
OpEd: Postbank isn't secure? We're shocked, Mr President

By Phillip de Wet, ITWeb contributor
Johannesburg, 15 Sept 2025
ITWeb contributor Phillip de Wet.

It is September 2025, and the Postbank is not yet ready to be a bank. That was the shocking and utterly unexpected revelation by president Cyril Ramaphosa... read not a single news report after Ramaphosa's appearance in the National Assembly last week.

There are many, many problems with the Postbank, but let's zoom in on the one we can best appreciate in the technology trade, and about which Ramaphosa just couldn't stop dropping puns: card key management.

"The key question is how we move forward to put a bank together, and how we put all key elements together..." the president told Parliament.

Indeed. So, about keys, and Postbank's complete inability to be trusted with them.

Cryptography is literally built to be easy if you come at it from the right angle, and utterly impossible if you approach it from the wrong side. What is true of the computational difficulty of problems is also true about management: start in the right place, work through the steps in their proper order with a decent level of care and attention, and out pops a bulletproof system.

This is not rocket science. Rocket science isn't nearly as well documented as is PKI. Rocket science doesn't have a fraction of the best-practice manuals and case studies and experts who, for really not all that much money, will hold your hand through every part of the process.

Working backwards, we can say with absolute certainty that the Postbank has gone about its cryptography arse about face, because it has never been able to keep a secret key secret.

And from that flows that you cannot, under any circumstances, trust the government and its agencies with your keys. No back doors, no escrow, no judicially mandated handover.


Ramaphosa told Parliament that the Postbank can't get a banking licence because of conditions – those would mostly be Reserve Bank minimum standards – “particularly around its card key management processes”.

This would be the key management that it has been working on, in its latest iteration, since October 2022, when a moratorium on its appointment of IT suppliers was lifted.

For context, that is a couple of months before the world was given a “research preview” of a service called ChatGPT. In the time it has taken for AI to transform every part of enterprise IT, Postbank hasn't figured out how to keep secret keys secret.

That's not where the story starts, though.

Back in 2013 – before phones had overtaken PCs as the primary means of accessing the –the SA Post Office with great fanfare launched a Trust Centre that would offer certificates. The efforts of what was then the pre-split Postbank and Post Office to become a trusted vendor suffered a few setbacks, such as when, in 2018, somebody walked out the door with its master crypto key. By, apparently, printing it out, because it was kept in plaintext.

Oh, and that Trust Centre? It had been in the works for a decade, because the Post Office helped write the Electronic Communications and Transactions Act, and was then given vast quantities of public money to build out enabling infrastructure.

If this is the South African government's best effort at key management, then it clearly can't, and shouldn't. Don't let its crypto touch yours. If enforcement legitimately has to see something in your system, bring in consultants as a buffer. If Parliament tries to get weird about encryption and surveillance again, object. If the interception centre comes knocking about traffic metadata, give it to them as PDFs.

Just do not hand over any keys without all the fight you can muster.
