pem-dev

Use of PEM increasing?

1994-02-02 15:30:00
I have been a little pessimistic, perhaps even glum, regarding the
rate at which PEM seems to be being adopted. Because of my
concern, I called Jim Bidzos, President of RSA, to seek his
view and see whether there was anything that could be done.

I was quite pleased to learn that he is quite bullish about
what is going on. However, it appears that the people who 
are actually planning significant corporate use of PEM and/or
other systems such as Apple's AOCE are not yet in a position to
publish their plans or proclaim their success so far.

Without naming names, Jim talked about one corporation that is planning
to use digital signatures for almost all of their correspondence, both
internal and with their distributors. Other firms with a very large number of
users are in the process of coming on board. Major software suppliers are 
apparently in the process of developing commercial quality implementations 
of this technology over the next 1 to 3 years.

Even making a certain grain-of-salt allowance for Jim's understandable
enthusiasm for his own products, it would appear that more progress is 
being made than might meet the eye. I am certainly very glad to hear that.

Jim made an interesting observation, though. He said that most of these 
efforts are being brought about from a grass roots, bottom-up type of
development, rather than from any particular corporate mandate being
established.

In retrospect, then, perhaps I made a rather serious tactical error by
going to GTE's corporate lawyers to get their blessing, PRIOR to having
established a sufficient business case or ground-swell of user support.

As a result, all sorts of issues involving corporate names, intellectual
property rights, etc., etc., surfaced as part of this rather theoretical 
discussion, and from the lawyers' perspective it was all downside risk
and little if any substantiated reward to offset that risk.

I will say that the discussion helped educate me about a number of
issues that never would have crossed my mind, and from the standpoint of
advancing the cause of a public key infrastructure I am glad we did
what we did. From the standpoint of getting a system up and running,
however, the frontal assault was probably not the best approach, for
now we have a higher hurdle to overcome.

I am certainly NOT advising anyone to bypass or ignore their legal folks, 
for in the long run it will probably be necessary and the education process 
may be prolonged. But I am suggesting that a gradual introduction of 
digital signatures using test keys and certificates may be beneficial, while
at least helping to limit the amount of liability. "Islands" of CAs that
are not connected to any PCA may also help, or the creation of
internal use only PCAs.

I didn't think to ask Jim this, but I suspect that many of these users
are AOCE users, rather than PEM. And one of the significant differences
between PKCS and PEM is that PKCS doesn't have any reference to
a PCA, nor to a PCA's policy.

Without jumping to any conclusions, maybe we should think about this.
Is our insistence on a PCA policy (which inevitably has to be reviewed
by the lawyers when a CA agreement is signed) working to our 
detriment, at least in the short run? Likewise, is our insistence on name
subordination doing more harm than good?

Would there be any benefit in creating something like a Persona PCA
for corporate users, so as to support basic attribution and privacy at 
the personal level, but without all of the deep-pockets liability concerns
that name subordination tends to at least imply?

Bob
