PKI: Only Mostly Dead

R. A. Hettinga rah at
Tue May 28 18:13:21 EDT 2002

CIO Magazine

Only Mostly Dead

By Scott Berinato

RIP PKI. Why a security platform never took off
PKI is dead. Mercifully. PKI arrived as a gimpy pony in the first place,
and by now we are pretty tired of beating a dead horse.

If you think it seems naive to summarily dismiss an entire platform, I
would agree. Writing its obit wasn't my idea. It was a leading PKI vendor's

Before we get to that, let's step back. As complex as Public Key
Infrastructure is, the theory is sound. Crudely, it's customs for Internet
transactions. The "passports" are digital certificates. A trusted third
party, a Certificate Authority, publishes half of that passport as a public
key. You keep the other half, the private key. To make a transaction, match
the private and public keys. When it works, PKI really works.

It's just that it rarely works. "Experts say the promise of PKI is real but
that challenges remain." This was from a news item last week, but it might
as well have been from 1997. The truth is, PKI is terminally promising.
Every year since 1997 has been the "year of PKI." It has been called a
"silver bullet" and a "guarantee" for secure online commerce. In 1997 it
was called "high-tech bug spray" to stop "viral warfare." When that didn't
work, it became the safest way to shop online in 1999. When that didn't
work, it became perfect for the wireless market in 2000. PKI is always just
about to revolutionize electronic transactions somewhere.

It never does. For two reasons.

First, vendors, in typically greedy fashion, refused to create standards,
so that as recently as last week, an engineer was wondering why one
vendor's digital certificates crashed another vendor's e-mail program.
Second, vendors, in typically greedy fashion, skewed the business model for
PKI to generate large chunks of revenue up front, before the systems even
worked, by making CIOs buy stockpiles of digital certificates-something
like a camera company making you buy 1,000 rolls of film before you get a

So while the concept behind PKI was appealing, everything else about it was
shoddy. Vendors approached PKI arrogantly and CIOs approached it
ignorantly. This worked during the bubble years because everyone could
afford their respective approach. PKI was the prototypical Internet boom

Then the boom ended. CIOs' sudden necessity to think before they spent
meant PKI went from a weak blip on radar screens to no blip at all. The
spending crash didn't just humble PKI vendors, it humiliated them. They
reported massive losses and layoffs. They couldn't sell a cup of coffee,
let alone a technology platform that was so complex you needed a glossary
to navigate its arcana.

Entrust is the PKI vendor that suggested PKI has gone flatline, when they
visited us here at CIO. Don't go looking for the PKI TLA (three-letter
acronym) on its Web page. And don't ask about Entrust's PKI products.
Entrust deliberately eliminated the term about a year ago, when the company
was forced to reinvent itself.

Normally, I don't trust vendors when they come here talking about
renaissances, and I'm still not convinced about Entrust's latest reform.
Repositioning usually equals desperation. So I'm staying bearish on PKI, or
whatever the vendors call it now.

Nonetheless Entrust has made some deft choices post-boom. It stopped trying
to land enterprisewide PKI deployments and now focuses on smaller projects
in vertical markets. In other words, the company has foregone huge-revenue
projects with a high chance of failure for modest-revenue projects with a
lower chance of failure.

Even more impressive, Entrust hired Ed Pillman as a senior vice president.
Pillman used to be the CIO of Nortel Networks (the company Entrust was spun
out from). In other words, PKI's target customer. It's clear Entrust's
reinvention has a lot to do with Pillman's telling executives ugly truths
about why he wouldn't touch PKI as a customer. You get the sense Pillman
enjoyed forcing medicine down their throats. To their credit, Entrust
executives accepted it.

And now, Entrust is growing. It has more customers than ever, and last
quarter the company lost 5 cents per share, compared to a loss of 35 cents
per share a year ago.

Which means PKI is still dead, but maybe not quite as dead as before.
Imagine if they had asked a CIO, you know, one of their customers, how to
make PKI work a long time ago.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list