In 1928 Herbert Hoover said "A chicken in every pot and a car in every garage", suggesting under his leadership everyone was going to get a fair deal.
Well, I have a slight variation on this theme: I want to see PKI get a fair deal of its own. Deploying PKI-enabled applications is hard for one primary reason, the need to deploy additional infrastructure; Kerberos applications (in a Microsoft environment) no longer have this burden because every DC is a KDC.
There are lots of reasons why this has not happened yet, one of the most significant being the refusal of PKI to “grow up”; by that I am referring to its bumpy history and its resistance to the changes necessary for it to be broadly deployed. X.509 was originally published by the ITU in 1988; there have been numerous revisions of the standards around this format, but the important thing is that when it was introduced it was really only of interest to financial institutions and governments, who could accept the burden of deploying this complex technology.
As a result, the solutions that used X.509 focused on the scenarios and requirements of these customers, and as vendors started having success with them, they tried to sell the same products to enterprises and e-commerce. The problem is that these customers (whether they realized it or not) had different requirements given their risk profiles and scenarios.
Entrust was probably the first CA software provider to realize this, with their introduction of auto-enrollment, and Microsoft followed with their own solution, which has become the staple for enterprise PKI deployments. Despite this, one key problem still remains: one has to choose to deploy a separate infrastructure to support even the most basic scenarios involving PKI. In Windows 2000 Microsoft addressed the equivalent problem for Kerberos by integrating it into the DC; I suggest the same thing needs to happen for PKI.
If you look at the Layer 2 networking space, there are literally hundreds of weak mechanisms to authenticate you to the network; from my perspective there are really a few reasons why this is the case:
1. There is no secure, standards-based password mechanism that can (reasonably) be implemented by all classes of devices that participate in a network.
2. The secure methods that are available today require either the deployment of a PKI to get auto-enrollment or the manual management and acquisition of certificates from a third party.
This means enterprises are left with the traditional choice of cheap, fast or secure, pick any two; when it comes to network access and running a business, cheap and fast always win.
One way to fix this (IMHO) is to remove the deployment barrier for the secure scenarios: give every domain controller a certificate authority and make it as easy to get a certificate as it is to get a Kerberos ticket.
This would allow broad deployment of certificates for both servers and users and be a real enabler for seamless network access; I am not suggesting this by itself will solve the problem, but it is most certainly a step in the right direction.