An excerpt of a recent slashdot post:

“… I wanted to ask the Slashdot community, what do you think the hold up is (regarding use of encryption)? Are the existing protocols somehow not good enough? Are the protocols fine, but not supported well enough in software? Is it too complicated to manage the various encryption protocols and keys? Is it ignorance or apathy on the part of the IT community, and that we’ve failed to demand it from our vendors?”

I think I’d go with a few core issues on this one…

First, a large part of the development community is is ignorant of the encryption technologies and how to make them work.

Second, a larger problem is the greed of the existing trusted root authorities. Most individuals are not willing to expend the ridiculous amount of money required just to assert their identity. IMHO it’s an evil exploitation.

Third, and most important. The meat of the problem is ‘identity’. How do I prove who I am? PKI cannot solve this. Why? Because I use several machines to interact with the web not one. If any of these machines, some of which I don’t control, are compromised then some other party can act on my behalf. No machine is secure enough for me to trust it with that kind of control over my online identity.

Thus we are where we are, PKI is expensive and not well understood by most developers. Further, even if this were overcome it would not server as proof of who I am. To truly address the issue a completely new technology/approach is required. I rather doubt we will see a solution in our lifetime.