Paul,

Thanks for the information. It looked OK, but the authors have reduced the scope to X.509-related things, which is not where the major problem is today (as existing PKIs are mostly local).

I can report from Sweden that the e-governments have practically come to a standstill, not due to X.509 issues but due to the business models of the CAs involved. One of the CAs requires end-users (citizens) to perform a time-consuming operation and pay some $30 to get a certificate, while a consortium of banks provides certificates for free by clicking on a button in the citizen's on-line bank. I can testify that this is really nice. However, the "verifier" has to pay 25-60 cents for each status check, as described in the following document: http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf, which works fine for the yearly IRS declaration but not at all for frequent login to health-care portals etc.

Personally, I believe the destiny of the four-corner model is the single most important question for wide-spread use of PKI in society. A delegation of public sector officials will talk to the Swedish government this fall and require CA business model "normalization".

Another problem is that we still don't have cheap and standardized key-containers (smart card or similar) supported directly by the OS vendors.

br
br
Anders Rundgren
----- Original Message -----
Sent: Wednesday, June 25, 2003 19:35
Subject: [pki-tc] EEMA pki Challenge papers
At Steve Hanna's suggestion, I'm providing links to some significant papers that are now available to the public and that we can leverage in our work.
The European Electronic Messaging Association (EEMA) worked to carry forward the Challenge work of the EMA in North America in the form of their pki Challenge (pkiC). They made considerable effort to identify issues that impact interoperability and the deployment of PKI. They have succeeded in producing exceptionally useful materials that advance the understanding of PKI deployment issues. The EEMA reported out their results in April and released three additional papers last week.
The most applicable document to the PKI TC is the paper titled "Challenges for the PKI Industry" (92kb pdf). Aimed at standards bodies, the European Commission, other groups with an interest in this area, and other participants, this paper outlines some of the technical challenges still facing the industry. Steve and I agree that it is an especially clear analysis of some of the main problems that must be addressed for PKI to succeed.
For those in the vendor community, I suggest reviewing the pkiC's "Recommendations for vendors" (112kb pdf). This document considers the implications for the vendor community in light of the conclusions of the pkiC, and makes recommendations about the features and levels of support for standards that PKI products should exhibit to encourage interoperability between users of different vendors' products.
An excellent read for organizations that are embarking on a PKI deployment is their "Best Practice of PKI users" (129kb pdf). All PKI products are highly configurable. This paper aims to provide guidance to those organizations that wish to benefit from the services they can deliver, but who also wish to deploy and use PKI in a manner that maximizes the chances of interoperability with other PKIs.
The final pki Challenge report (501kb pdf) was released at Infosecurity Europe, London, on April 29 2003. You can also download a FAQ sheet (36kb pdf) showing the highlights of the full report.
Steve and I encourage everyone to read these as important background for our work, although the survey may also turn up other important issues.
Regards,
Paul Evans