PKI's alive and kicking

CoreStreet President Phil Libin notes that while the public key infrastructure has been declared dead a number of times, it just refuses to die--like TCP/IP, it's grown.

A 1991 college computer-networking class almost stymied my vocational momentum.

The professor, a genuinely keen and knowledgeable fellow, spent much time explaining the most important family of network protocols that we aspiring careerists would ever need to know: OSI (Open Systems Interconnection, the seven-layer chocolate cake).

One day, we briefly touched on an inelegant and accidental legacy protocol called TCP/IP, or Transmission Control Protocol/Internet Protocol. TCP/IP was practically dead.

OSI was destined to eclipse and then replace it in the very near future. The experts had agreed: TCP/IP was insufficiently chocolaty.

By 1993, TCP/IP was clearly gripped in death throes. Over the next 10 years, it grew by about 13,000 percent. Along the way, people figured out how to implement the more useful and attractive OSI concepts on top of TCP/IP. There are several other ways to measure the growth of the Internet, but the general consensus is that an upward trend is clearly visible. Meanwhile, OSI became best known as the ticker symbol for a steakhouse.

A couple years later, as TCP/IP's health continued its precipitous nondeterioration, another technology conflict loomed large. The world's microprocessor manufacturers had chosen sides in the great RISC (reduced instruction set computing) vs. CISC (complex instruction set computing) architecture war.

Apple and Motorola (new, small, simple, cheap, RISC-oriented) had taken on Intel (traditional, big, complex, expensive, CISC-oriented). IBM had a toe in both bathtubs.

Billions of dollars and the future of life as we know it were at stake. One of these technologies would die; the other would rule the chip world. Analyst reports were written. Bar bets were made. I considered buying stock.

Do you remember who won? Most people don't; it wasn't much of a bang.

Basically, both sides took good ideas from the other, and successive generations of chips blurred the distinction until RISC/CISC was no longer an interesting way for central processing unit engineers to talk about chip design. Sometime later, the experts stopped talking as well.

The modern-day moral equivalent of this situation: digital certificates vs. the public key infrastructure, or PKI.

Over the past few years, fortunes have been made and lost--mostly lost--in the PKI markets, and experts are sharply divided about the health of the industry. On the one hand, many of the hardest problems associated with PKI are being cleanly solved by persistent and/or innovative vendors.

On the other hand, historically common failures have left many information technology organizations with a bad taste in their mouths, and user adoption continues to lag.

Once, PKI was hyped as an almost magical solution to almost every IT problem. Then reality set in. The good news is that the PKI debate is quickly fading away, as customers stop focusing on technology and start focusing on specific applications. When VeriSign's certificate infrastructure went down for a day last month due to an unexpected validation problem, many people suddenly realized how surprisingly common digital certificates had become.

Numerous Web browsers, Java applications, antivirus packages, virtual private networks and document systems slowed to a crawl or stopped working entirely. The problem was resolved fairly quickly, but any illusions that digital certificates were exotic or uncommon were quickly dispelled. As strong security and authentication become increasingly important over the next few years, more and more applications will quietly incorporate digital certificates and PKI concepts into their core functionality.

Combined with the best ideas of more traditional security approaches and large-scale programs currently issuing millions of certificates to individual users (like the U.S. military's Common Access Card), these applications will deliver significant security and convenience improvements to many everyday computing tasks.

The days of buying specific security technologies (like PKI or symmetric keys or passwords or secure tokens) are mostly over. The days of buying secure applications are here today. It's time to put this debate behind us and start building real solutions for real security requirements.