so this article over at k5 is pretty cool. discusses how the military has set up the world's biggest PKI (Public Key Infrastructure) and has issued over 6 million smart cards that employ it. pretty impressive. be sure to read the linked pages. (use a tabbed browser ;) )
i did a paper on PKI in my first-ever security class. its a pretty cool idea, but really only possible in a context like the military. the whole chain-of-command thing suits PKI very well. all attempts at trying to do this in a corporate environment seem to have problems and don't seem to be all that well-supported by the execs.
so my thoughts are that this is very similar to the SSL CA problem facing the internet these days. right now, if you want to get a secure internet site (i mean officially secure with valid CAs and all), you have to pay for a CA for each site you want to lock down. every subdomain, everything. so what do people resort to? only buy one certificate and have the server identified in that cert host all secure transactions. sure, it works. its not even that big of a deal. but why?
there should be a hierarchy of CAs beyond the corporate monoliths (verisign, thawte, etc). there should be a US CA which assigns national-level certs. there should be state-level CAs, signed by the national ones, which give out regional certs and University certs. the hierarchy of public servers is obvious. this way, when a University student needs to host a secure webpage, he doesn't have to spend $90 for a single-server cert. instead, he can be issued a cert by his Department, which is signed by the University, in turn by the State and the US CA. what about end-users? browsers will have to add the US CA certificate as a "root-level" server. too much trust in the government? well why do you trust the 10 Verisign root-certificates already installed in every browser on your computer? why not add one for the government. allow free, public network security.
the same infrastructure could be used for a PKI. every government employee (or student, or whatever) should be able to use public-key-crypto without any effort. i should be able to email my mom securely and she should be able to read it. she shouldn't have to build a PGP web-of-trust or buy a certificate from Verisign. when she pays her taxes, or gets her drivers license, these things should just happen too. why not?
a government is built in a hierarchy: nation, state, region, person. why not take advantage of that? i understand that politics will always get in the way of developing these ideas, that the NSA (or whoever) will try to block individual encryption, but ignore that (please). suppose the NSA gives up and realizes that encryption is coming to the masses and that it is actually a good thing. in order to serve the people best, the government would take what they've learned with the guinea-pig military and apply it to the nation (see GPS, etc). maybe im a big security-nerd and none of this is that important, but hey. i think its possible.
call me a commie, but i think that people shouldn't have to pay some arbitrary company for secure communication and publishing, we already have a hierarchical infrastructure in place called the government. its how roads and schools are built. why not use it?