About Authenticity

1.It omits the vital component.

By definition PKI cannot exist without private keys.But its name and specifications do not include them.
This is truly odd.
One of the twelve components of the Quiet Enjoyment infrastructuire is its Private Key Infrastructure.

2. PKI terminology can be bizarre.

pki experts have gotten used to saying things like "the user signs the file with his certicate..."
now the poor newcomer who has heard that PKI is good stuff and is trying to understand how it works is left scratching her head...

The term "certificate" refers to both a signed public key and to a certicate plus its corresponding private key.

Suppose you were being introduced to fruit science.

you:What is this?
Fruit scientist: It's an apple.
You:Tell me more about this thing called an apple.
Fruit scientist: An apple is an apple plus an orange.
Fruit scientist:So what do you think of fruit science so far?
You:i think I'm outta here.

Remember being introduced in middle school to a useful type of number called an "imaginary number"?
if you could get your beautiful mind around that then"a certificate is a certificate plus its private key"should present no problems for you.

For the rest of us a certificate ,whether digital or on paper, is an assertion that is signed by an authority, and the pen that signs the certificate is not part of the certificate.
In QEI the thing that signs the certicate is called a PEN (of all things).
The fact that this needed to be clarified says a lot about why PKI has been slow to gain traction. Of all the gobbledygook in information technology, this managing of the term "certificate" is among the worst!

*personal Endorsment Number, if you must know

3 .PKI has developed a reputation for being brilliant but too complex for practical deployment.

Now wait.Every time you go to a secure web page, you know,with the little lock icon and address that starts with ,you are using PKI.
You don't need to understand exponentiation in modular arithmetiv to do your online babking.This undeployability stuff is nonsense.

The good news is that your browser and email prohgram and other software are set up to use PKI.
THE Not so good news .The QEI community is stepping forward to guide you through the gotchas,particularly when it comes to establishing and using your own identity certificate.We dont't care how obtuse your software is,we'll get you signing and encrypting.

We tear our hair out so you dint't have to...


But there's another reason why PKKI has gained this
undeserved reoutation for complexity.

PKI is not particularly complex.

It's just bigger than technology.

PKI has always the province of technologists.To a technologist, the important Certification Authority component of PKI is a piece of technology.

But if your're to do something more complex than build a tunnel between two computers whose owners have a business relationshio with each other than real public authority is called for. The Certification Authority is, first and foremost, a facility where duly constituted public authority is applied to document and procedures. It's much like the vital records department in city hall.
Technology experts consider PKI to be complex because this central element-the establishment and management of duly constituted public authority is outside their expertise.

4. Reliable identities of user, necessary for effective PKI, have been scarce

After spending milliions of dollars on network security, corporations still have major security problems.
Meanwhile, your ATM card allows your bank to dispence cash with confidence from a machine on a city sidewalk.

The technology used by your ATM card is more ancient than the floppy disk.
so why are bank ATM networks generally secure, while corporate information networks, in spite of continous investment in the latest security technology, are barely able to keep ahead of intruders?
The difference is not about technology. The difference is about assumptions and architecture.

Your bank's ATM network starts with the premise that knowing who you are is the foundation of security.
If a trusted ci-worker asked you to share your ATM card and associated PIN, what would you say? Of course, they would never ask in the first place. If that co-worker asked you for your network password, what would you say? In many companies, collaborative work gets done by sharing access credentials, in spite of rules against it.
Identity is the foundation of Security. QEI makes information resources secure -- and manageable:
1.throught establishment of measurably reliable identities and
2.by bydesigning and building online spaces upon a foundation ofreliable identity, ATM, and Indoor standards and practices.
Bank ATM cards and networks have i fact developed some technology-based provkems lately. Click here to learn how PKI is solving those problems in some countries.

QEI includes detailed procedures for enrolling individuals either face-to-face or online. The resulting credential is accompained by a record showing its reliability-without disclosing any personal information.
The credential takes the form of a digital identity certificate, which is very much like the site certificates that secure sites whose address starts with https://. The certificate may be kept in the uesr's computer or, preferably, in a smart card, USB token, phone, watch, ring, or other device that is separatge from the computer.
Most importantly, the credential is designed to be used to establish identity anywhere, including places where it gives access to the user's money, reputation, relationships and other assets. For the employer, healthcare provider, bank or other relying party, that means it will be well protected by its owner.

5. Attempts at reliable PKI identity have not adequately protected users' privacy.

Once you've created an identity credential that you can use anywhere, how do you keep nosy organizations from tracking everything you've done with it?
Some say we're already lost that battle, that everything we do is tracked by a few powerful organizations, that in fact personal privacy is gone forever.
Indeed, universal identity done wrong is a threat to personal privacy.
But there is very important other side of that coin:

Done right, universal identity is fortress of personal Privacy, reversing the erosion of privacy we've seen in recent years.
QEI actually accomplishes that elusive goal, long sought by privacy activitsts, of putting people in real control of the disclosure and use of information about themselves.
We invite you to thoroughly examine QEI's personal Information Ownership Infrastructure component to see what we mean.

6.PKI has conveyed authenticity without requiring a legitimate source of authenticity.

How do you convey authenticity without first establishing authenticity?
PKI has been the domain of technologists. If we regard PKI as a set if excelent construction materials (Which it is) then those woo created it are like materials scientists.
Putting wekk-egineered materials to work requires architects and building insoectors and others whose professional licenses are issued by public authority and whose actual identity is attested by a vital records department, an agency withy duly constituted public authority.
QEI ensures that the word "authority" in the Certification Authority component of every PKI actually means something.

7. PKI deployments have tried to replace signatures of people with signatures of objects. That does not work.

It's true objects are much easier and less costly to manage than people. You tell an object what to do, it does it.
But PKI is an authenticity conveyance infrastructure. It's an accountability infrastructure.
Exatly how to you make an object accountable in any meaningful way?

8. PKI, when done right, works to well.

Our computers, operating systems, and application software have been designed to let their akers help themselves to information about you, your habits, your purchases.. your life.
QEI puts information about you under your control. Nosy organizations can no longer help themselves to whatever they want to knpw about you. That doesn't make them happy. despite their proclamations about how much they care about your privacy.

QEI also calls for digital signatures everywhere, while keeping personal information about the signer private. That yields accountability while maintaining privacy -- and some organizations seem to be threatened by accountability. And so those organizations will tend to lose the ability to snoop, while being held accountable for their actions. No wonder they've been slow to embrace PKI.
Some information technology departments have their own reasons for avoiding PKI...

Organizations avoid PKI because it calls for new assumptions.

Imagine telling your receptionist, "Please determine the intentions of everyone who enters the building, and also determine whether they are good or bad people."
If you think that's an unreasonable request, and if you know how a building works, then you are better prepared to judge information security approaches than are the information security experts.
The current practice of information security is mostly about determining the intentions and character of the sender of a stream of bits.
Problem: in most cases that is impossible.

When it is possible, it's because the intruder lacks skills or funding. In other words, information security products tend to deter the least threatening attacks. That renders many information security efforts ineffective or even useless. They treat your information facilities as a commando outpost, rather than the online office facilities that they really are.

PKI, if done right, offers something better...

If you apply reliable identities, building codes, professional accountability and architecture to PKI, you can build a very secure and effective online office building where you can keep your confidential information and have your meeting in quiet confidence.
these
*are very old concepts, information technologists are not used to relying upon concepts form the 19th century.
*involve things that are way outside of what information technologists are used to judging and managing
*imply a complete departure form the examine-the-bit-streams approach to security. Complete departures can be seen as risky to careers.
The application of some very old concepts to PKI can make it solve big problems. If you're a stockholder in a with an information technology department, you may want to show this message to the CEO.