| tstraub@gkec.tu-darmstadt.de |
| Computer Science Department |
| Technische Universitaet Darmstadt |
From a user's viewpoint, security in general and PKI (public key infrastructure) in particular are complex matters. According to a recent study [kes04], the majority of security incidents still can be traced back to user errors or carelessness, although users' troubles with PKI-enabled applications are known since the study of Whitten and Tygar investigating the handling of secure e-mail [WT99].
Unfortunately, due to the nature of PKI, user interaction cannot be avoided entirely, e.g. when an unknown certificate has to be imported as a trust anchor. In my work, I am proposing several measures to face the usability challenges of PKI.
One of them is a generic framework to comprehensively evaluate usability and utility of PKI-enabled applications [SB04]. Apart from being a tool to detect usability problems and assess applications, it may as well serve as a requirements specification for application designers.
Another idea is to delegate complex and security-critical tasks to skilled personnel or a service provider. For instance, the protocol described in [Str04] allows an organization to outsource the task of maintaining a PKI in a way that it retains full control and does not have to trust the service provider.