More Crystal Balls… PKI v.2, convergence and the like

30.09.2008 by Sebastian Rohr

One of our jobs as analysts is to provide insight and vision on what and when things are going to change and how it is going to happen. Sometimes though, my fellow analysts are far off with their predictions; sometimes one just underestimates the market pull or some impressive marketing stunt one of the vendors pulls to push the cause. Other times, for example with PKI, the real hype never materializes – but nevertheless the technology silently grows and matures and never really vanishes.

Lately, I was doing some work with Entrust and they were curious to hear that I had been talking to some companies who had actually come up with plans of deploying a PKI in the near future. No kidding! We even saw the complete raze & rebuild of PKIs where Fraunhofer has created a new competence center around PKI and set up a new, TeleSec-signed root CA. Fun thing is, they are even offering 3rd person certificates free of charge! At least to their communication partners – and it is still in the evaluation phase.

Besides, PKI “v2” seems to have become more or less part of the infrastructure, as some smaller companies just decide to go the KISS way and deploy a Microsoft PKI (not that it is easy to create one that works, and works the way you like it to work – thorough planning is recommended!). Fun thing is, I even heard vendors say: “uhhh, if it is only x,000 people and it is just for authentication – do your customer a favour and stick with a ‘simple’ solution”. By ‘simple’ one meant “low on license cost and maintenance”, at least that is what I derived from it.

Anyway, integration and proper use is always key to the success of such a technology, and thus I am pretty sure that if there is a use case and a direct application, any company can benefit from setting up a PKI. Especially in those situations where there are tokens and/or smartcards available as certificate containers that are used as company badges or access tokens for PACs or time & attendance solutions. Hm, … now I do sound like Mr. Self-Fulfilling Prophecy, don't I? Anyway, if I use my crystal ball I definitely see more integration and thus convergence, and PKI with multifunctional smartcards is part of this, as well as the use of SSO and centralized IAM!

Humans are visual beings, or at least: I am game for eye-candy!

29.09.2008 by admin

In spring this year I was accompanying a friend and business partner of mine to shadow him on a visit to one of the “Managed VoIP Service” vendors, as he (my friend) is also running a small system integrator company. Technology-wise, this was quite interesting as the vendor had some decent developer resources working on their own “linux distro” as the core of the VoIP service. After we had gone through all the security details regarding this approach (which is why I was there, after all!), the discussion turned towards the client and their use of the tool. As with any “messaging” solution introduced lately, the client GUI consisted of a narrow side-panel, to be positioned at the right hand side of the screen. Why do I tell you all this? Bear with me…

Take Skype, for example (not the current beta though! If anybody from the dev group there reads this: wrong direction guys! The GUI is BAD): the original GUI is nice, it can float, you can resize, tweak, whatever you like. Better even: TRILLIAN, the multi-messenger tool. Transparency, skins, all available. Well, our friends from the VoIP service vendor were all good down-to-earth techies. But no “trekkies” for sure – as their GUI looked like it had been designed during the “Windows for Workgroups” design phase and never changed since. For me it is obvious that rock-solid technology is a MUST – but great UI design can be a unique selling point most vendors seem to underestimate.

Now that I came across PINoptic and they showed me what they had to offer (e.g. visual one-time-pads for mobiles) I was very much interested. Not that no one else before had the great idea of using icons and pictures to verify one's identity or to authenticate – tools like these have been available for the PALM III and PALM V as well as for Windows Mobile (almost) ever since! But these guys took a mathematical approach to it and extended the PIN-like scheme with a cryptographic backoffice system. So, instead of putting in your 4-6 digit PIN at the ATM (Geldautomat, for our German readers :-) ) you touch the buttons representing your “story”: man – house – bird – key. The next time the icons might be mixed thoroughly, showing a totally new number-block, with the icons mapped to other buttons. Actually, a nice way to put in your PIN, and with the use of out-of-band back-channels (use your mobile phone to enter the “derived PIN”!) quite a secure way to authenticate. Hard to explain with no visual, so go and check out their demo at
http://www.pinoptic.com/ or help them with the “research data verification game” (clever way to do this, despite the fact that I am unsure if I would WANT to put in my details for the “lottery” here – anyone seen the “Mercury Puzzle”???).
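As an added illustration, not PINoptic's own code or protocol: a small Python model of the shuffled-icon PIN idea described above. The icon set, the four-icon “story” and the ten-button keypad are my assumptions; the server draws a fresh icon-to-button permutation for every login, the user types the button digits under their story icons (the “derived PIN”), and the server checks those digits against the same permutation.

```python
import secrets

# Ten icons, one per keypad button. Constructed sample set, not PINoptic's vocabulary.
ICONS = ["man", "house", "bird", "key", "car", "tree", "fish", "sun", "moon", "cup"]


def new_challenge(rng=None):
    """Shuffle the icons over the ten keypad buttons for one login attempt.

    Returns the icon -> button-digit mapping that is shown to the user.
    A fresh permutation comes from a CSPRNG each time, so the typed digits
    for the same story differ from one attempt to the next.
    """
    rng = rng or secrets.SystemRandom()
    order = list(ICONS)
    rng.shuffle(order)
    return {icon: str(button) for button, icon in enumerate(order)}


def derive_pin(story, challenge):
    """What the user actually types: the button digit under each story icon."""
    return "".join(challenge[icon] for icon in story)


def verify(entered, story, challenge):
    """Server side: recompute the expected digits for this challenge and compare."""
    expected = derive_pin(story, challenge)
    return secrets.compare_digest(entered, expected)


def pressed_icons(entered, challenge):
    """Map typed digits back to icons via the inverse permutation (audit/debug aid)."""
    by_button = {button: icon for icon, button in challenge.items()}
    return [by_button[digit] for digit in entered]


if __name__ == "__main__":
    story = ["man", "house", "bird", "key"]    # the user's secret story (assumed)
    c1, c2 = new_challenge(), new_challenge()  # two separate login screens
    p1 = derive_pin(story, c1)
    print("derived PIN for challenge 1:", p1, "-> verify:", verify(p1, story, c1))
    # Digits observed once are almost always wrong against a later shuffle
    # (they only match if the new permutation happens to repeat those 4 positions).
    print("same digits replayed against challenge 2:", verify(p1, story, c2))
```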

Anyway, have fun and procrastinate a bit at http://www.pinoptic-challenge.com/


© 2010 Sebastian Rohr, Kuppinger Cole