2.5Conclusions
Our research and deployment has revealed a great deal about the state of PKI today:
-
The learning curve for starting a PKI is steep, but should not be prohibitive for HEIs armed with the PKI lab’s documentation.
-
Software and hardware and application support for PKI is mixed but getting better. Glitches, user interface issues, and oversights abound in end-user applications.
-
The security of end-user applications is lacking in many cases, especially in feature rich applications.
-
Users are moderately aware of security issues and good secure computing practices, but we clearly have a lot of user education to conduct to get them computing safely with PKI.
Learning Curve
The learning curve for planning a PKI is steep. The vendor information available is typically a very high level overview or detailed product manuals. Practical information about the many interacting decisions one needs to make in designing and deploying a PKI is hard to find. There are so many options that it is often difficult to find the information in the detailed product documentation. We think that the “setting up a CA” information we generated will be very useful to others. We have been somewhat surprised at the number of issues we have found in presumably stable products. Almost everything we have tried has opened up new areas that need work, but we have been able to work around the issues to produce a stable CA environment. Most of the issues are not big problems once one is aware of them and how to get around them.
Commercial CA products are sufficiently complex to install and operate that specialized knowledge is required and few people have this experience yet. CA products that make use of complex databases compound this problem. Also many of the products were expensive, though the asking prices maybe moderating in the face of low sales. Product quality varies widely and it’s best not to assume components are compatible. Information about compatibility is scarce and often not useful for long because the products are changing rapidly.
Using the SunONE product was an easy way to start learning about a Certificate Authority product. Sun’s license allows free use of the product for development. Fees are required for production use. Recently Sun extended the free use provision for research work.
The PKI Lab team has learned much about the current state of PKI software and hardware (secure coprocessors, USB PKI key dongles, drivers, etc.). Many products exist although most are only available for Microsoft operating systems. Trying to find solutions that work on multiple platforms has complicated our efforts significantly. Some of the products with the most features are often the hardest to use in a secure fashion. Secure configurations are often not the default. Some existing products have serious security. For a technology that has been available for such a long time, PKI is still surprisingly immature.
PKI is as much about Policy as Technology. The policy issues, especially between organizations, are only partially understood. Defining the policy of the local PKI can be one of the most difficult aspects of getting started with the technology. It is easy to be awed by the use of cryptography and get carried away with trying to make replacement applications more secure than their non-electronic predecessors. On the other hand, if the replacements are not more secure than non-electronic (or pre-PKI versions), then what’s the point?
End-User Applications
While the availability of PKI support in applications is expanding, it is not yet universal. In some cases one has to switch applications in order to use the PKI infrastructure. This is a difficult and time-consuming barrier. This problem is especially acute for secure mail, where the application has much greater value when it is available to the widest possible universe of users. User application setup of PKI features can be complex. The meaning or interactions of the many options and preferences is often not obvious and the error messages are often confusing or misleading as well. An excellent example of this is the use and manipulation of keys and certificates in various browser key stores. Microsoft Internet Explorer and Outlook share the same key store yet provide different user interfaces for accessing them with major overlap in some cases such as key import and export. These same applications often provide obscure error messages. Sometimes it is not even obvious to most users where the error originated.
Most PKI features are relatively new, and older versions of desktop applications in some cases just do not work. To take maximum advantage of PKI technology, users must maintain and upgrade their desktop software. However compatibility testing is a problem that requires significant ongoing effort. Security features and problem fixes are complex. New releases of software sometimes break features that were previously working and tested.
Debugging applications using encryption is especially complicated. The data streams visible in normal debugging tools are functionally opaque because of the encryption. Additional tools need to be incorporated into the software development environment. The open source development libraries are often not documented, examples are scarce and it takes a lot of effort to learn how they work.
Access to Web resources is a good starting application. While it does not utilize many of PKI’s capabilities, it is a common need and the security demands are not high. We think this will be a good way to get people to start using PKI and then be enabled for other applications like document signing and secure mail. Dartmouth is somewhat unusual in having deployed the Kerberos/Sidecar-infrastructure which we hope to replace with PKI. Providing digital document signatures in support of online workflow improvements seems to be a compelling next application. Secure mail will likely be heavily used eventually, but it will need to be more widely available before it will be used regularly and brings in the added complication of encryption and its accompanying need for more careful and comprehensive key and certificate management (including greater user awareness of the intricacies of key management).
Security of Applications
We have found (not surprisingly) that PKI is only as secure as the applications which implement it. For example, a Microsoft Word document or a spreadsheet can be properly and securely signed and encrypted with PKI yet refer to dynamic content which appears on the screen and printer differently at different times. SSL authentication provides no value if users are not able to determine exactly what web content has been authenticated. Web spoofing can fool many users, but we have found and prototyped possible user interface features to address this threat. Key stores are still too easy to break.
We are working to understand how much “PKI knowledge” will be needed by the general population in order to make use of the PKI applications that have been developed. Without a driving application, it is harder to get users’ attention (although coupons for free Ben and Jerry’s ice cream have proven effective at getting surveys filled out) . Most users are aware of the need for security and some of the security features already available to them, but fewer actually use these security features on a regular basis or even at all. For example, most are aware of the purpose of
secure connections in browsers, but few check the “secure” indicator regularly, and some never check it. It seems safe to conclude that it will take time and education to get users to the point where secure computing practices using PKI are second nature to them. We will use our educational activities to generate demand for PKI by making users more knowledgeable about the technology and its applications. We will also help education end users in the use of the applications which we disseminate.
PKI Viability
Despite its many issues with complexity,
applications support, new processes and policies required, and lack of user knowledge, PKI is technically sound for its intended purposes and making steady progress in all areas. All our findings indicate that PKI can indeed solve the problems it is intended to address. PKI is a diamond in the rough with many rough edges that need polishing. With some refinement it will make an outstanding basis for far more secure computing in the future.