been around for quite a while. The digital certificate was invented over 30 years ago and the first version of the X.509 standard that defines how to use certificates was completed over 20 years ago. But except for the single notable use in SSL, the technology has essentially gone nowhere in the past few decades. The root of the problem is essentially that while machines don’t mind using digital certificates, people hate them.

Despite this clear evidence of failure, some organizations still have not noticed that trying to have people use digital certificates has a very high chance of failure. Maybe they see themselves as Wesley in The Princess Bride, who does indeed manage to survive the Fire Swamp despite the failure of those who came before him. On the other hand, Wesley had one thing going for him that most corporate IT departments don’t: the fact that the scriptwriter was on his side. Consultants can help with many difficult issues, but even the best consultants don’t have that level of influence.
