Professor Gene 'Spaf' Spafford
EXCLUSIVE INTERVIEW: PART TWO
In Part One of our exclusive interview, Prof. Spafford discussed:
PKIForum.com: Could you talk about the needs of key backup and recovery by trusted third parties?

Spafford: If the regulation goes into place to support that -- so that there are some guarantees of protection, liability and so on -- then it's a very good idea, both for individuals and for companies. Encryption is a powerful tool that gives us a great deal of confidence. As I was saying, it increases our trust, it assures our systems and our communications. But if it results in us losing access to vital information we have a terrible problem. And so it's critical that we be able to recover/regenerate those keys, or have alternatives to using them. We can do those. We can do self-escrow but I don't think that's a solution for people in home markets or small businesses because a disaster that wipes out their main system may take out wherever they've stored those keys. So we really need to go to third parties. But they have to have protections under the law against theft [and] fraud, otherwise that [protection] has to be at a higher level than it currently is because they'd be on the receiving end of huge lawsuits for disclosure. It's not surprising that no one's really stepped up and decided to do that yet because of that problem.

PKIForum.com: Please explain how third parties can store these keys safely.

Spafford: Well there's probably going to be a range of those depending upon the value of the keys. So for home users, who have a certain level of need, then perhaps making multiple CD-ROMs [or] DVDs with the keys and storing them in protected locations might be sufficient. For master keys that are used for big financial institutions or government agencies, you might actually want to etch the keys into nickel plates and put them under armed guards in salt mines in multiple locations so you don't lose them. A lot of that has to be based on risk analysis.

Putting them all in one building is not a good idea, because if that building has a fire, or a plane crashes into it, or [there is] an explosion or employee theft... there are the problems. It becomes a really interesting problem how to deal with that. And what if you encrypt them with your own key? Well, now you have another problem of protecting that key.

PKIForum.com: You've talked about the need for education among consumers and the average user. What about on the business and industry side? What kind of education issues do you see there?

Spafford: We have education at a couple of different levels. The one that's closest to me -- as to what I do -- is at the level of the graduate education [or] university education arena. We have nowhere near enough trained individuals in academia who are working in this regard. A few dozen people are in academia who do more than encryption and who have some experience and knowledge of the area, offering classes, training graduate students. In North America we may be turning out three or four Ph.D.s a year in this arena who really know the material, and the majority of them are not going back into academia, so we're not doing anything to really grow the population in the way we need. At the undergraduate level, at the master's degree level again, we're probably producing in North America in the neighbourhood of 4,000 to 5,000 [graduates] at the most but the demand is up in the 400,000 to 500,000 a year numbers and so there's a big shortfall. All of those are the people who would go out and teach others or build the products that have the features that we need. That doesn't even begin to get to the point of 'how do we teach the general public?' There, however, we can get some leverage by including the education in other mechanisms. Children in particular, we teach them a lot by what they see as part of their television shows, the stories they read in grade school to learn to read, the nursery rhymes that they sing, the games they play. So if subject matter specialists develop those [materials] that include the right [security] principles then we can reach a wider audience, but it's going to take time because they're going to have to learn it early and then mature up through successive age levels. So we have a long ways to go across the spectrum.

PKIForum.com: How familiar are you with the security situation in Asia?

Spafford: Very little. I have spoken with people from Korea and Japan, and their awareness lags behind ours by a year or two. There are some who are very, very aware, but the majority are not quite where we are yet. But that's purely subjective and not based on a lot of data, so I have to qualify that heavily.

Copyright © PKIForum.com™ 1999-2003. All Rights Reserved. The PKIForum.com logo, "PKIForum.com", "PKI Forum.com" and "PKI Forum" are trademarks of PKIForum.com and its proprietors.