[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [pki-tc] Measuring the success of PKI [was: PKI-TC charter issue]
Stephen, I believe it is _much_ too early to tell where PKI _really_ is going. For example, it is in fact technically possible to use a passport-like PKI for numerous entirely different purposes including on-line banking, e-gov services, login to the enterprise etc. That is, this single credential can be used to point to resources or capabilities of the holder. 3D Secure is an example of how smooth this can be. You can have a credit card as a "virtual capability" at the issuer bank and only use the login PKI for using it. Merchants only "see" your virtual credit card NB. Why would this scheme have any chance on the market? Well, it does allow you to revoke and renew [potentially] your entire "e-power" in ONE operation. If such a PKI is run by banks you could actually do this globally and the associated banks could maybe charge some $10-$25 for it annually. No other CA structure is likely to match such an ID network. We may actually need this when we start to DEPEND on PKI. Having 10 different more or less local PKI cards in your wallet will be a nightmare to revoke and renew if you happen to get mugged or similar on the wrong side of the globe. The HUGE difference with the current situation is that credit-cards is only about money while the embedded PKIs you mention, vouch for things you cannot get from any but the actual source. If this will be established or not depends on many factors, the most important is probably the business model. The so far dominating business model within the financial sector known as the Identrus four corner model have so far not delivered much as it is essentially "call collect" and that is hampering acceptance. Stay tuned. For another decade or so :-) Anders ----- Original Message ----- From: "Stephen Wilson" <swilson@lockstep.com.au> To: <pki-tc@lists.oasis-open.org> Sent: Tuesday, May 31, 2005 21:45 Subject: Re: [pki-tc] Measuring the success of PKI [was: PKI-TC charter issue] Anders I think you and I might be closer in our views than it appears. I think the future of PKI is embedded digital certificates. When I said that ubiquitous use of digital signatures by the general public need not be the best way to measure PKI's success, I meant to say "overt" digital signatures. But I too see embedded PKI, delivered via EMV and other types of smartcards and portable devices, as taking over. I wrote a paper for the American Bar Association about this a little while ago. See www.abanet.org/scitech/nosearch/eblast/eblastarticle1.html and an extract below. Cheers, Stephen. -------------------------------------- PKI without tears January 2003 Abstract Traditional Public Key Infrastructure (PKI) is unnecessarily complicated. Largely as a result of early misconceptions that we needed an all-purpose digital passport to do business on the Internet, traditional PKI has become overloaded with invasive personal identity checks and complex legal arrangements. To make things worse, early software implementations brought out explicit details of digital certificates, necessitating unusually intense user training. To try to support stranger-to-stranger transactions, user agreements for general purpose certificates have required people to read and understand huge and forbidding Certification Practice Statements. And yet the business benefits of going to all this trouble remain controversial. Most of the burden of orthodox PKI derives from trying to create the all- purpose digital identity. In day-to-day personal commerce, this is famously analogous to a drivers licence, but in the professions and in business, a single identity is uncalled for and unprecedented. PKI tends to deliver its greatest benefits – automatic paperless processing, reduced legal risk, lower cost of dispute resolution – in high value, high volume, specialist applications, where digital personae are application-specific. There are new PKI models where the cryptography is embedded deeply into smartcards, to much the same extent that complex ferromagnetic technology is built into all the other plastic cards we take for granted. Application software can be engineered so that all digital certificate functions are automated; smartcards can be issued to professionals and business people under existing terms and conditions which reflect the users’ standing. The user experience then becomes the same as with any conventional access card. We can do away entirely with the need to read and understand complex Certification Practice Statements and Policies, sign up to unusual Subscriber and Relying Party agreements, or undergo esoteric technical training. Thus the underlying PKI becomes true infrastructure, used purely to automate paperless transactions between parties who are already accustomed to dealing with one another. This paper presents a fresh look at the business drivers and true benefits of digital signatures, and shows how application-specific PKI can deliver the benefits with better usability, zero registration overhead, reduced training costs, simpler liability arrangements, and streamlined accreditation. The paper is aimed at regulators, policy analysts and e- business strategists with an interest in the future of PKI. -------------------------------------- > c-i-l > > Stephen wrote: > > >Sorry Anders, I am not totally sure what you mean by "web sign". Do you > >mean applying digital signatures in thin client web apps? > > The following is a fairly good description of web sign. Page #6 is the actual definition. > http://web.telia.com/~u18116613/onlinesigstdprop.ppt > > >Personally I think that XMLsignatures is the key here, allowing more widespread > >implementation of digital signatures in simple web forms. > > Absolutely. > > >We don't see a lot of this yet for two reasons: (1) penetration of XML, > >and (2) more importantly, we're in a PKI lull at the moment where developers and > >architects don't see the point of doing dig sigs at all (which then > >reinforces the slow uptake of XMLsignatures). > > I cannot verify this. XML is huge. XML signatures is in good use. But it is > mostly happening on the server side as the client platform is still inferior > > <snip> > > >But why should we measure the success of PKI by the percentage of the > >general public using it? > > It is at least one way to measure. By doing that I would say that Sweden > is about FOUR MAGNITUDES more successful than the US :-) > > >By its very nature it's not a ubiquitous technology. > > I don't agree a single bit on that. PKI will long-term become > more used than passwords for on-line services. > > >A very big obstacle we all need to get over is the long > >lasting misconception that PKI would (or should be) be ubiquitous. > > Since 50% of the entire Swedish population can get a PKI cert > today, I have some problems with this statement of yours. Maybe > you refer to the universal use of a specific PKI? That's another issue > in my opinion. Which I agree on BTW. > > >We (as PKI advocates in the TC) I think should be very happy if we were to see > >PKI penetrate say 5% of the population, as long as it was the right 5%, > > We are as I told you far ahead of this goal already. With EMV cards > for payments using PKI we get some 35% penetration of a special > purpose PKI. > > >and led to major improvements in the way certain types of e-business -- > >not all e-business -- is carried out. > > IMHO all e-business can without doubt benefit from using PKI > *technology* but that involves everything from EMV payments in > a shop to server-signed B2B POs. > > What kind of e-business would not gain by using PKI technology? > > <snip> > > >But there are countless applications where signatures are most definitely > >required. In Australia, large consulting projects in a wide range of > >fields including medical prescriptions, pension funds management, and the > >real estate industry, have analysed in detail the hundreds of instances > >where the law here requires a person to sign something. Very few of these > >instances can be nicely automated online without PKI. > > I believe you are limiting the use of signatures by connecting it to law. > Digital signatures is a way to show intent. That is, you can indeed > sign up for a dentist appointment using signatures. This is already > implemented in Sweden. > > <snip> > > >These are reasons for why internet banking with PKI is difficult, but my > >point is that internet banking with PKI is not necessary. The reason is > >that internet retail banking works using the same rules as phone banking. > > Now you are into this legal business again. PKI should be > compared to long passwords and OTPs. PKI is MUCH more convenient > as well as withstands any amounts of server-break-in attempts. > Passwords and OTPs typically lock the account after a few consecutive errors. > That could cost tons of money. > > Signatures actually combine an intent (transaction request) with a > procedure and security and is IMO useful for paying simple > bills. If the signature software is appropriate that is. I do > this all the time actually... > > >It is often said that PKI is better for business banking and indeed I have > >seen reasonably good applications in treasury functions etc. This is > >because these more complicated transactions tend to need signatures (and > >because the economics can cope with relatively more expensive software > >development and support issues like smartcard reader deployment). > > I do not agree. It is volume apps that benefit from PKI. Things that > you only do occasionally you might as well do the conventional way. > But I of course again see this from a consumer perspective which is > due to the fact that in EU, PKI is mostly a consumer movement. > > >The other important point in email is that really good PKI apps do not > >involve transactions between total strangers, but instead involve parties > >which have a prior business relationship, which is readily instantiated in > >the form of a certificate issued by one of the parties to the other. For > >example, a certificate standing for someone's qualification as a patent > >lawyer, or a licenced customs broker, or a registered medical > >practitioner. The idea that you can determine a total stranger's > >trustworthiness from reading their digital certificate is not practical, > >indeed is almost fanciful. > > Violently agree! > > >Anders, I don't think implementing PKI always requires reworking all > >business processes and logic. In fact, the better PKI apps succeed by > >being overlaid on business processes without changing them. For instance, > >if a paper medical prescription process works by writ of a doctor's > >licence to practice, then it's very smooth and efficient to issue a > >digital cert to the doctor that simply represents her medical registration > >(say with the medical authority acting as RA) and to apply digital > >signatures in e-prescribing software. Usually this software is fat > >client, updated every quarter or so with a new version, and easily > >mopdified to call up some dig sig functions. > > One problem is when this e-prescription is about to be transferred to > the pharmacy because message encryption which is a necessity in > this sector is incompatible with everything else. > http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf > > The following is a real example of e-health worth studying: > http://middleware.internet2.edu/pki05/proceedings/kailar-phinms.ppt > > If individual signatures were to be added, they should (IMO) > be stored locally together with other audit info. > > In fact, here I believe this TC is on the wrong track. But "fortunately" > this TC is in very good company, there are numerous other "PKI-TCs" > and they all refuse to acknowledge the notion that an information > system can be "authorative". We, the system architects have worked > with this "paradigm" since day #1 and see no reason to change. > On the contrary, this is a wonderful way to create a scalable PKI. > There is a reason why VeriSign have 1 billion relying parties for their > SSL CA as well as a million paying subscribers! > > Here you already have a truly ubiquitous PKI BTW. > > Cheers > Anders Rundgren -- <Put email footer here> --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may a link to this group and all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]