Privacy & Security

The Limitations of Traditional PKIs for Delivering the Customer Identity Management Solution Enterprises Urgently Need

Public key infrastructures (PKIs) cover all elements of establishing and managing public key encryption, currently the foundational form of encryption used to communicate securely on the Internet and within organizations.  

Public key encryption includes generating, exchanging, storing, using, destroying, and replacing keys, plus the procedures and protocols around those functions.  

PKIs enable trustworthy communications between users and systems. Successfully managing the cryptographic keys in a cryptosystem is essential to the security of that cryptosystem. 

Traditional PKI systems and even proprietary successors have significant challenges in deployment, particularly for the user, which restrict the business value they can offer enterprises. Indeed, traditional PKIs promised to deliver a raft of business benefits but have fallen well short. Today, these systems do provide for enhanced security capabilities, such as strong authentication, key distribution and communication security, but they’re not fully delivering the identity management, privacy, and security that was promised and that enterprise urgently need.

The Limitations of Traditional PKIs 

Public key management on the Internet has a long history. The ubiquitous use of SSL/TLS  for the web has been a significant success story. Using public key cryptography, a user can authenticate the web server that their browser is accessing and implement subsequent key exchange for strong confidentiality and integrity protection of the communications between browser and web server.  

But managing the public keys to support this environment is a complex project: 

  • It requires a hierarchical set of Certificate Authorities, with web servers creating public/private keys and then requesting signed Certificates from trusted Certificate Authorities.   
  • Browsers are required to store up-to-date lists of trusted Certificate Authorities. 
  • Occasionally the security of the system is exposed when those Certificate Authorities are compromised. Responses to that compromise include out of band mechanisms such as Certificate Transparency systems. 

Extending the use of public key cryptography to the user and their devices is also desired, but uptake is currently low. New initiatives, such as the WebAuthn protocol, are encouraging adoption. A user carries a device with a private/public key pair that can be used to register and authenticate the user to the web server. The advantage for the web server is strong user authentication, while the advantage for the user is ease of use and convenience from password-less authentication. 

There are other examples of public key cryptography extending to the user, including secure email such as PGP and S/MIME. One uses a ‘web of trust’ model for managing public keys, and the other a more traditional public key management approach. But neither has seen widespread adoption. 

Even proprietary public key management solutions have their limitations in that they offer innovative alternatives to E2E cryptographic requirements, but still fall short of holistically addressing identity, security, and privacy issues.  

Decentralized Identity Delivers Where Traditional PKIs Don’t 

There’s no doubt the future for privacy and security online lies in emerging and existing decentralized identity technologies, and businesses that recognize and seize the opportunity to use decentralized identity will put themselves at a massive competitive advantage because they’ll have a holistic solution encompassing identity, security and privacy.  

Providing an implementation of Decentralized Public Key Infrastructure (DPKI), decentralized identity creates digital identities completely owned and controlled by the user. It gives users control over their personal data, gives these identities the verifiable assurance of blockchain technologies, and enables users to make assertions about their data (e.g. I’m over 21) without revealing the actual data itself (e.g. birthdate:  1 Jan 1970).  

As such, decentralized identity delivers a scalable trust ecosystem based on industry standards which enables end-to-end encrypted data exchange and decentralized identity management. It reduces the need for centralized data stores to the absolute minimum and also reduces the compliance burden in managing that data, drastically reduces system vulnerability to data breach and abuse, is easier and more convenient for customers, generates human trust in the system, and opens up exciting business opportunities not possible with traditional approaches.  

The future looks bright.