Baltimore's death spells gloom for PKI
Published: 28 Nov 2003 13:45 GMT
The meeting of Baltimore Technologies' shareholders on Friday signals more than just the demise of a European software powerhouse, with a valuation at the height of the dot-com boom of £7bn, to a shell whose only assets are £25m in cash. It also embodies the general failure of PKI technology to match the hype that it generated over the past few years, say analysts.
At the extraordinary general meeting in Dublin, shareholders are expected to approve the sale of Baltimore's Public Key Infrastructure (PKI) technology to US-based beTrusted, the company formed by PricewaterhouseCoopers. The meeting is seen by many as merely a formality to dispose of Blatimore's one remaining software asset, in the shape of its core security software business: the UniCert PKI software.
Baltimore may have made many mistakes over the past years, but it has also been a victim of the almost complete failure of PKI technology to take off. A public key infrastructure is a framework that provides security services to an organisation using public-key cryptography. These services are managed using certificates which are issued from a central certificate authority.
"The promise of PKI hasn't happened," said Ovum principal analyst Graham Titterington. "And I don't think it will. It is expensive and costly to implement. Businesses have felt it is just not worth the expense. The whole thing turned out to be pie in the sky -- that's why Baltimore collapsed and why others have had lean times. Entrust, Verisign and RSA have had tough times too, but they had greater revenues and other revenue streams so they have survived and Baltimore hasn't because it failed to diversify."
Part of the problem with PKI in a public environment, said Titterington, is one of trust. "Who do you trust to issue the certificates? Even if the organisation issuing the certificates is trusted, what process have they been through before issuing each one? How do you know how much diligence they have been through?"
In March 2001, VeriSign, which acts as a certificate authority, issued two digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The mistake led Microsoft to release a software update for all Windows releases dating back to 1995.
"It is conceivable that government-issued certificates could still happen," said Titterington, "but the jury is still out on that." Indeed, Spain and Belgium have taken a lead in this area, with the governments there issuing digital certificates to citizens, but even governments face the problem of making sure that when they authenticate a person, they know with absolute certainty that that person is who they say they are.
"You have to go to great lengths to verify who is applying for a certificate," said Titterington. "Also, if anyone can issue forged certificate in any way then the whole operation becomes debased. If 1 percent of certificates were forgeries and 99 percent genuine, the trust of that 99 percent of certificates would drop through the floor."
Previous
Did you find this article useful?
131 out of 238 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
