Proving Your Identity—Smart Cards and the Sad State of the Art
I am in the process of updating my vCard to the new 4.0 standard, and decided it was time to once again obtain a digital certificate that I could use to sign and/or encrypt e-mail messages with. And since I have a laptop with a Smart Card reader, I figure it would be great to leverage it for more secure logins, file encryption, and a few other things. The only digital certificate that can do all those things is the ITU’s X.509 public key infrastructure (PKI) standard, which dates from 1988.
There are many reasons why the average person, not just this geek’s geek, would want to do this:
- Sign important documents digitally, without having to FAX them (first patented in 1848, with the modern standard first published by the ITU in 1988, coincidentally)
- Encrypt sensitive work-related e-mail
- Make secure payments on-line and in-person, avoiding the inherent insecurity of a standard credit card
- Provide a more reliable method for logging in to web sites (so that we mere mortals with imperfect memories don’t have to choose between insecure and hard-to-remember passwords)
But there is no off-the-shelf way for me to easily and quickly obtain and use such a certificate. Oh, I can do it, and will do it, but doing so will mean navigating an unpleasant labyrinth without a decent map.
So why, nearly a quarter-century after this standard was first published, is PKI so hard and confusing to use a decade into the 21st century? There is no one answer, but there are several whose confluence shows us a path forward.
1. Because it’s really, really, really hard.
2. The standard was developed by computer engineers and mathematicians who don’t think like the rest of us.
3. It was developed far before the modern age of design thinking and research that has taught us how to design technology that is easier to use.
4. Because Steve Jobs didn’t seem to care about it.
Number 1 is an understatement, to say the least. Reading the above Wikipedia article will give you just a taste of the problems, and the topic of my next post. The most fundamental difficulty lies in defining what an individual is in a way that a computer can understand, but that another individual cannot duplicate.
Number 2 is best exemplified by this quote from the Wikipedia article on X.509:
“The X.509 specification suffers from being over-functional and underspecified and the normative information is spread across many documents from different standardization bodies.”
Solving number 3 may or may not be possible with X.509. I’ll explore this issue in a future post.
I present number 4 with my tongue only partly in my cheek. So many of the best-designed things have been created or led by one person with a strong passion and vision for creating elegant things. In this case, not one of the major technology companies, nor any individual public figure in technology, has made it their mission to create a scheme that is both secure and easy enough to be used by the average person.