David,
it should give some indications of one area that I
feel does not work too well.
A powerpoint is also available:
I.e. it is really Web Services that are addressed
as this is what most people believe is where both PKI and e-business will be in
a relatively short period. Below is an extract from another posting
highlighting some basic problems that the work is supposed to
address:
First it is important to note that digital
signatures are virtually non-existent in B2B so what follows here is
"theory". Digital signatures have a major problem which did not
exist in the paper-world. A signature on paper is a
technically imprecise way of giving "authenticity" to a
document. A digital signature on the other hand identifies the signer
in a technically very strong way. Now, let's say that you have an
invoice from ACME Corp (using any of the rather arbitrary ways to identify
this), what is the stronger part of the identity (i.e. the certificate) supposed
to contain? And even worse, if you use personal signatures what should
these contain? John Doe at ACME Corp? Are business systems supposed
to cross-check between the claimed identity in the business document and the
certificate? I believe so, but here there is mostly zero interoperability
and hardly any normative documents to find. Consortiums like ebXML don't
touch such issues and PKI folks typically shun business systems like the
plague. In case anybody on this list is interested in this area (maybe
even co-authoring), I'm currently toiling with an IETF draft (enclosed), trying
to "marry" PKI and business systems. It is worth noting that the
e-Government in Sweden has (in their actual systems) not yet addressed
the idea that a citizen of another EU country would use their certificate,
which by the way is rather hard as there is no universal way to express personal
identities either. The qualified certificate standard does not require
globally unique identities so you could even end up with name conflicts!
PKI is unfortunately an immature technology originally designed for sending
e-mail between individuals which is rather different to sending messages between
or to "machines" as the latter only "compute" which is not equivalent to humans'
"understand".
Best
Anders R
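
The cross-check between the identity claimed in a business document and the signer's certificate, and the name-conflict problem the message raises, sketched as an added example (not part of the original message or of the draft it mentions). The identifier scheme label, the policy table, the use of the subject `serialNumber` attribute and all sample values are assumptions made for illustration; certificate path validation is assumed to have happened already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    seller_name: str     # display name printed on the business document
    seller_scheme: str   # hypothetical label for the identifier scheme
    seller_id: str       # identifier claimed in the business document

@dataclass(frozen=True)
class SignerCert:
    issuer: str          # issuer DN of the signing certificate
    subject: dict        # subject attributes from an already validated certificate

# Hypothetical local policy: which issuer may vouch for which identifier
# scheme, and which subject attribute carries the identifier.
TRUSTED_BINDINGS = {("CN=Example Business CA,C=SE", "SE:ORGNR"): "serialNumber"}

def name_only_check(invoice, cert):
    """Weak check: compare the organisation name only."""
    return cert.subject.get("O", "").casefold() == invoice.seller_name.casefold()

def cross_check(invoice, cert):
    """Bind the claimed identifier to (issuer, scheme, attribute)."""
    attr = TRUSTED_BINDINGS.get((cert.issuer, invoice.seller_scheme))
    if attr is None:
        return False, "issuer not trusted for this identifier scheme"
    cert_id = cert.subject.get(attr)
    if cert_id is None:
        return False, "certificate lacks the " + attr + " attribute"
    if cert_id != invoice.seller_id:
        return False, "identifier mismatch"
    return True, "match"

# Constructed sample data; all names and numbers are invented.
INVOICE = Invoice("ACME Corp", "SE:ORGNR", "5560000001")
CERT_A = SignerCert("CN=Example Business CA,C=SE",
                    {"CN": "John Doe", "O": "ACME Corp", "serialNumber": "5560000001"})
CERT_B = SignerCert("CN=Another CA,C=XX",
                    {"CN": "John Doe", "O": "Acme Corp"})

if __name__ == "__main__":
    for label, cert in (("A", CERT_A), ("B", CERT_B)):
        print(label, name_only_check(INVOICE, cert), cross_check(INVOICE, cert))
```

Both certificates pass the name-only comparison because subject names are not globally unique across issuers; only the certificate whose issuer is trusted for the claimed identifier scheme passes the cross-check.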
----- Original Message -----