What is the logistic weakness of PGP and PKI systems?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Before I answer this question, let's review some definitions so that we're clear about what weaknesses we're looking at. PKI, or public key infrastructure, is a framework for services that provide for the generation, distribution, control and accounting of public key certificates. This public key system ensures secure user authentication, network traffic encryption, data integrity and non-repudiation. PGP meanwhile is an application actually derived from the IETF open standard OpenPGP. Like PKI systems, OpenPGP uses both public-key cryptography and symmetric key cryptography, but the program differs in how it vets and binds public keys to user identities. Unlike PKI arrangements, OpenPGP is based on a web of trust rather than certificate authorities (CA). OpenPGP allows users to choose who they trust, whereas users in a PKI system defer to a trusted CA. Commercial CAs, however, need to ensure that their own certificate is incorporated into the major browsers and messaging applications in order to provide this chain of trust. Finally the definition of logistics is the activity of supplying or providing something, and in the case of OpenPGP and PKI, this would be considered the efficient management, distribution and validation of a public key contained within a user's certificate.
So what are the weaknesses of these two systems in terms of managing, distributing and validating digital certificates? Well, while PKI can identify Web servers and allow transactions over SSL, it lacks large-scale acceptance because the cost and registration process involved with "supplying and providing" client-side certificates is burdensome. Additionally, the management and revocation of certificates requires a highly complicated structure, not to mention scalability brings additional costs of computer resources and help desk support. On the other hand, PGP has flourished for many years without the need to establish a centralized CA because OpenPGP makes use of the concept of trusted introducers, allowing anyone to sign anyone else's public key. This decentralized approach removes the cost of CAs from the delivery process, but still requires key servers to act as public repositories so that everyone can reference users' public keys.
Most modern applications well-manage X.509 digital certificates used by PKI systems, even when it comes to the less experienced user. Non-interoperability is becoming less of a problem, too. There are plug-ins implementing PGP functionality for the more popular email applications, such as Microsoft Outlook, but a plug-in is always susceptible to implementation errors.
Although neither PKI nor OpenPGP are perfect, (neither arrangement has economically solved the problem of user certificate mobility and security, for example), the programs provide defense to original Internet protocols that don't have built-in security. They also ensure secure data and message sharing. When it comes to sensitive data, not using either is always going to be a risk.
Dig Deeper on PKI and Digital Certificates
Related Q&A from Michael Cobb
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.