53 Years of Public Key Infrastructure and It's Still Broken?

:::info Authors:

(1) Adrian-Tudor Dumitrescu, Delft University of Technology, Delft, The Netherlands (A.T.Dumitrescu@student.tudelft.nl);

(2) Johan Pouwelse (thesis supervisor), Delft University of Technology, Delft, The Netherlands (J.A.Pouwelse@tudelft.nl).

:::

Table of Links

Abstract and I Introduction

II. PKI Problems and Risks

III. Evolution of PKI

IV. National Digital Identity Implementations

V. Conclusion and References

\ Abstract—The Public Key Infrastructure existed in critical infrastructure systems since the expansion of the World Wide Web, but to this day its limitations have not been completely solved. With the rise of government-driven digital identity in Europe, it is more important than ever to understand how PKI can be an efficient frame for eID and to learn from mistakes encountered by other countries in such critical systems. This survey aims to analyze the literature on the problems and risks that PKI exhibits, establish a brief timeline of its evolution in the last decades and study how it was implemented in digital identity projects.

I. INTRODUCTION

Digital identity is a rapidly growing field, driven by the increasing need for secure and trustworthy online transactions, prompting even governments to take action towards the future of the population. This transition reflects the profound impact of technology on how individuals perceive and manage their identities in an increasingly interconnected and online world. While the adoption of digital identity has yielded mixed outcomes, it bears the potential to endow individuals with social and economic empowerment, with the capacity to unlock economic value estimated to range between 3 and 13 percent of GDP by the year 2030 [65].

\ Digital ID systems, despite being promoted for development purposes, pose serious human rights risks and often suffer from implementation failures. These risks are acknowledged even by proponents of such systems. Unfortunately, there is a lack of comprehensive evidence and monitoring of their human rights impacts. Activists, journalists, and researchers have played a crucial role in documenting these impacts, particularly in cases like Aadhaar in India. The evidence gathered so far reveals that digital ID systems can result in various urgent human rights issues, including violations of the right to nationality, restrictions on access to healthcare, food, and social security, and a range of other concerns [58].

\ Public key exchange cryptography, a pivotal technological advancement articulated even more than 40 years ago [24], underpins the security of public networks, enabling global communication and commerce. To establish trust and identity in digital communication, public keys, and implicitly private keys, must be associated with specific identities. This necessity led to the development of Public Key Infrastructures (PKI), which facilitate the issuance and storage of digital certificates. These certificates verify that a public key corresponds to a particular entity. PKI offers a secure foundation for digital communication by providing authentication, encryption, and digital signatures through the management of cryptographic keys and certificates. It ensures the integrity of data, facilitates non-repudiation, and establishes trust in online transactions. Certificate authorities (CAs), trusted third parties, publish these certificates, connecting public keys to users via a private key. Public key cryptography has played a crucial role in establishing online identity, from traditional PKI and CAs to experiments like PGP’s web of trust, and more recently, the blockchain ecosystem [17] that needs to authenticate the nodes of the networks and use different PKI approaches such as Multi-Layered Approach, Instant Karma PKI or Guardtime Approach [50]. However, this relationship has its disadvantages in such that the shortcomings PKI brings can affect future digital ID infrastructures.

\ The interest of the European Union regarding the usage of digital ID has increased in recent periods, incorporating this vision in the EU developments and since 2021 drafting recommendations towards ”a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework” [22]. As Europe advances toward seamless digital verification, caution must be taken not to create a surveillance state and a centralized ’digital identity’ as it has the potential to erroneously label legitimate users as ’bad actors’. Accumulating sensitive digital information raises security concerns, and misidentification risks hindering legitimate users. Digital verification, like secure blockchain, offers advantages over paper documentation, reducing forgery and theft risks. To succeed, these digital systems must comply with the GDPR and align with the European Commission’s 2020 data strategy, promoting secure and universally usable digital identities within common European data spaces as also stated by William Echikson in ”Europe’s Digital Identification Opportunity” [26]. However, these risks and potential problems ought not to stop the evolution of digital identity that is currently occurring in the world. With the recent pandemic and migration crisis Europe is confronting, adopting a unified electronic identification can help with a potential reduction in customer onboarding costs of 90% [65]. In the end, rather than dividing nations, citizens can prove their identity and ”share electronic documents from their European Digital Identity wallets. They will be able to access online services with their national digital identification, which will be recognized throughout Europe” [37].

\ This survey attempts to explore and reason the problems the PKI systems had and still exhibit after a long time from its introduction, alongside a brief history of evolution in view, ending with electronic ID implementations and failures from different countries. In section II we discuss the big problems of PKI and what risk it presents in incorporating it in different domains. Next, in section III, we attempt to define a timeline of possible infrastructure alternatives that try to solve in part the PKI shortcomings presented and present different views of the architecture. In section IV, we discuss how different countries in the world tried to implement digital identity and sometimes failed. PKI history starts with research report No. 3006 which presented the possibility of secure non-secret encryption. This report was written in Jan 1970 and classified as secret within the CESG British government laboratory [27]. Our survey shows the surprising difficulty of PKI realisation at scale. The European Commission is currently aiming for the largest PKI attempt in history as part of their digital decade (C165 billion in funding [2]). Historical evidence going back 53 years indicates the EU should proceed with caution.

\

:::info This paper is available on arxiv under CC BY 4.0 DEED license.

:::

\