Hi Todd,

I hope you can find something useful there.

June

June Leung
PKI Department
FundSERV Inc.
1730 130 King St W
Toronto ON M5X 1E5
T. 416.350.2516 F. 416.362.6668
Todd,

I can't say that I have studied internal uses of PKI very much, unless one could call a national or bank system "internal". A bank in Sweden has 1 million on-line users using PKI for authentication and signatures. It seems to be working fine, although the solution only works on Windows as well as being non-mobile (soft certs). Note that this system is 100% web-based.

I believe the only internal PKIs of any importance are to be found in the healthcare sector. Although I'm personally working in the e-commerce field, I think the real question, from my point of view, is how to communicate between organizations. Here I think that the models currently deployed, based on establishing huge X.500 inter-organization directories, have been very time-consuming and not always too successful. Basically I think this is an incorrect use of information technology, which will make these efforts lose value rather soon.

I therefore propose something I call the "Bank Model PKI" (as it is really an "invention" made by banks) to minimize the "interface" between organizations rather than forcing organizations to expose information concerning employees that few private enterprises will ever accept: http://www.x-obi.com/OBI400/pki4org.pdf

regards
Anders
----- Original Message -----
Sent: Wednesday, March 05, 2003 21:27
Subject: RE: [pki-tc] PKI/e-business IETF draft co-editor
Anders,

Do you know of any good reference material that has detailed information regarding an actual implementation of PKI? I'm looking for something that is sort of a case study that explains what exactly was done, why, and what did not work and why it did not. Also, for now I'm more focused on internal PKI systems rather than something used for e-commerce, although an internal-use system with support for email encryption and digital signatures is of interest as well.

Thanks,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Todd Colvin
Computer Training Specialist
SEARCH Group, Inc.
7311 Greenhaven Dr., Suite 145
Sacramento, CA 95831
(916) 392-2550 Fax (916) 392-3271
http://www.search.org/
David,

The commercial use of digital signatures is growing, but I claim that the sector I'm most involved in, B2B transactions, will be one of the last ones to use such. Mainly due to the almost total disconnect between PKI and business systems, not only on technical grounds (the thing the IETF draft is addressing), but basic questions like what kind of certificates you actually need. The enclosed discussion papers shed some light on this question. This part is by the way now discussed in the EU, and quite a number of countries now fully support the idea of legal-entity-only signatures, in spite of not having a counterpart in the physical world. Still, a number of people out there claim that this is "madness".

I also consider business models as represented by Identrus et al (relying-party-paid) as a sure way to make B2B stay away from using PKI, or rather use their own PKI in a hub-and-spokes way (the big party issues certificates for their smaller customers/suppliers to use), which does not scale very well. As Bill Gates wrote already in 1995: there should be no markup on (non-payment) business transactions over the Internet, just inexpensive software. But banks, who have strong aspirations in the CA segment, have a long frustrating journey ahead of them before they finally realize that identification is not yet another payment system. Trust and identity, in contrast to payments, can be "settled" between two parties on their own, which makes the difference.

To my knowledge not a single one of the numerous e-invoice projects run by banks over the world uses PKI. My guess is that PKI is rightfully experienced as too messy. Without working TTPs having reasonable offerings, shared secrets seem much simpler to deploy, as such can be communicated in simple ways, including verbally. PKI is technically redundant unless you achieve a peer-to-peer based operation, which is currently virtually non-existent for other reasons as well.

The only working PKI markets I know of are Web server certificates by VeriSign et al and local PKIs supporting e-Governments.

For individuals, the fact that the smart card industry has not, after 10 years or so, managed to come up with a standard PKI card and built-in support in major OSes still makes PKI "non-standard" in the eyes of IS-managers. To store certificates on the hard disk is not an alternative in a corporate environment.

BTW, I hope that the PKI-TC will address some or all of the issues raised here.

Anders
----- Original Message -----
Sent: Thursday, February 27, 2003 22:00
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

The lack of commercial usage of digital signature technology is about to change.

David Sweigert, CISSP
----- Original Message -----
Sent: Thursday, February 27, 2003 1:17 PM
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor
David,

it should give some indications of one area that I feel does not work too well.

A powerpoint is also available:

I.e. it is really Web Services that are addressed, as this is what most people believe is where both PKI and e-business will be in a relatively short period. Below is an extract from another posting highlighting some basic problems that the work is supposed to address:

First it is important to note that digital signatures are virtually non-existent in B2B, so what follows here is "theory". Digital signatures have a major problem which did not exist in the paper world. A signature on paper is a technically imprecise way of giving "authenticity" to a document. A digital signature, on the other hand, identifies the signer in a technically very strong way. Now, let's say that you have an invoice from ACME Corp (using any of the rather arbitrary ways to identify this); what is the stronger part of the identity (i.e. the certificate) supposed to contain? And even worse, if you use personal signatures, what should these contain? John Doe at ACME Corp? Are business systems supposed to cross-check between the claimed identity in the business document and the certificate? I believe so, but here there is mostly zero interoperability and hardly any normative documents to find. Consortiums like ebXML don't touch such issues, and PKI folks typically shun business systems like the plague. In case anybody on this list is interested in this area (maybe even co-authoring), I'm currently toiling with an IETF draft (enclosed), trying to "marry" PKI and business systems. It is worth noting that the e-Government in Sweden has (in their actual systems) not yet addressed the idea that a citizen of another EU country would use their certificate, which by the way is rather hard as there is no universal way to express personal identities either. The qualified certificate standard does not require globally unique identities, so you could even end up with name conflicts! PKI is unfortunately an immature technology originally designed for sending e-mail between individuals, which is rather different from sending messages between or to "machines", as the latter only "compute", which is not equivalent to humans' "understand".

Best
Anders R
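The cross-check raised in the message above (does the identity claimed in the business document match what the signer's certificate says, and what happens when two certificates carry the same name) as an added worked example in Go. This is example code written for this page; it is not code from the thread, from the IETF draft it mentions or from any OASIS deliverable. It assumes that the seller's legal-entity registration number is carried in the subject serialNumber attribute of the certificate (a convention, not something the thread specifies), and the CA names, organisation identifiers and invoice text are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup failures; acceptable for a demonstration harness.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a certificate; parent == nil yields a self-signed CA.
// Assumption for this example: the legal-entity registration number travels in
// the subject serialNumber attribute (a common convention, not a fixed rule).
func issueCert(cn, orgID string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn, SerialNumber: orgID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// VerifyInvoice is the relying party's cross-check: the signer certificate must
// chain to a trusted CA, the signature must verify under it, and the legal-entity
// identifier in the certificate must equal the one the document itself claims.
// CommonName is deliberately not the matching key: two distinct legal entities
// can both hold certificates saying "ACME Corp".
func VerifyInvoice(claimedOrgID string, body, sig []byte, cert *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	if got := cert.Subject.SerialNumber; got != claimedOrgID {
		return fmt.Errorf("certificate identifies %q, document claims %q", got, claimedOrgID)
	}
	return nil
}

// RunScenarios builds two CAs and three "ACME Corp" signers (all constructed),
// signs the same invoice with each and returns the verdict per scenario label.
func RunScenarios() map[string]error {
	trustedCA, trustedKey := issueCert("Trusted B2B CA", "", true, nil, nil)
	otherCA, otherKey := issueCert("Some Other CA", "", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	// Constructed business document; it claims a seller name and a registration number.
	body := []byte("INVOICE 4711 from ACME Corp (org id SE-5560000000), total 1200 EUR")
	claimedOrgID := "SE-5560000000"
	cases := []struct {
		label, orgID string
		ca           *x509.Certificate
		caKey        *ecdsa.PrivateKey
	}{
		{"genuine seller, trusted CA", "SE-5560000000", trustedCA, trustedKey},
		{"same name, different legal entity", "DK-10000001", trustedCA, trustedKey},
		{"right identifier, CA not trusted", "SE-5560000000", otherCA, otherKey},
	}
	verdicts := map[string]error{}
	for _, c := range cases {
		cert, key := issueCert("ACME Corp", c.orgID, false, c.ca, c.caKey)
		h := sha256.Sum256(body)
		sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
		must(err)
		verdicts[c.label] = VerifyInvoice(claimedOrgID, body, sig, cert, roots)
	}
	return verdicts
}
```

Running the three scenarios shows why a match on the printed organisation name is not enough: the second signer is certified by the trusted CA under the very same CommonName, and only the registration-number comparison separates it from the genuine seller, while the third carries the right identifier but chains to a CA the relying party never agreed to trust.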
----- Original Message -----
Sent: Thursday, February 27, 2003 17:08
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor
A short note:

It sounds like you are seeking standards on the process of web-access control and authentication. Can you please define "e-Business" systems in a more clear manner?

David Sweigert, CISSP
----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <pki-tc@lists.oasis-open.org>
Sent: Thursday, February 27, 2003 10:25 AM
Subject: [pki-tc] PKI/e-business IETF draft co-editor

> Dear List members,
>
> PKI/e-business IETF draft co-editor
> -----------------------------------------
> I am trying to find somebody else who has also worked with combining
> e-business systems with PKI. This is currently an unusual combination in
> spite of all that we have heard about the value of digital signatures. Due to
> this fact, there is an imminent need for addressing this, and in my opinion also
> a need to create one or more Internet Drafts. However, in applicable standards
> groups like IETF's PKI Working Group, PKIX, there are to my knowledge hardly
> any persons with suitable backgrounds for such a task. Therefore I am looking
> in other places for a co-editor, or at least somebody to try new ideas on :-).
>
> ===========================================================
> In case you or somebody you know of could be suitable, please contact
> me ASAP!
> ===========================================================
>
> These are the approximate "requirements":
>
> - Knowledge of business systems architectures and technologies
>   like Web, SQL and XML
>
> - Basic knowledge of PKI
>
> - A genuine interest in user- and deployment-related questions
>
> - Basic capability of reading technical standards documents
>
> Note: This effort is mostly technical, but if there is somebody out
> there with an interest in CA business models and liability, this
> is also of interest!
>
> This is an initial effort to study:
> http://www.x-obi.com/OBI400/draft-rundgren-pkix-pnppki4ws-00.pdf
>
> Unfortunately you don't get paid by IETF, the best you can hope for
> is that a draft is approved...
>
> In case the OASIS PKI-TC is interested, this could be turned into
> an OASIS effort.
>
> Best Regards
> Anders Rundgren
> Senior Internet e-Commerce Architect
> +46 70 - 627 74 37
>