Since when is PKI scalable?

Niel Bester | 05 October 2017

When we at Entersekt tell people that our solution uses X.509 certificates on a mobile phone, they often reply cynically, “But PKI doesn’t scale!?” How, then, are we able to make that claim?

There are two main reasons why public-key infrastructure (PKI) has failed to scale effectively for consumer applications. Firstly, the registration authority of the CA (certificate authority) often has stringent identity verification obligations that must be met before a user certificate can be issued. These rigorous requirements for issuance are designed to satisfy the level of trust that relying parties will place in the certificate further along the line. However, since enrolment occurs right at the beginning of the relationship between customer and organization, there is no secure environment for communications available yet. This is why onerous procedures like physical presence are required, but these procedures tend to frustrate and alienate customers.

Secondly, validating certificates for revocation at scale has proven to be difficult. PKI requires that either certificate revocation lists (CRLs – files listing all previously revoked certificates) be published to all relying parties, or that a computationally intensive Online Certificate Status Protocol (OCSP) be implemented to validate the certificates. Since neither of these alternatives looks particularly appealing, validation has also been an obstacle to deploying PKI at scale.

A WHOLE NEW WORLD

Entersekt has opted to do things differently. As per our patented emCert methodology, we issue a unique certificate to each new mobile application instance – not a traditional named certificate to the user. This unique certificate is then linked to a named identity by one organization, which establishes that link through a risk-appropriate enrolment process. The user’s identity cannot be inferred from the certificate, except by that organization – which can also leverage this ability to lessen the burden on the user to continually identify themselves. As a result, certificate revocation is in most circumstances not even necessary, since whenever trust in a certificate is jeopardized, the organization can simply break its link to the named identity, rendering the certificate unusable.

We issue an emCert to the mobile device prior to any proof of identity by the user. The upshot of this is that we can use X.509 infrastructure to implement an ID&V (identity and verification) process that satisfies both confidentiality and integrity requirements – something traditional PKI cannot do, because there, certificates are only issued after the ID&V process is completed. Our way of leveraging PKI enables a more convenient and secure enrolment process, which means more customers, faster.
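The link-and-unlink model described above, as an added Go example that is not Entersekt's code: the demo CA, the `Issue`/`IssueInstanceCert`/`Authenticate` functions and the `IdentityLinks` table are hypothetical stand-ins, and the per-instance ID is a constructed random value. The certificate carries only that ID, the organisation alone maps its fingerprint to a named identity, and deleting that mapping is all the "revocation" needed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IdentityLinks is the organisation-side table: certificate fingerprint -> named identity (hypothetical).
type IdentityLinks map[string]string
// Fingerprint is the hex SHA-256 of the certificate's DER encoding, the key used in IdentityLinks.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// Issue generates a fresh P-256 key and a certificate for it signed by parent (self-signed when parent is nil).
func Issue(cn string, serial *big.Int, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, BasicConstraintsValid: true,
		IsCA: ku&x509.KeyUsageCertSign != 0, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root for the demonstration
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueInstanceCert issues the emCert-style certificate: its subject is only a random per-instance ID, so nothing about the user can be read from it, and no proof of identity is needed to issue it.
func IssueInstanceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand.Read is guaranteed not to fail since Go 1.24; the ID is per app instance, never derived from the user
	return Issue(fmt.Sprintf("%x", id), new(big.Int).SetBytes(id), x509.KeyUsageDigitalSignature, ca, caKey)
}
// Authenticate accepts a presented certificate only if the CA signed it, it is unexpired, and the organisation still links it to a named identity.
func Authenticate(c, ca *x509.Certificate, links IdentityLinks) (string, bool) {
	if c.CheckSignatureFrom(ca) != nil || time.Now().After(c.NotAfter) {
		return "", false
	}
	user, ok := links[Fingerprint(c)]
	return user, ok
}
```

Enrolment is `links[Fingerprint(cert)] = "alice"` once the organisation has verified the user over the channel the certificate already secures; `delete(links, Fingerprint(cert))` makes the certificate unusable without any CRL or OCSP lookup.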

About the author

Niel Bester

SVP products

An engineer by training, Niel has decades of experience in most facets of software development within the telecommunications and IT industries. He is passionate about product and organizational strategy and, in a company bursting with ideas, it’s his job to flesh them out and feed them into our products roadmap.