PKI vs. PGP

George Ou writes on his ZDNet blog:

Phil Zimmermann criticizes existing VoIP cryptographic solutions for relying on PKI.  Given the fact that Zimmermann’s PGP technology has always been an alternative to PKI based technologies, one can expect a bit of a natural bias against PKI-based solutions.  Just about every other PKI-alternative cryptography company has gone as far as declaring PKI dead even though PKI has been thriving for the last decade with E-Commerce leading the charge in a massive global PKI implementation.  I’ve personally designed and deployed many PKI solutions for large corporations for all sorts of security applications ranging from remote VPN access to wireless LAN security, and I can attest that the technology is simple, scalable, and reliable.  It’s an undeniable fact that any solution that promises to bypass PKI always ends up being more trouble than it’s worth.

While there does seem to be growing evidence of PKI "winning" the war of trust, this is likely not a zero-sum game – the two can coexist easily. In fact, Zimmermann highlights the real difference quite clearly – either a hierarchical, organized key management system (PKI) is useful within your enterprise, or it’s not (PGP). And if you have both, you build a bridge.

It is surprising to read Ou criticizing Zimmermann’s bias without addressing his own (as a "personal designer and deployer of many PKI systems"). What’s more, to suggest there is such a thing as an "undeniable fact" within the confines of his argument is outright laughable and stoops to the kind of rhetoric people use to support a weak argument. I am not sure why he chose to use this kind of "chump change" in an argument that I believe is fairly strong to begin with.

As with all technology, PKI is always evolving. What may have been true 7 or 8 years ago isn’t necessarily true today. Key management and identity validation have always been the strong points of a PKI, and always will be, but there are many, many hybrid solutions (Certificate Management Solutions?) out there that are good enough for whatever problem they are trying to solve.