Saturday, February 07, 2009


How important is Identity Based Encryption?

Luther Martin of Voltage published a blog entry entitled How important is IBE? which I will provide some deeper analysis on...

Voltage primarily makes much of its revenue from email encryption which is a solution to a problem that helps enterprises comply at the expense of their customers customers.

Consider a scenario where I may be an independent insurance agent who does business with dozens of insurance carriers such as AIG, Travelers, Chubb, Progressive and USAA. The insurance ecosystem has lots of personally identifiable information from your drivers license which is used to do Driving record checks, to social security numbers for credit scores to health information on the chance you crashed your overpriced SUV into a bridge and bled all over the dash. So, what do you think happens to this small independent insurance agent if Travelers chooses ZixMail, AIG chooses Voltage, Chubb chooses Tumblewed, Progressive chooses PGP and so on?

The answer is actually disturbing in that the user would either be forced to pay for client software licenses in order to be able to read his email in his own inbox or he would be required to establish a yet another credential (as if he doesn't have enough already) and read his email from other than his inbox. Does this feel right to anyone especially when there are standards-based approaches that could be had?

Why hasn't Microsoft championed interoperable email encryption? Could the Microsoft Exchange team solve this problem in an open manner and work with the folks over at Sendmail or Postfix? I have been working on a document that I hope to publish (it will be under Creative Commons) shortly that will outline some ideas on exactly how this should work. All I need are some names of some folks in these communities that would read, review and if in agreement, would take swift deliberate action in moving towards implementation of an interoperable solution.

Another aspect of IBE that I find somewhat troubling is that the conversation has centered around openness in an somewhat sinister way. Anyone can take the IBE algorithms and inspect them which is useful for the cryptography crowd but otherwise is incomplete. For example, being a member of OWASP, we don't review algorithms to determine security but we do look at APIs and implementations and in this scenario, OWASP cannot build a reference implementation, share it with others in an open manner, etc, so there is no way to understand it is truly secure.

PKI has multiple implementations ranging from closed source offerings such as Microsoft certificate services to open source offerings such as EJBCA, OpenSSL and so on. The ability to choose from open and closed offerings and offer the opportunity for deeper inspection is vital to the security of the IT ecosystem. Hopefully, the folks over at Voltage will champion the creation of open source alternatives in order to get the value proposition of IBE out to others to touch more deeply.

How come identity-based encryption isn't part of identity management? If I am an employee and I get keys to sign and encrypt, shouldn't the PKI solutions from Voltage, ChosenSecurity, Verisign, etc be managed from my identity infrastructure? Why aren't these types of vendors also thinking about SPML?

It feels to me that IBE could offer immense value if/when integrated into an ECM architecture. The ability to encrypt documents and content using this public key model is a lot better than PKI as it has many of the same characteristics of email, yet I haven't found evidence that IBE is even on the radar of smart ECM industry analysts such as Nick Patience of the 451 Group or Alan Pelz-Sharpe of CMSWatch. Equally, I cannot find evidence that anyone in the ECM community such as the folks over at Nuxeo, Alfresco, Joomla, OpenText or Filenet also understand its value. Here, I will cut Craig Randall of Documentum some slack as he would more than likely be forced to leverage RSA products which are counter to the IBE thinking.

More importantly, I don't understand risk of deploying IBE. If I have a PKI deployment that leverages MD5 and the RSA algorithm and they break, I don't loose all my primitives. I can still switch out RSA for elliptic curves and MD5 for SHA-256 and keep rocking. If IBE breaks, what other algorithms could I switch it out for.

Anyway, I don't have expectations of transparency on this subject, simply sharing whats on my mind. I do hope that the cryptography crowd, folks at Gartner and Forrester and software vendors will think about IBE and how it may work in large enterprises...

<< Home
| | View blog reactions

This page is powered by Blogger. Isn't yours?