Why Public Key Infrastructure (PKI) has failed

There are several reasons PKI has failed, says Peter Tippett, head of the industry solutions and security practice at Verizon Business.

The main reason organisations do not use PKI, he told attendees of RSA Conference 2011, is that it costs too much.

Speaking in a debate on the importance of identity to internet security, he said very few organisations are able to make a business case for spending $200 to $300 per user, per year.

The second main reason for the lack of adoption, he said, is that “end user experience sucks.” According to Tippett, there is nothing to help businesses make using PKI easy.

The third main reason for PKI’s failure, he said, is the tremendous legal liability attached.
If an organisation is found to have done something wrong, it can be sued into oblivion, he said.

Another key reason, he said, is a chicken-and-egg problem: there are not enough applications that use PKI to make a business case for adopting it and rolling out the infrastructure to support it, while the lack of adoption and infrastructure in turn inhibits the development of applications that use it.

As an example, Tippett cited the Belgian smart card ID, where although there are 12 million holders of the cards, less than 20% use the card to access online services, and most of those use it only for the government-sponsored online tax application.