Is PKI really that bad?

At the recent Key Management Summit, we scheduled a few minutes at the end of each day so that people could get up and talk about whatever issues they felt like talking about. The intent was to provide a way for people to tell the others about ideas that they had had while listening to the various speakers' presentations. I had never seen this done before, but it seemed to work fairly well.

The impromptu session at the end of the second day was particularly interesting. One of the attendees, Ben Gittins, got up and asked for opinions on what he had read about PKI. Peter Gutmann, for example, is now working on a new book, and Ben had read a preliminary version of this book's chapter on PKI. Apparently Peter's new book does not describe PKI in a positive way (if you're familiar with Peter's thoughts on PKI, you'll know that that's a huge understatement), and Ben wanted to know if we really thought that PKI was as bad as Peter describes it to be.

It didn't take long for the group to reach a consensus. A few people simply said, "Yes, it really is." That's about as far as the discussion got. After that, there really wasn't much more to say.

  • Peter Gutmann

    One of the reasons for going into so much detail about PKI’s problems in the book is that, as the audience members pointed out, people are aware that PKI has major problems but apart from Schneier and Ellison’s “Ten Risks of PKI” from 10-odd years ago there doesn’t seem to be anything around that documents why. My intent was to answer the implied question “We’re having a lot of trouble with PKI, what are we doing wrong?” with “You’re not doing anything wrong, it just doesn’t work very well”. I guess my real issue with PKI is why, after 30 years of failure to launch, we’re still bothering with it instead of looking for alternatives that do work.
    Now I’ve got to figure out how to get a ref to this post into the book :-).


  • Benjamin Gittins

    As for the problems with PKI, Peter’s book [1] definitely goes into more detail than any other publication I have found on the “why”.  It is a real eye-opener and the case-studies drive the issues home. 
    Thankfully, others are also starting to raise the flag around the civilian PKI. Richard Brooks recently wrote an extended abstract [2] highlighting some of the recent problems at ORNL CSIIRW-6 [3]. 
    While not as authoritative as Gutmann or Brooks there is also a short article [4] published by Network World which touches on the existence of multiple system-wide single point of trust failures (SPOTF) in the civilian identity management system. It points to interception devices sold to exploit this weakness. I also recently posted [5] on the issue of SPOTF as it relates to the US draft (2010) National Strategy for Trusted Identities in Cyberspace publication [6].  
    Picking up on Peter’s comment above “I guess my real issue with PKI is why, after 30 years of failure to launch, we’re still bothering with it instead of looking for alternatives that do work”, I note there are new calls (2009-2010) from US Department of Homeland Security (DHS) and US National Institute of Standards and Technologies (NIST) for new trustworthy global-scale identity management (IdM) [7] and global-scale cryptographic key management (CKM) [8][9] solutions respectively.
    Elaine Barker (project leader of the NIST [global-scale] CKM project [8]) stated CKM designers “must look at means other than public key-based key management schemes; they must look at quantum computing-resistant algorithms and schemes” [9] (page 31 and page 52).
    The DHS cybersecurity roadmap [7] states that: “Global-scale identity management is a hard problem for a number of reasons, including standardization, scale, churn, time criticality, mitigation of insider threats, and the prospect of threats such as quantum computing to existing cryptographic underpinnings.” (page 55)
    Unfortunately the (DHS led) National Strategy for Trusted Identities in Cyberspace project does not seem to attempt to encompass the hard problems and critical issues identified by the DHS roadmap or take into consideration NIST’s efforts. Furthermore, the DHS IdM and NIST CKM initiatives do not appear to be synchronised yet. In my opinion, a harmonisation of these 3 efforts could be beneficial.
    Personally I’d like to see the international collaborative development and deployment of an internationally acceptable global scale IdM/CKM architecture that synergistically combines the best of both the public key and symmetric key techniques to address the issues identified by NIST and DHS while also taking into account the many lessons learnt by industry and Government (both in what doesn’t work, and what is working in the market today).
    I feel it is critical that such an effort provide a upgrade path for existing cybersecurity systems while also framing the global scale IdM/CKM effort in the wider context of how it supports other cybersecurity initiatives such as behavioural trust, various malware detection methods, physical identification techniques, privacy enhancing techniques, anonymity techniques, and so on. Such a system should be explicitly designed to protect the legitimate interests of all stake-holders.
    [1] Dr. Peter Gutmann’s “Engineering Security”,
    [2] Prof. Richard Brooks: “Lies and the Lying Liars that Tell Them – A fair and balanced look at TLS”, CSIIRW-6 2010 [proceedings to be published by the ACM].
    [3] 6th Annual Cyber Security and Information Intelligence Research Workshop held at Oak Ridge National Laboratory,
    [4] Ms. Smith, “Certified Lies: Big Brother In Your Browser”, Network World,
    [5] B. Gittins, “We need to explore new distributed decentralised trust models that remove the current system-wide single point of trust failure”, NSTIC @ Ideascale,
    [6] DHS and others, “Draft – National Strategy for Trusted Identities in Cyberspace”,
    [7] DHS, “A roadmap for cybersecurity research”, November 2009,
    [8] NIST, “Cryptographic Key Management Project”, 2009,
    [9] NIST, “Final version of the NIST Internal Report 7609”, NISTIR-7609, 2009,
    [10] B. Gittins, “NSTIC relies on cryptographic primitives known to be at risk of catastrophically breaking”, NSTIC @ Ideascale,
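The "system-wide single point of trust failure" Ben refers to has a concrete shape in the browser PKI: a verifier with a standard root store accepts a certificate for a hostname from any trusted root, not only from the one that actually issued the site's certificate, so the compromise or coercion of any single root in the store is enough to break the guarantee for every name. The Go program below is added here as an illustration; it is not code from this post, from Ben's comment, or from any of the cited papers. It builds two throwaway roots in memory, issues a certificate for the same made-up hostname from each, and shows that the standard library's x509 verifier accepts both, while a verifier pinned to the SubjectPublicKeyInfo hash of the expected root rejects the second. The root names, the hostname, and the `Outcome`/`RunScenario` helpers are my own constructions; nothing here corresponds to a real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with the parent's key (self-signed when parent is nil) using a fresh
// P-256 key. Every certificate built here is constructed test data, not a real root.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA; leafTemplate a server certificate whose SAN is host.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// spkiPin is the hex SHA-256 of a certificate's SubjectPublicKeyInfo, the usual pin value.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyPinned accepts leaf only if some valid chain ends at the root whose SPKI hash is pin.
// A plain leaf.Verify(opts) is what a browser does: a chain to any trusted root is enough.
func verifyPinned(leaf *x509.Certificate, opts x509.VerifyOptions, pin string) error {
	chains, err := leaf.Verify(opts)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if spkiPin(chain[len(chain)-1]) == pin {
			return nil
		}
	}
	return fmt.Errorf("no chain for %s ends at the pinned root", opts.DNSName)
}

// Outcome: index 0 is the certificate from root A (the operator's real CA), index 1 the one
// for the same host from root B, which is merely another member of the trust store.
type Outcome struct{ Standard, Pinned [2]bool }

// RunScenario trusts two roots, issues a certificate for one hostname from each, and checks
// both certificates with a standard verifier and with one pinned to root A.
func RunScenario() (Outcome, error) {
	const host = "service.example.test" // constructed hostname
	var out Outcome
	var cas, leaves [2]*x509.Certificate
	roots := x509.NewCertPool()
	for i, name := range []string{"Root A (pinned)", "Root B (also trusted)"} {
		ca, caKey, err := makeCert(caTemplate(name), nil, nil)
		if err != nil {
			return out, err
		}
		roots.AddCert(ca)
		cas[i] = ca
		if leaves[i], _, err = makeCert(leafTemplate(host), ca, caKey); err != nil {
			return out, err
		}
	}
	pin := spkiPin(cas[0]) // the operator pins the root that really issues its certificates
	opts := x509.VerifyOptions{Roots: roots, DNSName: host}
	for i, leaf := range leaves {
		_, err := leaf.Verify(opts) // standard check: any trusted root will do
		out.Standard[i] = err == nil
		out.Pinned[i] = verifyPinned(leaf, opts, pin) == nil
	}
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Println(out, err) // prints {[true true] [true false]} <nil>
}
```

Run it with `go run .`. Pinning is one of the classic mitigations for this structural property, and the design choice worth noting is that the pin is on the root's SPKI rather than on the leaf: the operator can rotate server keys freely under the same root, while a certificate for the same name that chains to a different, equally trusted root still fails the check.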

