Jon Udell: PKI and SSL: house of cards?

Jon's Radio : Jon Udell's Radio Blog

Updated: 8/6/2002; 12:30:49 AM.

Note: Jon's Radio has moved to InfoWorld

Tuesday, May 14, 2002

PKI and SSL: house of cards?

Richard Forno, chief security officer for ShadowLogic, takes a dim view of the PKI industry. "Digital trust is a slick marketing tool put out by the PKI industry. DoD wants smartcards with certs by 2004. What's the value of that? I don't know. They don't know."

After contributing to an article on these issues, he thought more about the implications of the MS/VeriSign cert compromise:

On March 22, 2001, Microsoft issued a Security Bulletin (MS01-017) alerting the Internet community that two digital certificates were issued in Microsoft's name by VeriSign (the largest Digital Certificate company) to an individual -- an impostor -- not associated with Microsoft. Instantaneously, VeriSign (a self-proclaimed "Internet Trust Company") and the entire concept of Public Key Infrastructure (PKI) and digital certificates -- an industry and service based on implicit trust -- became the focus of an incident seriously undermining its level of trustworthiness. This incident also challenges the overall value of digital certificates.

Forno agrees with Schneier: If you don't address processes and people, you have no security. For example, a notary only verifies the signature on a document, not its contents. So the real-world trust invested by them is unreliable. Garbage in, garbage out. You don't need to be a cyberterrorist to take advantage of this. You can be a Nigerian scam artist.

Why, he asks, don't certs work like credit cards? Why don't they expire (in a timely fashion)? Passports and drivers licenses expire in a few years. Root certs expire in 2025, 2028, 2037. (True. I just checked my MS root certificate: expires 2020.)

Why, he asks, would you trust a 5-year-old dot-com with your identity, rather than a brick-and-mortar financial institution like CitiBank? Most people, he says, would rather trust the latter. The Digital Identity weblog made this same point recently.

Forno recommends: Ellison and Schneier's Ten Risks of PKI.

Well, it's all true. PKI and SSL do not add up to an e-commerce silver bullet. There isn't one. Every day, credit card numbers shielded by high-grade security land in web-exposed flat files that Google can find. As Bruce Schneier likes to say, it's the liability limit on Visa cards and not SSL that props up e-commerce.

Will this chicken-and-egg situation ever resolve? I guess I'll keep on signing my emails anyway.

8:15:12 PM

Broad-spectrum natural language processing

Microsoft's Rick Rashid is talking about broad-spectrum natural language processing. In terms of voice recognition, Asian languages have crossed the threshold where voice beats typing as a mode of input. Not yet true for English yet, he admits.

But there's more natural-languages smarts in Office than we might suspect, Rashid says. Inside the office grammar checker, there's deep parsing of text. This information is extractable, Rashid says. You can ask the DLL to give you a parse tree, and can look at deep structure: subject, object. I'd like to see that!

Next there's the issue of data-mining large bodies of text. Rashid demos the AskMSR system. It knows when Abe Lincoln was born (adjusting for wrong answers on some web pages). It knows that the answer to everything is 42.
4:24:34 PM

Arrived at ETCON. Brand new Linksys WiFi card. Endured razzing from Doc Searls and Dan Gillmor in the pressroom ("our Macs don't care about the SSID"). The card immediately updated its own firmware, which seemed cool until I noticed that the version numbers on the Old Firmware were higher than the version numbers on the New Firmware.

Now all we need is wireless power. Too bad they all made fun of Tesla.
6:40:04 PM