Subject: RE: [pki-tc] PKI/e-business IETF draft co-editor
Todd,

The Government of Canada started our PKI development in 1996. Here is a link to the relevant web site: Government of Canada PKI. I don't think we have a "case study" type document, but you might find the information of some value. Have a look at it, and if you need more specific info let me know. That is our "internal" to GoC PKI. We also have a very large Government On-Line CA, which is part of our Secure Channel Project.

Ross

Ross Smith
PKI Secretariat | Secrétariat de l'ICP
IT Security (ITS) | Sécurité des TI (STI)
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada, Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
613-946-7735 | Smith.Ross@tbs-sct.gc.ca | facsimile/télécopieur 613-996-1476

-----Original Message-----

Anders,

Do you know of any good reference material that has detailed information regarding an actual implementation of PKI? I'm looking for something that is sort of a case study that explains what exactly was done, why, and what did not work and why it did not. Also, for now I'm more focused on internal PKI systems rather than something used for e-commerce, although an internal-use system with support for email encryption and digital signatures is of interest as well.

Thanks,

-----Original Message-----

David,

The commercial use of digital signatures is growing, but I claim that the sector I'm most involved in, B2B transactions, will be one of the last ones to use such. Mainly due to the almost total disconnect between PKI and business systems, not only on a technical ground (the thing the IETF draft is addressing), but basic questions like what kind of certificates you actually need. The enclosed discussion papers shed some light on this question. This part is, by the way, now discussed in the EU, and quite a number of countries now fully support the idea of legal-entity-only signatures, in spite of not having a counterpart in the physical world. Still, a number of people out there claim that this is "madness".

I also consider business models as represented by Identrus et al. (relying-party-paid) as a sure way to make B2B stay away from using PKI, or rather use their own PKI in a hub-and-spoke way (the big party issues certificates for their smaller customers/suppliers to use), which does not scale very well. As Bill Gates wrote already in 1995: there should be no markup on (non-payment) business transactions over the Internet, just inexpensive software. But banks, who have strong aspirations in the CA segment, have a long frustrating journey ahead of them before they finally realize that identification is not yet another payment system. Trust and identity, in contrast to payments, can be "settled" between two parties on their own, which makes the difference.

To my knowledge, not a single one of the numerous e-invoice projects run by banks over the world uses PKI. My guess is that PKI is rightfully experienced as too messy. Without working TTPs having reasonable offerings, shared secrets seem much simpler to deploy, as such can be communicated in simple ways, including verbally. PKI is technically redundant unless you achieve a peer-to-peer based operation, which is currently virtually non-existent for other reasons as well.

The only working PKI markets I know of are Web server certificates by VeriSign et al. and local PKIs supporting e-Governments. For individuals, the fact that the smart card industry has not, after 10 years or so, managed to come up with a standard PKI card and built-in support in major OSes still makes PKI "non-standard" in the eyes of IS-managers. To store certificates on the hard disk is not an alternative in a corporate environment.

BTW, I hope that the PKI-TC will address some or all of the issues raised here.

Anders

----- Original Message -----
To: Anders Rundgren ; pki-tc@lists.oasis-open.org
Sent: Thursday, February 27, 2003 22:00
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

The lack of commercial usage of digital signature technology is about to change.

David Sweigert, CISSP

----- Original Message -----
To: pki-tc@lists.oasis-open.org
Sent: Thursday, February 27, 2003 1:17 PM
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

David,

If you take a look at the link I supplied, it should give some indications of one area that I feel does not work too well. A PowerPoint is also available: http://www.x-obi.com/OBI400/PnPPKI4WS.ppt I.e. it is really Web Services that are addressed, as this is what most people believe is where both PKI and e-business will be in a relatively short period.

Below is an extract from another posting highlighting some basic problems that the work is supposed to address:

First it is important to note that digital signatures are virtually non-existent in B2B, so what follows here is "theory". Digital signatures have a major problem which did not exist in the paper world. A signature on paper is a technically imprecise way of giving "authenticity" to a document. A digital signature, on the other hand, identifies the signer in a technically very strong way. Now, let's say that you have an invoice from ACME Corp (using any of the rather arbitrary ways to identify this): what is the stronger part of the identity (i.e. the certificate) supposed to contain? And even worse, if you use personal signatures, what should these contain? John Doe at ACME Corp? Are business systems supposed to cross-check between the claimed identity in the business document and the certificate? I believe so, but here there is mostly zero interoperability and hardly any normative documents to find. Consortiums like ebXML don't touch such issues, and PKI folks typically shun business systems like the plague. In case anybody on this list is interested in this area (maybe even co-authoring), I'm currently toiling with an IETF draft (enclosed), trying to "marry" PKI and business systems.

It is worth noting that the e-Government in Sweden has (in their actual systems) not yet addressed the idea that a citizen of another EU country would use their certificate, which by the way is rather hard, as there is no universal way to express personal identities either. The qualified certificate standard does not require globally unique identities, so you could even end up with name conflicts! PKI is unfortunately an immature technology originally designed for sending e-mail between individuals, which is rather different to sending messages between or to "machines", as the latter only "compute", which is not equivalent to humans' "understand".

Best
Anders R

----- Original Message -----
From: "David Sweigert" <dgsweigert@airbridge.net>
To: "Anders Rundgren" <anders.rundgren@telia.com>; <pki-tc@lists.oasis-open.org>
Sent: Thursday, February 27, 2003 17:08
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

A short note:
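The cross-check Anders asks about above (does the identity claimed inside the business document agree with the signer's certificate?), as an added Python example that is not part of the thread or of any IETF draft: it parses an RFC 4514 subject DN string and compares its O and CN attributes with the seller and signer the invoice names, treating a subject with no CN as a legal-entity-only certificate. The invoice fields and the DN are constructed samples, and the match is on names only, which is exactly the non-uniqueness problem the posting raises.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the identity an invoice claims, as the receiving
# business system extracted it from the document itself.
SAMPLE_INVOICE = {"seller": "ACME Corp", "signer": "John Doe"}
# Constructed sample: subject DN of the certificate that signed the invoice.
SAMPLE_SUBJECT = "CN=John Doe,O=ACME Corp,C=SE"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514 string DN ('CN=John Doe,O=ACME Corp,C=SE') into a
    dict of attribute type -> value, unescaping backslash-escaped characters."""
    attrs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        atype, _, value = rdn.partition("=")
        attrs[atype.strip().upper()] = re.sub(r"\\(.)", r"\1", value.strip())
    return attrs


def _norm(name: str) -> str:
    """Case-fold and collapse whitespace: DN string values are not canonical."""
    return " ".join(name.casefold().split())


def cross_check(document: Dict[str, str], subject_dn: str) -> Tuple[bool, List[str]]:
    """Compare the identity claimed inside the document with the certificate
    subject. Returns (consistent, list of mismatches). A subject without CN is
    taken as a legal-entity-only certificate: accepted when the document names
    no personal signer, rejected when it does."""
    subj = parse_dn(subject_dn)
    problems: List[str] = []
    org, claimed_org = subj.get("O"), document.get("seller", "")
    if org is None or _norm(org) != _norm(claimed_org):
        problems.append(f"organisation mismatch: document={claimed_org!r} cert O={org!r}")
    person, claimed = subj.get("CN"), document.get("signer")
    if claimed and person is None:
        problems.append("document names a personal signer but certificate "
                        "identifies only the legal entity")
    elif claimed and _norm(person) != _norm(claimed):
        problems.append(f"signer mismatch: document={claimed!r} cert CN={person!r}")
    return (not problems, problems)


if __name__ == "__main__":
    print(cross_check(SAMPLE_INVOICE, SAMPLE_SUBJECT))  # (True, [])
```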