Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society

It has been conventional wisdom that, for e-commerce to fulfil its potential, each party to a transaction must be confident about the identity of the others. Digital signature technology, based on public key cryptography, has been claimed as the appropriate means of achieving this aim. Digital signatures do little, however, unless a substantial ’public key infrastructure’ (PKI) is in place to provide a basis for believing that the signature means something of significance to the relying party. Conventional PKI, built around ISO standard X.509, has been, and will continue to be, a substantial failure. This paper examines that form of PKI architecture, and concludes that the reason for its failure is its very poor fit to the real needs of cyberspace participants. Its key deficiencies are its inherently hierarchical and authoritarian nature, its unreasonable presumptions about the security of private keys, a range of other technical and implementation defects, confusions about what it is that a certificate actually provides assurance about, and its inherent privacy-invasiveness. Alternatives to conventional PKI are identified.