Suppliers of public key infrastructure technology (PKI) are facing a market shakeout as users shun their marketing message.
Suppliers such as RSA, Entrust, Baltimore Technologies - which recently bought another supplier, GTE Cybertrust - have all struggled to convince commercial users that they need security architecture based in digital certificates.
Some have started to change their marketing strategy to focus on the need for a "trust infrastructure" rather than selling a PKI. But "trust" too has become a difficult concept for users to grasp.
Users who have bought an expensive, proprietary PKI technology are beginning to reject the digital certificate-based approach, because they believe that - for the time being - they do not need it.
Security specialists such as Inter Clear and Trustis are ignoring the "PKI sell" in favour of solely discussing business requirements with clients.
Inter Clear, which is a specialist in PKI outsourcing, now discusses security with users in terms of "risk management", and warns against users losing control of their own security infrastructure.
"When implementing a PKI, organisations must be wary of having their e-business strategy dictated to them by PKI technology or a supplier's procedures," it said.
"They must ensure that they remain in control of who issues, owns and manages the rules under which digital certificates are used within a PKI."
Trustis technical director Alan Liddle said, "We still have users telling us they want a PKI, and we have had to tell them: 'PKI might be a good idea, but not just yet.'
"A lot of it has been oversold. Large, all-embracing PKIs are difficult to build. You might even be better off integrating five PKIs for different divisions, rather than one large one," he said.
Liddle offers the following advice for IT directors facing a PKI-sell from suppliers:
This was first published in March 2000