2nd Annual PKI Research Workshop
Ken Klingenstein opened with the observation that trust models are where all the hard questions in PKI end up. Klingenstein is working on providing security for virtual communities by leveraging both hierarchies and federations. He described a federation as a group of organizations that agree to use common transport protocols to exchange attributes, and to abide by a common set of rules in doing so. The organizational complexities involved in building federations can be significant. Both Klingenstein and Rich Guida gave examples from the healthcare community; Guida noted that right now trust in this community is almost entirely tacit, but that is changing because of the Health Insurance Portability and Accountability Act (HIPAA).
Guida advised the group that when you think about the trust model for a federation, you should think first about the existing real-world trust model among the organizations concerned; where such relationships are murky or not well established today, trying to create a federated trust model will not work either. Also on the theme of building on existing relationships, Guida noted that the question of liability comes up a lot. He discounted worries that building a PKI is "opening a Pandora's box of liability exposure", arguing that if you already have liability covered in contracts or agreements with your partners, customers, or vendors, all PKI adds is a new way of identifying people, allowing them to make electronic signatures and encrypt data.
Klingenstein concluded the session by presenting five major issues that federations need to resolve: multiple federations, relying party controls, weak SSL cert-issuing processes, conservation of trust, and management of privacy. Guida suggested that the relying party should be able to decide which trust credentials to accept and under what conditions. He noted that "How much are we exposing ourselves when we expose ourselves to transitive trust determination?" is a question that gets asked a lot in the corporate sector; fortunately, PKI provides many mechanisms for dealing intelligently with transitive trust involving certificates. Klingenstein observed that this would be a move away from the credit card model; a merchant cannot decide not to accept a valid credit card. Alma Whitten noted that Batya Friedman has hard data to confirm that SSL insecurity is just as bad as you think. Whitten also noted a study in which many users, when asked about their security concerns, worried that someone would find out where they live and physically attack them; many others cited spam as a security failure.