pkiSpeaking at a conference recently, Henk Tobias, Eema’s chairman and technology manager of the global infrastructure organisation at Unilever, said it was impossible to have full and successful global e-business without addressing the unresolved problems with PKI.

Unilever began to experiment with PKI technology a few years ago when the company put in the infrastructure to allow a number of people in its human resources department to send encrypted attachments. The project was expanded to include financial services, and later moved on to secure messaging, allowing senior managers to encrypt confidential information and send it securely across the public Internet to Unilever’s offices in different countries in Europe.

Based on the success of the in-house project, the company is keen to expand its use of PKI technology to communicate with its huge network of business partners. “We’ve been looking into communicating with some of our main raw materials suppliers and a number of the supermarket chains through PKI. But all your partners must have PKI in place and the different technologies must be able to talk to each other,” Tobias said.

Perhaps one of the most significant stumbling-blocks in the way of the widespread adoption of PKI is the question of compatibility. Some firms are reluctant to implement PKI technology for fear that the software chosen will be incompatible with that of a business partner who may already be committed to another supplier’s product.

A number of industry bodies, including the security arm of the government communications base GCHQ, the Communications Electronics Security Group (CESG) — which earlier this year ran an interoperability trial — and the PKI Forum, a body formed by the major PKI suppliers, are trying to address this and other related issues. More recently, Eema has begun a two-year project, with funding from the European Commission, entitled the PKI Challenge (see box) which seeks to address some of the fundamental problems of interoperability.

Frank Jorissen, vice-chairman of Eema and co-ordinator of the PKI Challenge, said the problem of interoperability had been an issue with every new technology. “You can make two systems work together but it takes a lot of work and you have to do it on an ad hoc basis, time and time again with different suppliers’ technologies and different customers. Working with two companies is relatively simple, but when you’re talking about hundreds, it becomes impossible,” he said.

There are also problems with the differing ways companies implement the various standards, he said. “There are too many ambiguities and too many options. Although two suppliers can claim they both comply with certain standards, companies implement standards in different ways. But even if you do have the same software, that can be implemented in a different way so that when you try and communicate, it simply doesn’t work.”

For Unilever and other companies in the same position, there are few satisfactory options to expand internal PKI projects outside the corporate network. “The willingness to communicate is there on all sides, but in practice it comes to a standstill.

“What we do then is simple: we just go back to EDI (electronic data interchange) again. It’s old and inflexible technology, but it’s reliable,” said Tobias.

There are a number of wider issues that influence businesses wanting to communicate securely over multiple electronic channels, and they stretch far beyond the technological challenges thrown up by PKI. “It’s not just the interoperability of technologies — there’s a raft of legal and political issues that need to be solved to make it work across companies, countries and technologies,” said one executive of a global company, who wished to remain anonymous.

“There are different regulation and registration authorities around the world and more lawyers than you can shake a stick at, and in some countries the government doesn’t allow free choice of certification authority, so we cannot choose one technology that suits our purpose,” he explained. “There’s an awful lot of legal and political checking that needs to take place before we can put an infrastructure in place.”

Moves are being made to address these issues. Last week, the European Certification Authority Forum (Ecaf), an Eema interest group, said it was considering setting up a user forum to debate some of the wider issues thrown up by PKI.

“A lot of companies have expressed an interest in having a group in which they could discuss freely without the technology providers and consultants being involved but any decision to set up a forum must be driven by users,” said John Hermans, chairman of Ecaf, a body largely made up of service providers, technology suppliers and consultants.

Topics to be covered were likely to include defining the business case and selling PKI to senior management, how PKI fits with business or risk management strategies, and how to organise a PKI initiative.

User opinion is being sought and Ecaf is hoping to be able to launch such a group at the next Information Security Solutions Europe (ISSE) conference to be held in September.

Either way, the technological, commercial and political conditions for the widespread adoption of PKI looks some way off, but the increasing industry collaboration to resolve these problems offers some light at the end of the tunnel.

The PKI challenge

A two-year project started in January 2001, the PKI Challenge aims to provide a solution to interoperability between PKI-related products, and to develop specifications and best practice in terms of standards.

Funded by the European Commission and organised by Eema, the project is a consortium bringing together both PKI suppliers, user companies, certification service providers, consultants and academics to define and agree interoperability criteria against which PKI products should be tested.

Participating suppliers will test their products against the relevant criteria at an independent test site and via remote testing with the aim of building an integrated heterogeneous PKI. Physical demonstrations are planned for 2002.

More than 200 organisations across 30 countries have expressed an interest in becoming involved, and 33 suppliers have submitted products for testing.