PKIForum.com - News. Information. Education.

  



 Professor Gene 'Spaf' Spafford

 EXCLUSIVE INTERVIEW: PART ONE



 

PKIForum.com: What kind of changes could be made from the infrastructure side to bring about the kind of security that you're talking about?

Spafford: Paradoxically, the network provides us with a great medium for many things, many of which are in conflict with each other. So in one sense, it gives us the ability to have some truly anonymous participation in things. Whether they're marketplaces or bulletin boards and chatrooms, expression for political speech, [or] all kinds of things that can be done anonymously.

But anonymity also can be a shield for people who are doing things that are wrong and [that] we want to stop, whether those things are breaking into systems, e-commerce systems, money laundering, slander, libel -- those kinds of issues. What we need to do is to think about for the network infrastructure: can all this be accommodated in a single network or are we better off in trying to develop some different networks that have different rules of operation, [and] that are regulated differently? That's one of the things that we're going to have to look at.

To realize the promise, for instance, of digital government or of e-commerce, we're going to have to have some stronger authentication mechanisms. We're going to have to be able to deal, for instance, with denial of service [attacks] and, perhaps, technologies that won't allow packets to traverse a corporate firewall or even traverse the network unless it's cryptographically -- unless they're cryptographically signed, might be one approach.

I can't say for certain what is going to be the best combination of things, but we need to start looking in that direction. We continue to have these very strong philosophical extremes where one group is going, "We must have anonymity, it has to be allowed for political speech and for personal privacy," and others [are] saying, "No, we have to have strict accountability to be able to enforce the laws and otherwise." They're both right!

The problem is that they both want to impose those rules on the same arena, and that isn't really what we're going to be able to build for the future. There's enough fiber going in, there [are] enough communication channels that there's no reason that we can't run multiple channels, multiple virtual networks. That's one approach. But the problems are not so much technological as they are political and economic and philosophical. Those are, really, the big challenges -- to get people to agree on things and to be able to afford them, especially as we're going to a global network.

PKIForum.com: How much of the security issues are ethical issues and how do ethics play in this whole environment?

Spafford: They certainly play a role. And in part -- from the standpoint of looking at ethics -- it's within a social context. The things that govern our behavior are partly driven by ethics, partly by etiquette, partly by tradition and -- certainly -- partly by law, because the computing technology is relatively new. The PC just celebrated its 20th anniversary. The network has only been used for commercial purposes for about seven years. That's an incredibly new arena.

The numbers that I've seen indicate that the population online has been doubling about every nine to 11 months for years. This is a trend that has been going on for a long time. You can trace out those figures. Which means right now, at any point -- whenever "now" is -- the majority of users have been online less than a year. So where do they learn proper behavior? Not simply etiquette, or not simply ethics but etiquette and building a sense of community, knowing what's right and wrong in that regard -- we haven't built that up. We don't have the standard techniques to teach that.

And it's not something we can just spring on adults. We have to start at an early age and build it in as part of the whole thought process of understanding "What is property?" That's going to be a big issue. What is someone's personal space online? What's appropriate to do when you find an open door, for instance? We do that in the physical world. We have not done a very good job of that in the electronic world.



"Security is an absolute that we can never achieve"

PKIForum.com: So how would security come into play here?

Spafford: Well, a lot of people in the field have been talking about assurance because security really is a property that's an absolute that we can never quite achieve. A system is secure or it's not. What we're trying to do is we're trying to find ways of increasing your trust in those systems to give you a greater assurance that they'll operate in the way that they are supposed to, and if we think of that in the broadest context, it's not simply technology. It is also affecting how people interact and how they view the systems, affecting what laws govern it, affecting when it can be accessed, where it can be accessed, how it works in a global arena.

[There are] a lot of challenges ahead for us! Sometime in the next five years, the majority of users on the Net will have Chinese as their primary language. How's that going to affect what we're doing now with the network -- that big change? We're already seeing that now. A lot of people [are] getting massive amounts of spam in character sets and languages that [they] have no idea what it is. It's going to get worse. And we're dealing with ethics, religion, laws, [and] customs in over 200 countries around the world. Whose are the right ones to impose on a global arena? We've got a long way to go before we know the answer to that.



"PKI poses a number of difficulties for privacy, for organizational control and for liability"


 



Copyright © PKIForum.com™ 1999-2003. All Rights Reserved. The PKIForum.com logo and "PKIforum.com" are trademarks of PKIForum.com and its proprietors.