PorKI: Making PKI Portable in Enterprise Environments

PorKI is a keypair management tool for use on PDAs and smartphones. Through the use of proxy certificates and Bluetooth communication, it allows users to employ their long-term PKI credentials for authentication on potentially untrusted workstations without exposing those credentials to attack, and without requiring special drivers or software on the workstation. Moreover, if the workstation is equipped with a keypair and a signed statement from its administrator, PorKI can limit the capabilities of the temporary credentials issued to it. Such a statement might include information about the machine's location, its configuration, or who has access to it. This, in combination with policies configured by the user or by the relying party, can help both place an appropriate level of trust in the workstation without requiring the user to have specialized knowledge. Based on our experience with the working prototype, PorKI has the potential to be a highly usable way for average users to transport and use their PKI credentials securely in a variety of environments. In a brief talk, I will sketch the design of PorKI, its potential and limitations, as well as what other capabilities we're considering building into it.