I remember discussions in the 1990s about how to get a PKI infrastructure off the ground. One of the problems was how you have a trusted PKI provider (the post office was mooted at one point), and another was how you prove to the PKI provider that you are who you say you are. Without those things it wasn’t really about your actual identity, but more the concept that your message claiming to be X hadn’t been tampered with, IIRC. I once had a personal cert from Thawte which was using a ‘web of trust’ model whereby you could visit other people (who had certificates) in person, who would verify your documents (passport etc.) and sign your cert. Once you had been signed by a certain number of people you could become a signer yourself. I think that didn’t last (and I lost track of my cert!). I suppose it would work for organisations like the university in your example above because they may have a certificate chain for themselves which goes all the way back to a trusted root CA. But even then… the discussions surrounding EV certificates here were illuminating: https://twitter.com/troyhunt/status/940308131925467136
I’m no fan of the distributed ledger blockchain for a number of reasons. I’m not sure whether the proposals for it in Identity actually resolve the original problems about trust in PKI, as you are indicating at the end of the article.
So, do you think having a reliable PKI infrastructure will depend upon technology, on process, or some combination of the two?