CFP: PKI research workshop

Ray Dillinger bear at
Wed Dec 26 14:03:31 EST 2001

On Wed, 26 Dec 2001, Carl Ellison wrote:

>	if you look at PKI as a financial mechanism (like credit cards),
>then I see two major problems:
>1.	the PKI vendors aren't financial institutions, so they aren't in a
>position to assume risk and make money from that

Yep.  So far, that's true.  Financial stuff is the only killer app
in sight for a PKI, and the financial services sector is conservative
and heavily regulated.  There is a substantial barrier to entry: just
try to imagine running off a few thousand PKI-backed credit cards and
going into business competing against mastercard/visa/amex.  Vendor
acceptance is slow and the regulatory hurdles are high.

>2.	the current PKI thinking (e.g., with "rebuttable presumption of
>non-repudiation") is anti-consumer, when viewed as a financial
>mechanism, and I can't imagine that succeeding even if the vendors
>were banks.

Oh, I can.  If it's any good, you ought to be able to offer cards
with lower interest rates/fees, and people will go for that. The
whole idea of PKI in financial services after all, is to reduce
the amortized cost of transactions by reducing fraud.  If there's
a significant cost savings, you make more money even if you pass
part of it on to the consumers.

But nobody wants to be the first -- they all want to be able to look
at the business case built by some "bleeding-edge" financial-services
company that adopted and deployed PKI-based infrastructure in some
market and got measurable results, and they all want any and all
kinks in the technology to get worked out by someone else before
they touch it.  In financial services, they want mature technology
that's cheap and reliable to produce and use -- and they will roll
their own in order to make it cheaper instead of paying some "outside"
PKI company.

That's happening now, in fits and starts, with various
products internationally and in various closed markets.  If the
business case is good, the financial services companies will be
starting to pick it up for more mainstream use in a few years.

Odds are, however, that each and every one of them is going to want
their own PKI -- where P stands for Private, or Proprietary, rather
than Public.  A Public Key Infrastructure happens when the chaotic
situation which that brings about gets consolidated and standardized,
so don't look for that for at least a decade.  Basically we have no
chance of getting a Public Key Infrastructure in place right now
because we don't have enough different Private Key Infrastructures
in place for it to have started to hurt yet.  People won't go for
the PKI until they are in some kind of pain that it relieves. And
if financial services businesses are involved, they will do it in
such a way that no PKI vendor ever makes a profit they could possibly
have made themselves.  Look for them to be buying regulations that say
PKI is part of financial services and can only be provided by licensed
financial services corporations sometime in the next few years.

Like I said, don't get too discouraged -- these things happen slowly
and it's very much a matter of stages of development.  People don't
do things until the pain of not doing them gets worse than the pain
of doing them.  Public Key comes about when Private Keys have been
common for several years and their multiplicity causes pain.  That
in itself will take several years after the Private Key structures
are fully adopted. The Private Key structures get adopted several
years after the profit margins, split between consumers, vendors, and
financial institutions, each overcome the pain of changing infrastructure.
That will take several years after the initial offering.  The initial
offerings are happening now in very restricted markets, but don't
look for it to happen in domestic consumer markets until the results
of the restricted-market offerings are several years old and the
technology involved hasn't changed AT ALL for several years. They
are looking for a technology that's been in use long enough to
establish a baseline and get results that look stable and repeatable.
That's when financial services companies will begin to take them
seriously enough to consider that the pain of deploying new
infrastructure may overcome the pain of absorbing losses due to

These are just network effects: PKI will trickle through at the end
as surely as water runs downhill, because it's a better solution.
It's just going to take a decade or two, or maybe four or five
decades if there's a substantial monopoly somewhere in the industry.

