“The Internet Is Broken” proclaims the title of an MIT Technology Review cover
story, while Stanford University’s Clean Slate Initiative explores the idea of scrapping the
existing Net and starting over.
Spam brings us phishing attacks that deliver malware that in turn builds botnets. Fraud and
predation pervade everyday online experience. Identities – and cash – are stolen in batches.
As the information security industry assures us “we’re working on it,” people grow ever more
wary of their Internet experience even as they come to depend upon it more and more.
Underneath our security problems are problems of inauthenticity. Our real problem, the root
problem is, inauthenticity.
People are not who they say they are.
Sites are not what they claim to be.
Hackers broadcast spam and malware under your name from your computer.
How do we solve problems of inauthenticity? Very simply: We solve problems of inauthenticity
with the proven tools and construction materials of authenticity.
Authenticity Works Where Information Security Technology Has Failed Us
It gets better:
When you solve problems of inauthenticity, you solve a lot of other problems as well.
Security is just one of them.
With authenticity, our information systems will be much more manageable, effective, reliable,
and easy to use.
Can we have authenticity?
Mankind has developed over centuries a set of methods and procedures to solve problems of
inauthenticity. Those methods and procedures fit nicely with today's information
Historically, an authenticity infrastructure consisted of duly constituted public authority
(e.g. notaries, justices of the peace, consular officials, building inspectors, etc.) and a
means of conveying that authority (notary seals, wax seals, affidavits, oaths, jurats,
professional licensing documents, etc.)
After all these years, authenticity is still the solution to problems of inauthenticity. On
the Internet, however, we need a better means of conveying authenticity. And indeed we have
We could call it an authenticity conveyance infrastructure. Or we could call it what its late
twentieth century inventors named it… It was named Public Key Infrastructure.
So if Public Key Infrastructure is so good, then why hasn't it solved all of our information
technology problems? Here are seven reasons why….
(Or) Before you explain why PKI hasn't solved those problems, please explain what PKI is….
Before you go into that, what is Public Key Infrastructure?
We'll explain by way of example.
You're probably aware that thieves attempt to steal the account numbers and PINs from bank
ATM cards by placing fake card slots on ATMs.
If those were PKI cards and machines, such captured information would be worthless. You see,
a machine based on PKI presents a puzzle to the card, which contains a computer chip and a
secret number that never leaves the card. After the user enters the correct PIN, the card
tries to solve the puzzle. If the ATM receives the correct solution, then it knows the card
must contain the correct secret number.
Of course, the next puzzle presented by the machine will be different, so a solution to an
earlier puzzle is of no use.
If you'd like to learn more details about this fascinating thing that has been called public
key infrastructure, go to authenticity.ac
If you'd like to learn why its very name is part of the reason for the problem, then click
MORE ABOUT SCARCITY to see the next slide…
Why hasn't PKI solved all of our information technology problems?
1. Implementations usually omit a vital component
- By definition, PKI cannot exist without private keys. But its name and its
specifications do not include them. This is truly odd. One of the twelve components of
the Quiet Enjoyment Infrastructure is its Private Key Infrastructure.
2. PKI terminology can be bizarre
- PKI experts have gotten used to saying things like "the user signs the file with his
- Now the poor newcomer who has heard that PKI is good stuff and is trying to understand
how it works is left scratching her head…
- The term "certificate" refers to both a signed public key and to a certificate plus its
corresponding private key.
- Suppose you were being introduced to fruit science.
- You: What is this?
- Fruit scientist: It's an apple
- You: Tell me more about this thing called an apple.
- Fruit scientist: An apple is an apple plus an orange.
- Fruit scientist: So what do you think of fruit science so far?
- You: I think I'm outta here.
- Remember being introduced in middle school to a useful type of number called an
"imaginary number"? If you could get your beautiful mind around that then "a certificate
is a certificate plus its private key" should present no problems for you. For the rest
of us a certificate, whether digital or on paper, is an assertion that is signed by an
authority, and the pen that signs the certificate is not part of the certificate.
- In QEI, the thing that signs the certificate is called a PEN® (of all things).
- The fact that this needed to be clarified says a lot about why PKI has been slow to gain
traction. Of all the gobbledygook in information technology, this mangling of the term
"certificate" is among the worst! (Private Encryption Number, if you must know).
3. PKI has developed a reputation for being brilliant but too complex for practical
- Now wait. Every time you go to a secure web page, you know with the little lock icon and
the address that starts with "https://", you are using PKI.
- You don't need to understand exponentiation in modular arithmetic to do your online
banking. This undeployability stuff is nonsense.
- The good news is that your browser and email program and other software are set up to
- The not so good news is that every product handles keys and certificates differently,
and very little of it is intuitive.
- Back to the good news. The QEI community is stepping forward to guide you through the
gotchas, particularly when it comes to establishing and using your own identity
- We don't care how obtuse your software is, we'll get you signing and encrypting.
- We tear our hair out so you don't have to…
- But there's another reason why PKI has gained this undeserved reputation for complexity…
- PKI is not particularly complex. It's just bigger than technology.
- PKI has always been the province of technologists. To a technologist, the important
Certification Authority component of PKI is a piece of technology.
- But if you're going to do something more complex than build a tunnel between two
computers who's owners have a business relationship with each other then real public
authority is called for. The Certification Authority is, first and foremost, a facility
where duly constituted public authority is applied to documents and procedures. It's
much like the vital records department in city hall.
- Technology experts consider PKI to be complex because this central element - the
establishment and management of duly constituted public authority - is outside their
4. Reliable identities of users, necessary for effective PKI, have been scarce
- After spending millions of dollars on network security, corporations still have major
- Meanwhile, your ATM card allows your bank to dispense cash with confidence from a
machine on a city sidewalk.
- The technology used by your ATM card is more ancient than the floppy disk.
- So why are bank ATM networks generally secure, while corporate information networks, in
spite of continuous investment in the latest security technology, are barely able to
keep ahead of intruders?
- The difference is not about technology. The difference is about assumptions and
- Your bank's ATM network starts with the premise that knowing who you are is the
foundation of security.
- If a trusted co-worker asked you to share your ATM card and associated PIN, what would
you say? Of course you’d say no, but they wouldn’t even ask in the first place.
- But if that co-worker asked you for your network password, what would you say? In many
companies collaborative work routinely gets done by sharing access credentials, in spite
of rules against it.
5. Attempts at reliable PKI identity have not adequately protected users' privacy
- Once you have created an identity credential that you can use anywhere, how do you keep
nosy organizations from tracking everything you have done with it?
- Some say we have already lost that battle, that everything we do is tracked by a few
powerful organizations, that in fact personal privacy is gone forever.
- Indeed, universal identity done wrong is a threat to personal privacy.
- But there is a very important other side of the coin:
- Done right, universal identity is a fortress of personal privacy, reversing the erosion
of privacy we’ve seen in recent years.
- QEI actually accomplishes that elusive goal, long sought by privacy activists, of
putting people in real control of the disclosure and use of information about
- We invite you to thoroughly examine QEI’s Personal Information Ownership Infrastructure
component to see what we mean
6. PKI has conveyed authenticity without requiring a legitimate source of authenticity.
- How do you convey authenticity without first establishing authenticity?
- PKI has been the domain of technologists. If we regard PKI as a set of excellent
construction materials (which it is) then those who created it are like materials
- Putting well-engineered materials at work requires architects and building inspectors
and others whose professional licenses are issued by public authority and whose actual
reliable identity is attested by vital record department, an agency with duly
constituted public authority.
- QEI ensures that the word “authority” in Certification Authority component of every PKI
actually means something.
7. PKI, when done right, works too well.
- Our computers, operating systems, and application software have been designed to let
their makers help themselves to information about you, your habits, your purchases… your
- QEI puts information about you under your control. Nosy organizations can no longer help
themselves to whatever they want to know about you. That doesn’t make them happy,
despite their proclamations about how much they care about your privacy.
- QEI also calls for digital signatures everywhere, while keeping the personal information
about the signer private. That yields accountability while maintaining privacy—and some
organizations seems to be threatened by the accountability.
- And so those organizations tend to lose the ability to snoop, while being held
accountable for their actions. No wonder they’ve been slow to embrace PKI.
- Some information technology departments have their own reasons for avoiding PKI…
- Organizations avoid PKI because it calls for new
- Imagine telling your receptionist “Please determine the intentions of everyone
who enters the building, and also determine whether they are good or bad
- If you think that’s an unreasonable request, and if you know how a building
works, then you are better prepared to judge information security approaches
than are the information security experts.
- The current practice of information security is mostly about determining the
intentions and character of the sender of a stream of bits.
- Problem: in most cases that is impossible.
- When it is possible, it’s because the intruder lacks skills or funding. In other
words, information security products tend to deter the least threatening
attacks. That renders many information security efforts ineffective or even
useless. They treat your information facilities as a commando outpost, rather
than the online facilities that they really are.
- PKI, if done right, offers something better…
- If you apply reliable identities, building codes, professional accountability
and architecture to PKI, you can build a very secure and effective online office
building where you can keep your confidential information and have your meetings
in quiet confidence.
- Are very old concepts. Information technologists are not used to relying
upon the concepts from the 19th century.
- Involve things that are way outside of what information technologists
are used to judging and managing.
- Imply a complete departure from the examine-the-bit-streams approach to
security. Complete departures can be seen as risky to careers.
- The application of some very old concepts to PKI can make it solve big problems. If
you’re a stockholder in a company with an information technology department, you may
want to call your company’s attention to QEI.
Over the centuries we have learned a lot about how to make our homes secure and reliable.
Let’s see how we can apply that knowledge to those online spaces where we spend more and more
of our time- our information homes if you will…
Suppose your home had been built with secret passageways that you didn’t know about
Suppose that every day, various intruders would enter through those passageways, open your
file cabinets and place files in your folders. Sometimes they’d install devices in your
rooms that would report back to them what you’re up to.
That could never happen in your physical home, of course. City hall’s building codes,
building inspectors and occupancy permits would never permit such an obvious breach of the
principle of quiet enjoyment in our homes.
But in an information home where you spend more and more of your time – your computer or
phone – that’s exactly the way it works. The title files are called “cookies.” (Could they
have chosen a friendlier, less alarming, sneakier word than “cookies”…?)
It’s true, we often let trusted cleaners, childcare people, and neighbors caring for our pets
and others enter our homes when we’re not there.
It’s also true that cookies and automatic software updates in our information homes can be
But what set of ordinances and rules govern the placing of cookies and nosy software in our
And where do we find a city hall to make and enforce them?
And how would we know that those claiming to be trusted friends and service providers are who
they say they are?
Take a look at the answers to these other questions in