Computer Standards & Interfaces 25 (2003) 437 446

www.elsevier.com/locate/csi

Public key infrastructure: a micro and macro analysis

Sean Lancaster a,1, David C. Yen a,*, Shi-Ming Huang b,2
b

a
Department of DSC and MIS, Miami University, 309 Upham, Oxford, OH 45056, USA
Department of Information Management, National Chung Cheng University, Ming Hsiung, Chia-Yi, Taiwan, ROC

Received 25 March 2003; received in revised form 25 March 2003; accepted 30 March 2003

Abstract
The Internet has increasingly been used for communication between people. Most users have no problem relaying messages,
which do not contain confidential information, over a network. Yet, for it to be accepted as a medium of conducting monetary
transactions there will need to be a higher degree of confidence in the technologys reliability and security. No one will agree to
send his or her financial information over the Internet if there is any doubt in the security of that medium. Likewise, companies
involved in E-commerce must have a means to verify the customers using the Internet to order goods and services. Public Key
Infrastructure, PKI, attempts to provide the answer to the reliability question, as a method of digital security. PKI provides the
ability to verify the sender and the recipient of electronic messages, protecting against E-commerce fraud, corporate espionage,
and the theft of intellectual property.
D 2003 Elsevier Science B.V. All rights reserved.
Keywords: Cryptography; Digital security; Digital signatures; E-commerce; Electronic security; Encryption; Internet privacy; Public Key
Infrastructure, PKI

1. Introduction
As technology increasingly plays a key role in
how people communicate and do business, the
authentication and the verification of that information
becomes an important issue to consider. The Internet
is used to store, inform, communicate, and transact
data on an everyday basis. The security of that data
is essential to most companies and individuals.

* Corresponding author. Tel.: +1-513-529-4826; fax: +1-513529-9689.

E-mail addresses: lancassp@muohio.edu (S. Lancaster),
yendc@muohio.edu (D.C. Yen), smhuang@mis.ccu.edu.tw
(S.-M. Huang).
1
Tel.: +1-513-529-4826; fax: +1-513-529-9689.
2
Tel.: +886-5-272-1500; fax: +886-5-272-1501.

Corporate espionage, E-commerce fraud, and the

theft of intellectual property have given rise to digital
security. PKI is seen as the answer to electronic
security, ensuring the authenticity of the communicators identities, and protecting the privacy of the
information. Many predict that the growth of public
key cryptography will allow E-commerce to flourish
providing the necessary security blanket to waylay
consumers fears of online fraud.
The Internet population has risen from 144 million
in 1998 to 327 million in 2000. Still, this figure is
predicted to jump to 1 billion users by the year 2005
[22]. Additionally, online retail sales were nearly $3
billion in 2000, and expected to jump to over $8
billion in 2005. In order for this growth to occur, users
must be totally convinced in the reliability, security,
and authenticity of transacting online [22].

0920-5489/03/$ - see front matter D 2003 Elsevier Science B.V. All rights reserved.
doi:10.1016/S0920-5489(03)00043-6

438

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

The following paper will examine public key infrastructure starting with an overview of PKI. The overview will define what PKI is and also discuss the
components, characteristics, and functions of public
key infrastructure. The paper then will examine the
internal factors affecting PKI. A third section will
look at the current developments of public key infrastructure; looking at its organizational, commercial,
global affects, and a case study of a Public Key
solution provider. The paper will then discuss the
future implications of PKI, detailing the obstacles to
its adoption as well as the legal implications that it
offers.

2. PKI: an overview
For a means of communication to be accepted, it
must offer the reliability of traditional methods,
such as sending a letter or making a phone call.
Likewise, in order for that new technology to be
accepted as a method of conducting business transactions, it must also be as reliable as traditional
means of purchasing: cash, check, or credit card.
There is no question that new technology and the
Internet can speed the delivery of information and

online transactions. Yet, without the proper confidence in the medium, those advantages are lost.
Digital signatures, cryptography, and other forms of
electronic security strive to prove the reliability of
technology. Public key infrastructure is perceived
by many to do just that, provide reliability and
privacy to commerce and communication over the
Internet.
2.1. PKI: definitions
There are numerous characteristics that make PKI
unique. Listed in Table 1 are a number of characteristics, as defined by both the public and private sector.
Public Key Infrastructure is more than just a new
technology; it is a method of electronic security. PKI
makes it possible to verify the identity of the sending
and receiving parties involved in electronic communication [8]. The security method involves providing a
number of keys to Internet users. One set of keys is
made public while the respective individuals hold the
other set of keys privately. The public and private
keys are mathematically related and therefore offer
digital security. The keys are matched together, messages made with one can be read using the other. PKI
surpasses previous methods of electronic security by

Table 1
Characteristics of PKI
Year

Author

Characteristics

2000

National institute
of standards
and technology

(1) The information sender and recipient both will be identified uniquely so the parties
know where the information is coming from and where it is going (identification
and authentication);
(2) the transmitted information was not altered deliberately or inadvertently (data integrity);
(3) there is a way to establish that the senders identity is inextricably bound to the
information (technical non-repudiation); and
(4) The information will be protected from unauthorized access (confidentiality or privacy).
This functionality is included for completeness since public key technology and a Public
Key Infrastructure provide it; however, confidentiality and privacy concerns are not covered
in detail in this guidance.
Signer authenticationthe signature attributes the message to the signer
Message authenticationthe signature identifies the with far greater certainty than paper
signatures, verification reveals any tampering
Affirmative actusing the signature performs the ceremonial function of alerting the
signer to the fact that the signer is consummating a transaction with legal consequences
Efficiencyprocess of creating and verifying provide a high level of assurance without
adding greatly to the resources required for processing
Provide an electronic means of verifying someones identityused in conjunction with
encryption, digital ids provide a more complete security solution, assuring the identity
of all parties involved in the transaction
from www.verisign.com/repository/brwidint.html

American bar
association

2001

VeriSign

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

guaranteeing the authenticity of the information and

the validity of the senders identity.
When sending an electronic message, both the
sending and receiving parties will use their keys.
The sending party will compose their electronic
message, which when sent will be encrypted using
the senders private key. The encryption will make
the message impossible to read unless the senders
public key is used to decode it [10]. By encrypting
the message with the senders private key, their
digital signature or identity is assigned to the
message. Once the message has been encrypted with
the private key, it cannot be decrypted if changed.
Thus, PKI will secure the messages content. Additionally, when the message is encrypted, the private
key also includes the senders identity, to be
revealed through decryption using the senders public key.
2.2. PKI: components
PKI is a method of digital security. Therefore, in
order for it to be successful it must be utilized as
part of an electronic security plan. Once a plan is
in place, the responsible individuals will recognize
what needs to be protected and why PKI should be
used. The security plan also establishes the guidelines and protocols needed to establish a reliable
network security system. As with any significant
project, the implementation of that project must be
the job of the entire organization, not just certain
segments or individuals.
Additionally, public key infrastructure is comprised of hardware, software, data transport mechanisms, and smart card applications [17]. The above
components are needed to first verify the individuals identity. The individual will then receive a
digital certificate containing their public key. The
public key is available for anyone to use. The
private key is only made available to the individual
registered with the certificate authority. The user
may encrypt a message using the private key, while
the public key can be used to decrypt that message.
PKI, at its very essence, is designed to validate and
authenticate messages delivered over a network.
In addition to the parties that have subscribed to
and are using PKI, the components necessary for
an effective PKI environment are: a certification

439

authority, a registration authority, a directory, a

certificate policy, and a certification practice statement.
A certification authority (CA) is the third party
responsible for validating the identity of a user and
then issuing a digital certificate. Once issued, the
digital certificate offers identifiable information for
the holder, such as name of holder, name of CA, the
holders public key, and the CAs digital signature
ensuring the accuracy of the information [5].
The registration authority (RA) is a third party that
validates the identity of those applying for a digital
certificate. The RA will then confirm the users request
for a digital certificate. Unlike the CA, the RA does not
issue the digital certificate.
A PKI directory contains information regarding the
CAs digital certificates. Each certificate issued by a
CA is assigned an identification number. Those numbers are stored in a directory. Directories also contain
information on any digital certificates that have been
canceled or revoked.
A certificate policy (CP) contains the rules and
protocol for the use of a digital certificate. CPs usually
contain information regarding specific purposes. For
instance, a CP might contain the necessary information
detailing the use of digital signatures within an EDI
environment.
A certification practice statement (CPS) contains the
rules specific to each CA. CPSs contain information on
issuing, canceling, revoking, and renewing digital
certificates with that CA. PKI exists to provide a level
of assurance when communicating; the CPS states the
procedures that must be followed to meet that level of
assurance [5]. The security measure is only as strong as
its policies. Simply implementing a PKI environment
will not assure secure communication. The policies
must be detailed and must be followed.
2.3. PKI: functions
PKI exists to provide security to electronic messages. Furthermore, the infrastructure allows for the
assurance of verification of the identity of the sending
and receiving parties. The security measure will go a
long way in protecting users against E-commerce
fraud, the theft of intellectual property, and corporate
espionage. PKI also exists as an effort to make transacting online legally binding. Until online messages are

440

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

protected, and no longer viewed as easily compromised, they have little chance to be adopted by mainstream society.
The amount of Internet usage has dramatically
increased, as has the number of Internet transactions.
As a result, online regulations and standards are
needed. Subjects for these regulations include personal privacy, information security, business interoperability, and contract legality [4].
PKI has valuable potential in the e-commerce,
finance, legal, governmental, and nearly any other
field where secure information is sent electronically.
In addition, PKIs characteristics make it a possible
answer for many of the security and privacy concerns of wireless communications.
2.4. PKI: history and evolution
As the computer and the Internet have increasingly become ingrained into everyday life, network
security has played a larger role. The first security
measures primarily focused on the network itself, as
companies installed firewalls and gateways on their
networks in order to keep track of the traffic entering
and leaving the system.
Other security measures looked to assure that an
electronic message sent would get to the desired
location. Many Internet transactions, especially those
involving sums of money or confidential information, have relied upon the Secure Socket Layer
(SSL). The SSL secures the connection between
the Internet users browser and the server. The
Secure Socket Layer protects the information as it
is being sent across the Internet and provides assurance that the information is going to the correct
server [18]. However, SSL does not authenticate the
sender or the recipient of the information.
Dual key cryptography [8] was introduced in an
attempt to provide further protection. The two keys,
one to encrypt and the other to decrypt information,
allowed individuals to guard their information. Much
like PKI, one key was held privately, while the other
was made public. However, unlike public key infrastructure, there was no way to authenticate the holders
of the keys; there was no means to assign a digital
identity. Table 2 reviews the evolution of network
security and the rise of PKI. It must be noted that these
security applications look to protect different areas of

Table 2
Evolution of network security
ERA

Type

Function

Early

Protect network from outside traffic

Mid

Firewalls,
gateways
SSL

Mid

Encryption

Late

Dual key
cryptography
PKI

Current

Secures connection between the

browser and the server
Encapsulate messages in a
protective layer
Public and private keys used with
encryption to secure data
Protect data with encryption and
also authenticate and verify
identities of sender and recipient

communication and may be used in conjunction with

each other.
Still, the technology of PKI is not new, having
been around for over 10 years. The usage and acceptance, however, has taken considerable time in adoption. There have been numerous predictions and
forecasts claiming each year to be the year of Public
Key Infrastructure. While there have been a number of
companies adopting some sort of PKI protection
system, many organizations and most individuals still
do not.

3. PKI: strengths and weaknesses

PKI has proven to be very extensive in its definition and in its framework. Many of the benefits of
using PKI have already been mentioned, verification
of sender and recipient, securely transferring data
online, providing legal basis to conduct Internet transactions, and providing authenticity to web communication. Private Key Infrastructure offers additional
benefits as well. Users of PKI can expect to save time
conduction online communication and transactions.
They no longer have to spend time verifying and
authenticating the various parties. Associated with the
timesavings is a reduction of costs, whether it is labor,
with a reduction in man-hours, or more tangible. PKI
also offers its adopters an additional service; it is a
marketable value-added offering to any customer base
[13].
PKI also has some disadvantages in its implementation as well. At the current time, it is extremely
costly for an organization to add to its security

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

procedures. The cost does fluctuate with the desired

level of trust associated with the security measure, the
greater the security the more expensive the price tag.
Not only must the company utilize the needed software, but it must also adopt a certificate authority as
well. Both the company and the users must rely on the
certificate authority, in order to have a secure environment from which to operate. The certificate authority
is vital to the integrity of PKI. In addition, holders of
the digital identities must maintain the privacy of
those IDs. There can be no true trust in the verification
of parties if the information is not kept confidential
among users [13]. Another issue affecting the adoption of PKI is the lack of agreed upon standards for
the parties involved. Currently, PKI providers and
their products do not have to recognize each other,
creating a major dilemma for potential customers
questioning whose service to use [11].
Another weakness in PKI adoption is the subsequent need to create a PKI policy. The policy must
address the technical, administrative, legal, and
human issues around adoption of PKI. The policy
must address the responsibility and the liability
accompanying a Private Key Infrastructure [7]. The
importance of this policy cannot be understated. The
level of communication and foresight needed for this
policy to be successful as part of the security application is difficult, but possible, to attain.
A last weakness for the security measure is the
scarcity of adoption of PKI by organizations and
individuals. Despite the belief that PKI would be a
vital part of e-commerce and online communication,
its adoption rate has been much slower than expected.

441

the user would already have to conduct a transaction

over a network. The actual Public Key system is
generated using the browser of the client computer.
Most browsers have the built-in capability to generate
the public and private pairs of keys. The actual
encryption software must be installed on the users
hardware. Typically, the digital certificates are contained in the browser and are verified through the
certificate authoritys system.
4.2. System
While PKI is a great advancement in regards to
digital security, it must be planned and used in the
context of the organizations security policy. Therefore, it must not be a system simply left to the
Information Technology staff and personnel but must
be known and encouraged by all management, especially at the top. The organization must also have
patience with the development of the system. A PKI is
estimated at taking up to a year and a half to implement: 3 months to test the infrastructure, 3 months for
piloting, and 6 to 12 months to cover the entire
organization. Following this time period, the system
will still need external accreditation in order to be
fully reliable [12].
A PKI policy must be created, implemented, and
shared throughout the organization and among its
trading partners. In order for the necessary trust to
be created, agreed upon procedures must be in place.
Each party must understand their responsibilities,
obligations, and liabilities [7]. Again, this policy must
not simply be assigned to an employee in the IT
department, but worked on by members throughout
the company.

4. PKI: a micro-analysis
4.3. Involved parties
In order to understand Public Key Infrastructure, it
is important to look at the internal factors that come
into play. These factors include the hardware and
software, the system needed to properly implement a
digital security system, the involved parties to PKI
adoption, and related technologies.
4.1. Hardware/software
In order to successfully implement a PKI system
very little hardware is needed, other than that which

Parties involved in a PKI environment include the

company adopting the security measure, the certificate
authority, and the holders of digital identities. The
certificate authority acts as the hub between a company and its trading partners. It allows digital identities to be accurately given out to the trading partners,
and at the same time providing the secure trading
environment desired by the company [4].
It must also be stated that in order to implement a
PKI environment, a change in mindset and a change

442

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

in operating procedures must take place. In this light,

the adoption of PKI in a company will affect nearly
everyone employed by or conducting business with
that company. More specifically, the proper instruction and notice must be given to all who are in contact
with the companys network, or who plan to utilize the
benefits of PKI. This category goes far beyond
employees and trading partners, but also includes
the Internet Service Provider and IT consultants as
well.
4.4. Related technologies
A company must look at the existing technology
already employed when implementing PKI. For
instance, Private Key Infrastructure insinuates a network environment. What is the architecture of the
network? Who has access? What is the available
bandwidth? As mentioned previously, PKI works as
an individual level of security. In order to protect a
network, additional security measures must be taken.
How will PKI work with firewalls in place? How will
the application work with existing servers, databases,
etc.? All of these questions must be answered in order
for a PKI adoption to be successful [13].

can be found with the United States Postal Service

program NetPost.Certified. The service uses Public
Key Infrastructure for government-to-government and
government-to-consumer transactions [17]. Customers can have their identity verified at the Post Offices
38,000 stations and in return have their digital certificate issued.
The United States Government has also encouraged its branches and departments to use PKI. The
Federal Public Key Infrastructure Steering Committee
(FPKISC) has been put into place to ease the creation
of broader governmental usage of PKI [21]. The
Government Paperwork Elimination Act of 1998 put
in place a guideline of October 21, 2003 for government agencies to begin using electronic government
services. PKI is seen as necessary, although not
required by the law, to create and protect a secure
network environment [4]. The steering committee also
believes that the future of government lays in Egovernment. Many foreign nations, particularly the
European Union, have already put themselves on
track to govern electronically, and the United States
would like to be among the leaders in this area. In
fact, if enough of the international community uses Egovernment, it will become the de facto standard.
Nations will be forced to adopt electronic measures in
order to function as part of that community.

5. PKI: a macro-analysis
5.2. Commercial
Also important in understanding a Public Key
Infrastructure is looking at the external factors that
have been affected by the system and which have also
played a role in the systems adoption. The macroanalysis will conclude with a case study of VeriSign, a
leader in PKI. While the security system is certainly
not in a mature stage, some industries seem to have a
greater curiosity than others do at this present time.
5.1. Organizational
E-commerce is not the only industry with a need
for online privacy. Governmental agencies, the law
enforcement community, and high level researchers
all have a significant need for the protection of their
data. Indeed, any individual with a need for online
privacy and the protection of confidential information
will have a need for Public Key Infrastructure. One
example of how PKI has been used by organizations

PKI is seen as critical for businesses looking to

establish themselves in E-commerce. The digital
security system will provide protection to transactions
over the Internet by authenticating individuals with
digital certificates. Consumers need to feel secure in
their transaction method in order to consume online.
Yet, companies need to trust the electronic transactions as well. Clearly, when the two parties are faceto-face, signing a contract or simply shaking hands,
there is an established bond between buyer and seller.
The transaction is agreed upon and understood. For
online commerce to be adopted as method of conducting those transactions, a similar relationship must
be established [12].
An example of a business use of PKI would be a
customer buying an item from a companys Website.
In the past, SSL would have been used to protect the
data transaction from point to point or from browser to

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

server. Yet, the business would not be able to verify

the customer conducting the transaction. PKI would
allow the business to authenticate that customer
through the use that individuals digital identification.
At the same time, PKI would allow the consumer the
comfort that their financial data was secure.
Among the industries that are most common in
adopting PKI are the financial sector and the medical
industry. Financial companies, including brokerage
houses and banks, are leading the way at the present
time [19]. The security application is needed for the
protection of confidential financial data. Hospitals and
doctors are also beginning to use PKI as a means to
secure patient data and to meet regulations.
Another area of interest is the wireless industry.
Security and privacy are considered among the greatest weaknesses with wireless communication. Confidentiality, authenticity, and non-repudiation are all
issues at the forefront of the wireless community [16].
While a Public Key Infrastructure strives to make
conducting transactions online as safe and secure as in
the brick and mortar world, wireless service providers,
and companies offering M-commerce must also strive
to make their services equally safe.
With more people relying on electronic devices to
communicate and eventually conduct transactions, the
reliance upon a handwritten signature will slowly
disappear. Digital signatures will be required to
legally transact and communicate in confidence electronically. PKI provides the necessary security, verification, and authentication needed for this type of
environment.
5.3. Global
While the United States was initially regarded as
being at the forefront of Public Key Infrastructure, the
gap is narrowing with the rest of the world as
countries see the impact that online security may
have. Proof of the global interest in PKI can be found
in the numerous countries with legislation in regards
to digital security. Most Western countries have some
sort of legislation passed in an effort to provide digital
signatures with legal backing. Other areas of the
world have also been active in the area of digital
security. Singapores Electronic Transaction Act,
which recognizes the validity of a digital signature,
was passed in 1998 [15]. While there are other

443

methods of digital security, PKI has in fact become

the standard most likely to be legislated [6].
Internet activity has increased throughout the
world. In fact, it is believed that one in three Internet
users in Singapore now banks online. With 293,500
current Internet customers, it is no wonder that Singapore was ready for legislation involving digital
signatures. Other areas of the world are actively
banking online as well. Sweden leads the way with
54% of its population using the Internet to keep track
of their finances [1].
As mentioned previously, the European Union has
a number of regulations on privacy protection and
practices in network security. Furthermore, Canada
has already selected a single vendor to implement a
government wide private key infrastructure [4].
Clearly, PKI has become an international development, moving beyond borders and continents.

6. PKI: a case study

VeriSign is a leader in digital IDs, offering various
PKI solutions and acting as a Certificate Authority as
well. The company looks to be the hub in a companys
PKI integration, providing digital certificates to
employees and trading partners, while maintaining a
secure environment for the company.
VeriSign offers an outsourced solution for companies looking to implement a Public Key Infrastructure.
The company maintains the responsibility of issuing
digital certificates while the client typically handles all
other components [14]. VeriSign offers four different
levels of protection, levels 1 4. Class 1 IDs provide an
unambiguous name and e-mail address, intended for
individuals using it to surf the Internet. A Class 2 ID
requires third party verification of the holders name,
address, and other personal information. This level of
ID is available only to residents of the United States and
Canada. Class 2 IDs are intended for individuals who
transact online over a network. Class 3 and 4 IDs are
intended for companies and organizations [23]. The
different levels of protection are intended for the many
different users of the Internet. However, as the level of
protection increases, so does the cost of the product.
Clearly, VeriSign is looking to provide a solution to the
many users conducting online transactions, whether
they are a company or an individual.

444

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

7. PKI: future implications

Many see PKI as providing consumers with the
necessary confidence in conducting business transactions over the Internet. As public key systems are
increasingly adopted and used, E-commerce is
believed to grow. Yet, there are still many questions
regarding Public Key Infrastructure and not everybody is so excited in regards to its possibilities.
7.1. Questions to be answered
The United States has similar legislation to that
passed internationally. The E-Sign Act, which was
passed in the summer of 2000, provides digital
signatures with the same legal standing as those that
are handwritten [19]. At the time, President Clinton
stated under this landmark legislation, online contracts will now have the same legal force as equivalent
paper contracts [1]. Specifically, the act confirms
that consumers that enter into agreements electronically will have the same rights as those that contract
with a written contract. The consumer must consent to
have received the information electronically. The
business must disclose specified information before
they receive that customers consent. Lastly, the act
provides that the consumer must convey through their
consent that they were able to access the information
in the electronic form [3].
The E-Sign Act did apply directly to PKI and
digital signatures. In fact, the legislation put forth
three areas that successful digital certificates were
dependent upon. First, the digital signatures offer
sender authentication. Second, the signature granted
message integrity, defined as confirming the message was received in the original format. Lastly, the
signature must be non-repudiable; the sender must
not be able to deny the signature or the message
[9]. Yet, the act still makes clear that digital
signatures are not acceptable in the following situations: wills, codills and testamentary trusts, adoption, divorce and family law, court orders, notices
of cancellation of utility service, notices of foreclosure or eviction, notices of repossession, notices of
cancellation of health or life insurance, notices of
product recalls and health or safety risks, documents
required to accompany hazardous and dangerous
material.

Another indication to just how important subject

network security and identity verification is can be
found in the American Bar Associations Digital
Signature Guidelines. The guidelines discuss what
makes a contract legal, including the requirements
of a signature. The document also discusses digital
signatures and even public key certificates. The ABA
lists PKI as solving the problems of imposters, message integrity, formal legal requirements, and open
systems [2].
More recently, there has been great debate over the
security risks that encryption techniques may harbor
for law enforcement agencies. The argument primarily
dwells upon to areas. First, is information communicated over the Internet protected from federal and
local government agencies, like the FBI? Secondly,
should encryption methods have a backdoor for these
law enforcement agencies, allowing them access to
data that may be incriminating? The answers to these
questions are still not yet agreed upon, and will
continue to produce great debate.
7.2. Obstacles
The benefits of PKI are great; the privacy and
security it offers over the Internet is unprecedented.
Yet, there are still many obstacles to its acceptance
and its adoption.
The cost of an in house PKI system is substantial
and while an outsourced system is much more reasonably priced, it may not offer the equivalent measure of protection [18]. An example of the cost of an
outsourced PKI system is Entrusts Entrust/PKI 5.0,
which was released and priced in early 2000 at
$25,000 per 10,000 users [20]. Perhaps, companies
are unaware of benefits of PKI, and over time would
consider such prices a bargain for the security of their
confidential information.
Another obstacle to PKI adoption is the time
necessary to implement a system. When faced with
the 1 and 1/2 to 2 years timetable to successfully
implement a Public Key Infrastructure, many companies simply choose to forego the option for something
else. Most companies are looking for the fast solution,
especially in regards to matters of technology. There
are many people who feel that in the time needed for
adoption, a better and more modern solution may be
developed, thus rendering their investment obsolete.

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

Another question in regards to PKI is the way in

which digital certificates are issued and the identity of
their owners verified. Clearly, digital certificates and
their holders must be verified correctly. Even the
slightest slip in security, confidentiality, or identity
would severely hinder the acceptance of the security
method and the companies offering its benefits. Eric
Kossen, head of project management at ABN Amro
Holding, an Amsterdam financial services company
with their own PKI service, states If you operate as a
certificate authority, you take on a certain level of
responsibility for that role [17].
Yet another obstacle to PKI is the debate over
Extensible Markup Language Key Management Specification (XKMS). XKMS would provide common
interfaces to the certificate authorities for companies
that manufacturer the equipment that use them, such as
cell phones, modems, and smart cards [11]. Many
experts feel that the lack of agreed upon standards
has been the largest hindrance in the growth of PKI
usage [15]. While many small groups of companies
have entered into agreements with each other trying to
solve the problem as best as they can, there is no
adaptable standard in place.

8. Conclusions
At present, there is a need for a digital security
system such as PKI. As more data is being stored and
communicated electronically, it has become essential to
protect that data. The greatest impact can be seen in Ecommerce. For online transactions to grow in adoption,
companies and consumers must be comfortable with
the technology and at the same time have confidence
that the transaction information is secure. While it is
easy to see the growing comfort that the global population has with the Internet and its usage, it is also easy
to see the mistrust that much of that same population
has with conducting financial transactions online.
PKI has been highly anticipated over the years and
is still largely awaiting mass acceptance as a means of
digital security. Yet, it has received much interest in
the financial sector, with many banks and brokerages
already implementing Public Key Infrastructures or
looking to unveil their own systems. There has been a
global interest in the security system, seeing countries
from around the world passing legislation providing

445

legal backing to digital signatures. However, the

lengthy time to implement these systems, not to
mention the costs involved, have hindered their
acceptance.
PKI provides the protection needed for transferring
private data over the Internet. Yet, some argue that the
infrastructure offers too high a level of protection,
securing the information from law enforcement agencies and thus providing a convenient means of communication for those with criminal intentions. This
matter has been greatly debated and will continue to
be hotly contested. Additionally, the cost and time to
implement are severe detriments to implementing a
Public Key Infrastructure. Finally, the absence of a
single standard prohibits many manufacturers and
thus their customer base from ever experiencing the
security system. The settlement of these arguments
may lead to the final future of PKI.

References
[1] Anonymous, 1 in 3 Internet Users Banks Online, The Straits
Times, Singapore Press Holdings, Singapore, 2001 September
24, p. 8, Money.
[2] Anonymous, Digital Signature Guidelines, American Bar
Association, Section of Science and Technology, Information Security Committee, http://www.abanet.org/scitech/ec/
isc/dsg-tutorial.html.
[3] Anonymous, Electronic signatures, The Computer and Internet Lawyer, vol. 18, Prentice Hall Law and Business, 2001
September, p. 35, Number 9, Current Developments, Aspen
Publishers, ISSN: SS07421192.
[4] P. Alterman, The U.S. federal PKI and the federal bridge
certification authority, Federal Public Key Infrastructure Steering Committee, 2001 May 7.
[5] M. Benantar, The internet public key infrastructure, IBM Systems Journal 40 (3) (2001) 648.
[6] D. Birch, E-commerce: Sign on the Dot: from today, digital
signatures in the EC are as legally valid as handwritten ones,
The Guardian, Guardian Online, p. 7.
[7] B. Bobbitt, PKI policy pitfalls, Information Security Magazine,
2001 July, http://www.infosecuritymag.com/articles/july01/
features_pki.shtml.
[8] K.P. Bosworth, N. Tedeschi, Public key infrastructuresthe
next generation, BTexact Technology 19 (2001 July) 44 59.
[9] L. Cohen, Click on the dotted line: E-signatures come of age
and make the future of E-commerce a little brighter, New Jersey
Law Journal (2001 August 20) (E-commerce Law, American
Lawyer Media) access via LexisNexis.
[10] P. Dowd, J. McHenry, Network security: its time to take it
seriously, Computer (1998 September) 24 28.
[11] D. Fisher, Standards slow embedded PKI growth, eWeek

446

[12]
[13]

[14]

[15]

[16]

S. Lancaster et al. / Computer Standards & Interfaces 25 (2003) 437446

(2001 July 23) (http://www.eweek.com/article2/0,3959,
117183,00.asp).
D. Gerberick, Developing E-business trust, Security 38 (9)
(2001 September) 37 40.
K. Lyons-Burke, Federal Public Key Infrastructure Steering
Committee, NIST Special Publication 800-25 Federal Agency
Use of Public Key Technology for Digital Signatures and Authentication (2000 October) (http://csrc.nist.gov/publications/
nistpubs/800-25/sp800-25.doc).
I. Machefsky, A Total Economic Impact Analysis of
Two PKI Vendors: Entrust and VeriSign, Giga Information
Group, 1998, http://www.exroads.com/Reference _Tools/
Computer_Networking/Security/VPN/pki_tei_report.pdf.
S.Y. Tan, A question of trust, The Business Times Singapore, Banking & Finance, 2001 May 23, p. SS27, http://
www.pwcglobal.com/extweb/indissue.nsf/DocID/2C088
BEC4A54A13885256A7A001D00D9.
N.T. Trask, S.A. Jaweed, Adapting public key infrastructures to

[17]
[18]
[19]

[20]
[21]
[22]
[23]

the mobile environment, BTexact Technology 19 (2001 July)

76 80.
J. Vijayan, Unlocking secure online commerce, Computerworld 35 (28) (2001 July 9) 48 52.
D. Waugh, The silver bullet for E-commerce security, CMA
Management (2001 July/August) 47 52.
R. Yasin, Online signatures may drive E-business-companies
look for E-sign software to deliver secure transactions and
reduce paperwork, Internetweek (875) (2001 August 27)
18 20.
K. Young, Overcoming PKI obstacles, eWeek (2001 January 4)
(http://www.zdnet.com/).
http://www.cio.gov/fpkisc/documents/index.htm, Website for
the Federal Public Key Infrastructure Steering Committee.
http://www.iconocast.com, Website offering various Internet
statistics.
http://www.verisign.com, Website for Verisign.