[DyslexicAtheist]

PKI works. Period. I don't understand how knowledgeable engineers complain about PKI being "too complex". The same people complain that SMTP, DNS and NTP is too difficult too (and claim it can only be solved with external services).

Granted having your own home-grown authentication & identity management "salad", or a very complex system that never addressed identity/authenticity, ... then replacing this with PKI will force you to deal with a lot of technical debt. But don't blame PKI for it.

Blaming PKI has become rampant. Those that don't know can't dispute the nonsense and those that do know may have an agenda (snake oil vendors).

Hating on PKI has become like a bad habit in IoT (vendors see an opportunity to sell trash to an uninformed and ignorant audience). Be careful especially in IoT: There are a lot of snake oil proposals which promise to replace PKI here ... you should run as fast whenever you see these "proprietary, patent-pending, post-quantum-proof, blockchain solutions !! (the correct response to these vendors is: "BEGONE MAGICIAN!").

PKI isn't easy but neither is email, Kubernetes! It's as simply as it can be given the circumstance and job it has to solve. And PKI is essential knowledge as much as Latin is required for medicine.

[coldtea]

>PKI works. Period. I don't understand how knowledgeable engineers complain about PKI being "too complex". The same people complain that SMTP, DNS and NTP is too difficult too

Perhaps as knowledgeable engineers they can understand accidental complexity when they see it.

[therealdrag0]

OTOH it's easy to dismiss something as overly complex before you understand it yourself.

[coldtea]

It's even easier to build something that's more complex than needed, because of original bad design or accumulated cruft.

[therealdrag0]

Definitely agree. Devs are often too comfortable with their first design instead of iterating and simplifying.

[arethuza]

I don't think I've ever heard anyone say that SMTP the protocol is too complex.

However, the systems that people build on top of SMTP (often to address shortcomings in SMTP being too simple) can often be Lovecraftian horrors.

[castillar76]

PKI absolutely works, but the complexity complaint is still valid. I work in PKI, and we often tell people that PKI is difficult to do correctly, easy to do wrong, and nearly impossible to remove once you've screwed it up. That's the fundamental difference between something like PKI and DNS. It's very easy to set up a PKI and get things to trust your chain, but if you haven't done the leg-work to figure out how you'll replace it when it expires/breaks/needs upgrading/gets compromised, you're totally hosed. I've seen more than one environment brought to its knees because it was easy to check the "use certificates for my AD environment" boxes in Windows (just as an example), and then the root CA is on a laptop in Jim-Bob's desk drawer and five years after he retires the whole network goes sideways and no one knows why or how to fix it.

Fortunately, as someone pointed out up-thread, the demand for new PKI being generated not just for SSL by things like Let's Encrypt but also by things like device-aware trust is helping encourage a trend in making it easier to do it correctly and harder to do it wrong. Not quite there yet, but showing signs of improvement.

[syn0byte]

It "works" only at relatively low values of "work". By that I mean you are fine with various governments having complete control as long as it keeps the 14yo moms-basement sorts at bay.

My complaints with PKI aren't technical difficulty but administrative and bureaucratic. Consider; The NSA issues an NSL for all the root keys to YourCA Inc. Now what?

We would flee PKI like rats from a sinking ship if the capacity for a government to obtain any CAs private keys was written into code. But because its written into policy we simply ignore it.

[bdamm]

PKI solves a lot of problems but it sure doesn't solve government making choices you don't like. That's not a PKI problem, though, that's a government problem, and asking PKI to solve that is way outside the arena.

[Aqua]

I'm halfway through the article so far, but I didn't perceive the message as complaining about PKI being "too complex". The author outlines the fact that some aspects of PKI or certificate design are basically remnants of the past that don't make much sense in reality nowadays (e.g. encoding locality, state, and country). The author in fact complains about over-complication and ambiguity of various cert formats, but his claims are not without some merit here.

[DyslexicAtheist]

my comment was in agreement and support for the article and not a critic of it. the article was pretty awesome! I should have made that clearer in my comment, apologies for that.

[commandlinefan]

> complain about PKI being "too complex"

Usually when people complain about PKI being too complex, they're complaining about the opacity of the implementations. Certificates just stop working, and you don't get anything, and there's nowhere to look to figure out why unless you're really an expert on the topic.

[blattimwind]

PKIs work. It's not a necessary condition to use the internet PKI / PKIX to make use of the advantages of a PKI.

[rdtsc]

> PKI works. Period. I don't understand how knowledgeable engineers complain about PKI being "too complex".

Those are kind of two different things. Aircraft work. Brains work. CPUs work. Many things work and are still complex.