PKI and Information Cards

I recently spoke at an EEMA event in London on the subject of Corporate PKI Certificate Provisioning. I was asked to give an overview of the market. According to a market research report from Frost & Sullivan, the four leading vendors that dominate the PKI market today are VeriSign, Entrust, Verizon Business and GlobalSign. Note that I did not manage to find figures later than 2008, so the subject is clearly going out of favour with the analysts. I made the observation that the subject may not be sexy; however, PKI is by no means a failed project. PKI is getting embedded under the hood in just about every place you can imagine. Examples: mobile phone SIM, IPv6, and SSL certificates protecting Internet traffic.

I also tried to make a forward-looking statement and mentioned Verizon’s involvement in the Information Card Foundation (ICF) and Open Identity Exchange (OIX). As a proxy member on the board of these two leading organisations, I keep hearing about the great strides forward being made with new forms of User Centric Identity Management, like the ones reported at the European Identity Conference (EIC) in Munich. Then, when I sit back and hear Microsoft’s Andrew Driver speak in London about PKI, it’s like being transported back to the nineties, and not a single word about Information Cards. It is sometimes hard to imagine people like Kim Cameron, Tony Nadalin and Mike Jones are from the same company.

In the ICF we have been discussing and navel staring for a long time why Information Cards have not taken the market by storm, when at least PKI created a decent sort of hype curve, even when CTOs and CISOs implementing it lost their shirts in the years before the .com bubble. I personally have blamed the Redmond marketing machine for not putting their weight behind Information Cards. It has to be possible to break this chicken-and-egg deadlock situation we are finding ourselves in. Microsoft never did understand consumer PKI, so it perhaps should not surprise us that they don’t get the significance of their Information Card invention either, just like many PKI die-hards don’t get it. Yet funnily enough I think Information Cards and PKI need each other like plants need water. I am thinking about a kind of PKINIT relationship, where a PKI certificate stored on a secure device, unlocked by a PIN, bootstraps Information Card use cases in business. Someone who has been saying this for years is ICF board member Anders Rundgren. Just check out his resources on

