Subject: RE: [pki-tc] digital signatures for OASIS standards
Mary,

A few answers follow. Note that some are the "Reader's Digest" condensed version...

A) Build or rent - OASIS could build its own but that would be too expensive and is probably way outside of its core competencies. The most pragmatic and economical approach is to subscribe to a Certificate Authority (CA) service provider. There are many CA providers that have service offerings including VeriSign, Entrust, Equifax, Cybertrust, Valicert and Thawte.

B) Yes. Cost varies depending on the type of service you're seeking. Generally cost is based upon volume of certificates to be issued, how "strong" you need the certificates to be, tools or support applications you'll need and liability issues.

C) OASIS first needs to determine the strength of certificates needed in order to establish identity proofing requirements and processes. Usually the processes feature a person or group appointed within the organization that serves as a registrar (the formal name is Registration Authority or RA). The RA will perform identity proofing of those seeking to obtain a certificate (based on procedures required by the CA) and, if valid, submit a certificate request to the CA. The CA will issue a certificate to the applicant.

D) The certificates are linked to a key-pair submitted by the applicant as part of the registration process. Keys are strings of intermixed letters and numbers - one key is kept by the applicant (called a private key) and the other submitted during application, called the public key (that's the "P" and "K" of PKI if you didn't know). It's the keys that do the work. They are used in cryptographic functions to "sign" and/or encrypt documents. A certificate holder can "sign" a document or message with their private key that someone else can later verify by getting the public key from the CA (usually at no cost to them). A verified signature provides a level of proof of who signed the document and additionally establishes that the document has not changed since it was "signed". The level of proof is related to how strong the certificate is. There are a lot of technical fine points to all of this, but I won't get into them so I can keep this short. Signing "official" OASIS standards or publications or voting for steering committee members are a couple of examples of how OASIS might use PKI.

E) The certificate (keys) are document-type agnostic, they only need to be digital. An organization might want to have different kinds of certificates, though. There can be different certificates to support discrete functions; signing, encryption and authentication. One certificate can be used for all functions but that may not be advisable depending on business needs. Also, some applications may need an add-on program to perform the functions but the CA service providers may offer those programs as part of the offering you might buy.

F) You asked a pretty good set of questions. You may have others after you've read the answers. I'm sure whatever they might be, anyone in the TC will be able to help. The question I always ask of any organization contemplating the use of PKI is "What do you want to use it for?" The answers should be related to a business value that might be improved. Too often companies just want the technology - those cases seldom have happy results.

I hope these answers are useful and not too ponderous. Someone may jump all over them because they are not technically spot-on or not detailed enough. My attempt was to give you a sense of what PKI is about.

Paul

-----Original Message-----
From: Mary McRae [mailto:mary.mcrae@oasis-open.org]
Sent: Monday, January 16, 2006 11:09 AM
To: pki-tc@lists.oasis-open.org
Subject: [pki-tc] digital signatures for OASIS standards

Hi folks,

About a month or so ago, Arshad suggested that OASIS establish a PKI and issue chairs digital certificates. Can you enlighten me on what it would take to implement such a proposal?

a) how do we obtain a PKI?
b) is there a cost associated?
c) how do we create digital certificates?
d) how are they applied to documents?
e) would you need a different certificate for each type of document? (pdf, odf, doc, etc.)?
f) any other questions that I haven't thought of?

Thanks; staff is very interested in this proposal.

Regards,
Mary

---------------------------------------------------
Mary P McRae
OASIS Manager of TC Administration
email: mary.mcrae@oasis-open.org
web: www.oasis-open.org
phone: 603.232.9090
cell: 603.557.7985
OASIS Symposium: The Meaning of Interoperability, 9-12 May, San Francisco
http://www.oasis-open.org/events/symposium_2006/

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com]
Sent: Thursday, December 15, 2005 2:39 PM
To: PKI TC
Subject: [pki-tc] OpenDoc and OASIS PKI

I just realized that as Chair of the Application Guidelines subcommittee, it becomes my responsibility to encourage movements towards the use of applications that use PKI effectively. ... As such, I believe OASIS should establish a PKI for its use and issue all Chairs digital certificates for signing official documents within its archives. The mechanics can be worked out once the principle is decided by vote by the TC.

Arshad Noor
StrongAuth, Inc.
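The issue-sign-verify flow that Paul sketches in C) and D), as an added example that is not part of the thread and not OASIS's or the TC's code. It plays the CA (self-signed root), issues a chair certificate after the (assumed) RA identity-proofing step, signs a document with the chair's private key, and then verifies as a reader would: check that the certificate chains to the trusted CA, take the public key out of the certificate, and check the signature. The choice of Ed25519 and Go's standard x509 library is mine; the CA and chair names and the document text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OasisPKI holds the CA certificate, one issued (chair) certificate and the
// chair's private key. In a real deployment the private key never leaves the
// chair's machine; it is only in one struct here to keep the demo self-contained.
type OasisPKI struct {
	CA       *x509.Certificate
	Chair    *x509.Certificate
	ChairKey ed25519.PrivateKey
}

// issue creates a certificate for pub, signed by signer. When template == parent
// and signer is pub's own private key, the result is a self-signed CA cert.
func issue(template, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SetupPKI plays CA and RA. The CA certificate is self-signed; the chair
// certificate is issued by the CA after identity proofing (assumed done here).
func SetupPKI() (*OasisPKI, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Signing CA (hypothetical)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, err
	}

	// The applicant generates the key pair; only the public half is submitted
	// with the certificate request.
	chairPub, chairKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	chairTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "TC Chair (hypothetical)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	chairCert, err := issue(chairTmpl, caCert, chairPub, caKey)
	if err != nil {
		return nil, err
	}
	return &OasisPKI{CA: caCert, Chair: chairCert, ChairKey: chairKey}, nil
}

// SignDocument is the chair's step: sign the document bytes with the private key.
func SignDocument(key ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(key, doc)
}

// VerifyDocument is the reader's step. It fails if the signer's certificate was
// not issued by the trusted CA, or if the document changed since it was signed.
func VerifyDocument(ca, signerCert *x509.Certificate, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signerCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := signerCert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	if !ed25519.Verify(pub, doc, sig) {
		return errors.New("signature does not match document")
	}
	return nil
}

func main() {
	pki, err := SetupPKI()
	if err != nil {
		panic(err)
	}
	doc := []byte("OASIS Standard: Example Spec v1.0 (constructed sample)")
	sig := SignDocument(pki.ChairKey, doc)
	fmt.Println("original verifies:", VerifyDocument(pki.CA, pki.Chair, doc, sig) == nil)
	tampered := append([]byte{}, doc...)
	tampered[len(tampered)-1] = 'X' // change one byte after signing
	fmt.Println("tampered verifies:", VerifyDocument(pki.CA, pki.Chair, tampered, sig) == nil)
}
```

The two checks in VerifyDocument are the two halves of Paul's "level of proof": the chain check ties the public key to a name the CA vouched for (identity), and the signature check ties that key to exactly these document bytes (integrity). A certificate from a different CA, or a document altered by a single byte, fails; the signature says nothing about the file format, which is why one certificate serves PDF, ODF and DOC alike.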