Home arrow Security arrow Page 6 - PKI: Looking at the Risks

Legislation compliance - Security

Public key infrastructure (PKI) is an excellent technology to help users certify that the people or companies they are corresponding with are who they say they are. It has proven itself invaluable in e-commerce among other areas. As with any technology, however, it is not without its own security risks. Eliana Stavrou discusses these risks, and ways to minimize them.

  1. PKI: Looking at the Risks
  2. Trust establishment
  3. Private key protection
  4. CRL availability
  5. Key generation
  6. Legislation compliance
By: Eliana Stavrou
Rating: starstarstarstarstar / 9
January 24, 2005

print this article



Every country that either operates a national PKI system or has third-party organizations operating their own PKI system should have in place an appropriate legal framework to recognize the operation of the PKI and the usage of digital certificates and digital signatures. 

Earlier, I talked about the non-repudiation requirement. It is crucial for every business and every individual to be assured that, when they engage in a transaction using digital certificates and/or signatures, the participants cannot later on deny their actions.

However, in order for the non-repudiation requirement to take effect and protect the holders of a digital certificate, appropriate legislation must exist; otherwise, if someone denies an action that was actually performed, the person or company on the other end of the transaction may have no rights or recourse.  

For example, the European Union created a set of guidelines, called EU Directives, that cover the area of Public Key Infrastructure. The directives associated with the concept of PKI are:

  • EU Electronic Signatures Directive

  • EU Data Protection Directive 

In my country (Argentina), the government signed the law for protection of personal information in 1987, but until recently there was no legal act concerning the usage of digital certificates and signatures. The lack of a legal act was a big drawback in using PKI technology, since most people felt that they could not trust it without the appropriate legal recognition. Fortunately, the government recently harmonized the law with EUís E-Signature Directive, anticipating to the spread of the PKI in the government and private sector.

How to minimize the risk: This risk depends entirely on the government of each country. The government has a responsibility to update its legislation framework. However, it is a good idea to investigate the situation in your country and find out whether you are covered by the law when using PKI technology. At least you will know where you stand if you choose to use PKI without the appropriate legislation.  


Public Key Infrastructure is a favorite technology despite the risks that may stem from its usage. As with any other technology, it is up to us to minimize the risks and threats associated with this technology, and maximize the benefit of what it has to offer. Knowing these risks in advance, we could better prepare and prevent possible problems that may arise by using such technology. Nevertheless, I think that all of us have to recognize the significance of PKI technology at an individual, business and national level. 

>>> More Security Articles          >>> More By Eliana Stavrou

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- Whatís behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: