Public key infrastructure (PKI) is an excellent technology to help users certify that the people or companies they are corresponding with are who they say they are. It has proven itself invaluable in e-commerce among other areas. As with any technology, however, it is not without its own security risks. Eliana Stavrou discusses these risks, and ways to minimize them.
Every country that either operates a national PKI system or has third-party organizations operating their own PKI system should have in place an appropriate legal framework to recognize the operation of the PKI and the usage of digital certificates and digital signatures.
Earlier, I talked about the non-repudiation requirement. It is crucial for every business and every individual to be assured that, when they engage in a transaction using digital certificates and/or signatures, the participants cannot later on deny their actions.
However, in order for the non-repudiation requirement to take effect and protect the holders of a digital certificate, appropriate legislation must exist; otherwise, if someone denies an action that was actually performed, the person or company on the other end of the transaction may have no rights or recourse.
For example, the European Union created a set of guidelines, called EU Directives, that cover the area of Public Key Infrastructure. The directives associated with the concept of PKI are:
EU Electronic Signatures Directive
EU Data Protection Directive
In my country (Argentina), the government signed the law for protection of personal information in 1987, but until recently there was no legal act concerning the usage of digital certificates and signatures. The lack of a legal act was a big drawback in using PKI technology, since most people felt that they could not trust it without the appropriate legal recognition. Fortunately, the government recently harmonized the law with EUís E-Signature Directive, anticipating to the spread of the PKI in the government and private sector.
How to minimize the risk: This risk depends entirely on the government of each country. The government has a responsibility to update its legislation framework. However, it is a good idea to investigate the situation in your country and find out whether you are covered by the law when using PKI technology. At least you will know where you stand if you choose to use PKI without the appropriate legislation.
Public Key Infrastructure is a favorite technology despite the risks that may stem from its usage. As with any other technology, it is up to us to minimize the risks and threats associated with this technology, and maximize the benefit of what it has to offer. Knowing these risks in advance, we could better prepare and prevent possible problems that may arise by using such technology. Nevertheless, I think that all of us have to recognize the significance of PKI technology at an individual, business and national level.