Proving Your Identity—Smart Cards and the Sad State of the Art

I am in the process of updating my vCard to the new 4.0 standard, and decided it was time to once again obtain a digital certificate that I could use to sign and/or encrypt e-mail messages. And since I have a laptop with a Smart Card reader, I figured it would be great to leverage it for more secure logins, file encryption, and a few other things. The only digital certificate that can do all those things is the ITU’s X.509 public key infrastructure (PKI) standard, which dates from 1988.

There are many reasons why the average person, not just this geek’s geek, would want to do this:

  • Sign important documents digitally, without having to FAX them (first patented in 1848, with the modern standard first published by the ITU in 1988, coincidentally)
  • Encrypt sensitive work-related e-mail
  • Make secure payments on-line and in-person, avoiding the inherent insecurity of a standard credit card
  • Provide a more reliable method for logging in to web sites (so that we mere mortals with imperfect memories don’t have to choose between insecure and hard-to-remember passwords)

But there is no off-the-shelf way for me to easily and quickly obtain and use such a certificate. Oh, I can do it, and will do it, but doing so will mean navigating an unpleasant labyrinth without a decent map.

So why, nearly a quarter-century after this standard was first published, is PKI so hard and confusing to use a decade into the 21st century? There is no one answer, but there are several whose confluence shows us a path forward.

  1. Because it’s really, really, really hard.
  2. The standard was developed by computer engineers and mathematicians who don’t think like the rest of us.
  3. It was developed far before the modern age of design thinking and research that has taught us how to design technology that is easier to use.
  4. Because Steve Jobs didn’t seem to care about it.

Number 1 is an understatement, to say the least. Reading the Wikipedia article on X.509 will give you just a taste of the problems, which are the topic of my next post. The most fundamental difficulty lies in defining what an individual is in a way that a computer can understand, but that another individual cannot duplicate.

Number 2 is best exemplified by this quote from the Wikipedia article on X.509:

“The X.509 specification suffers from being over-functional and underspecified and the normative information is spread across many documents from different standardization bodies.”

Solving number 3 may or may not be possible with X.509. I’ll explore this issue in a future post.

I present number 4 with my tongue only partly in my cheek. So many of the best-designed things have been created or led by one person with a strong passion and vision for creating elegant things. In this case, not one of the major technology companies, nor any individual public figure in technology, has made it their mission to create a scheme that is both secure and easy enough to be used by the average person.

Author: Peter Sheerin

Peter Sheerin is best known for the decade he spent as the Technical Editor of CADENCE magazine, where he was the acknowledged expert in Computer-Aided Design hardware and software. He has a long-standing passion for improving usability of software, hardware, and everyday objects that is always interwoven in his articles. Peter is available for freelance technical writing and product reviews, and is exploring career opportunities in interaction design. His pet personal project is exploring the best ways to harmonize visual, tactile, and audible symbols for improving the effectiveness of alerting systems.
