A recent roundtable discussion at the Infosecurity show in London underlined how far the concept of digital identity has come, and how much the original concept of a public key infrastructure (PKI) is becoming outmoded.
PKI is still relevant, but only as a supporting technology. No one in their right mind should sell one by that name, nor should any user think of buying "simply a PKI", without thinking what e-business applications it should support.
A string of companies have tried - unsuccessfully - to flog the concept, only for users to complain that it's expensive and difficult to do.
Companies are not any less aware of security and what digital certificates can do. But they don't want to fork out millions for a technology they don't understand - especially when they hear of users who have "bought a PKI" but who have yet to find a proper application with which to use it.
The roundtable hosted by E-Business Review, Computer Weekly's sister title, was discussing the idea of "digital identities" to securely identify employees. It emerged that two users - Lloyds TSB and BT Ignite - are already some way down the track towards using smartcards to deliver business services.
According to Eric Tocatlian of the French firm Activ Card, chips embedded in plastic cards are the next generation of the PC. It's no longer "the network is the computer" but "you are the network and the computer, because you have the card in your hand".
Tocatlian likens using smartcards for digital identity - for example, logging on to remote locations - to using a bank automated teller machine card, and says it is just as secure.
Lloyds TSB's embrace of digital identity for a smartcard-based - and thus PKI-enabled - banking service is intended to give its business customers confidence in the larger sums that they would be committing online.
According to Dave Callington from Lloyds TSB, which is working with Activ Card, Schlumberger and Entrust, the challenge is to get businesses to understand it fully and help them to adopt something new.
It is a similar story at BT Ignite, which is investigating secure access with the generation of digital certificates stored on a smartcard. It has learned from piloting a digital ID system for employees and business customers that customer and employee-level issues are very important.
Users will always forget passwords or lose their card, no matter what identity system is put in place. Now, it believes it has the right system: users can choose their password, which is kept for the life of the card. If the card is lost, both the password and the database are revoked.
Steve Brown of BT Ignite says the trial has already shown cost and maintenance savings, with the number of enquiries and problems starting to fall away.
Even those that would have sold you "simply a PKI" before would hesitate now. Ian Walker of Entrust Technologies told the roundtable, "The age of PKI is dead. It's not about PKI, but the solution and the system. What's important is how it solves problems."
Many users have been put off by its complications. Even interoperability, which has become a buzzword whenever PKI is mentioned, can be over-egged.
Alan Liddle, of the security consultancy Trustis, one of the few companies which have consistently insisted that without applications, the PKI market has little future, suggests that "interoperability over-concerns people. The technology is now at a point where it can manage just about everything the business requires."
So, as we go into a global economic downturn, I wonder how many users are going to commit to spending money on a system they don't understand, for digital certificates they may never use.
And how long will it be before some of those grander, over-arching PKI-based security schemes that were conceived a few years ago really start to deliver?