Reports of PKI death, greatly exaggerated
A 1991 college computer networking class almost stymied my vocational momentum. The professor, a genuinely keen and knowledgeable fellow, spent much time on the most important family of network protocols that we aspiring careerists would ever need to know: OSI (Open Systems Interconnect – the “seven layer chocolate cake”). One day, we briefly touched on an inelegant and accidental legacy protocol called TCP/IP. TCP/IP was practically dead. OSI was destined to eclipse and then replace it in the very near future. The experts had agreed: TCP/IP was insufficiently chocolaty.
By 1993, TCP/IP was clearly gripped in death throes. Over the next 10 years it grew by about 13,000%. Along the way, people figured out how to implement the more useful and attractive OSI concepts on top of TCP/IP. There are several other ways to measure the growth of the Internet, but the general consensus is that an upward trend is clearly visible. Meanwhile, OSI became a steakhouse.
A couple of years later, as TCP/IP’s health continued its precipitous non-deterioration, another technology conflict loomed large. The world’s microprocessor manufacturers had chosen sides in the great RISC vs. CISC architecture war. Apple and Motorola (new, small, simple, cheap RISC) had taken on Intel (traditional, big, complex, expensive CISC). IBM had a toe in both bathtubs. Billions of dollars and the future of life as we know it were at stake. One of these technologies would die; the other would rule the chip world. Analyst reports were written. Bar bets were made. I considered buying stock.
Do you remember who won? Most people don’t - it wasn’t much of a bang. Basically, both sides took good ideas from the other and successive generations of chips blurred the distinction until RISC/CISC wasn’t an interesting way for CPU engineers to talk about chip design anymore. Sometime later, the experts stopped talking as well.
The modern-day moral equivalent is digital certificates and Public Key Infrastructure (PKI). Over the past few years, fortunes have been made and lost (mostly lost) in the PKI markets and experts are sharply divided about the health of the industry. On the one hand, many of the hardest problems associated with PKI are being cleanly solved by persistent and/or innovative vendors. On the other hand, historically common failures have left many IT organizations with a bad taste in their mouths and user adoption continues to lag. Once, PKI was hyped as an almost magical solution to almost every IT problem. Then reality set in.
The good news is that the PKI debate is quickly fading away as customers stop focusing on technology and start focusing on specific applications. When Verisign’s certificate infrastructure went down for a day last month due to an unexpected validation problem, many people suddenly realized how surprisingly common digital certificates had become. Numerous web browsers, Java applications, antivirus packages, VPNs and document systems slowed to a crawl or stopped working entirely. The problem was resolved fairly quickly, but any illusions that digital certificates were exotic or uncommon were quickly dispelled. As strong security and authentication become increasingly important over the next few years, more and more applications will quietly incorporate digital certificates and PKI concepts into their core functionality. Combined with the best ideas of more traditional security approaches and large-scale programs that are currently issuing millions of certificates to individual users (like the U.S. military’s Common Access Card), these applications will deliver significant security and convenience improvements to many everyday computing tasks. The days of buying specific security technologies (like PKI or symmetric keys or passwords or secure tokens) are mostly over. The days of buying secure applications are here today. Let’s put this debate behind us and start building real solutions for real security requirements. Or, um, wait for me to do it first.
I also hear that there may be a decisive winner in the Push/Pull content wars sometime soon. Call your broker!
February 16, 2004
and then I was killed by a grue!
Posted by: rogue | Mar 19, 2004 9:03:34 AM
Putting on my best Alec Guinness countenance, "Now that's a name I haven't heard in a long time."
Posted by: Phil Libin | Mar 19, 2004 12:47:03 PM