Happy Turkey Day

Today is Thanksgiving, the American holiday that’s loosely based on the feast that the settlers of Plymouth, Massachusetts had to celebrate surviving their first New England winter. It’s traditional to serve turkey on this holiday, so it’s sometimes referred to as "Turkey Day." There may be another day, however, that’s just as deserving of that name. This is a day in August instead of November.

August is the month in which ITU-T Recommendation X.509 (1997): Information Technology – Open Systems Interconnection – The Directory: Authentication Framework was approved. This is the standard that defined the format for digital certificates as well as the framework for using them. It was probably the first step in the wrong direction for public-key technology, and a step that has made public-key technology more difficult than it needs to be.

It’s also probably the reason that the adoption of public-key technology was negligible for many years. During this time, PKI vendors insisted that products that supported the X.509 standard were the only ones worthy of adopting, despite the many serious problems that PKI technology has. Customers seemed to believe this. Consultants made lots of money writing documents with important-sounding titles like "PKI Strategic Plan" that described how the use of X.509 certificates could solve lots of pressing security problems. Many customers tried the technology, but not too many deployed it on a wide scale, despite the pressing need for encryption of lots of sensitive data.

In retrospect, it seems odd that customers didn’t question vendors’ claims. It was really little more than a handful of vendors claiming that the technology that they happened to sell was the only solution worth considering, and customers accepting this without asking too many questions.

Public-key technology was a significant breakthrough when it was invented in the 1970s. It made some things practical for the first time that were extremely cumbersome and expensive to do with just symmetric cryptography. But as the technology evolved, the idea of digital certificates that the X.509 standard defines proved to be too difficult and expensive to implement and support. Aside from the single use in SSL for authenticating web servers, X.509 certificates have found little use outside government projects, where their high costs don’t seem to matter as much. It’s a technology that has definitely proven to be a turkey. If we could only find the exact day in August on which the first version of the X.509 standard was approved, we could add "X.509 Day" to the list of days that observe significant historical events. "Turkey Day" might also be a good name for it.
