OASIS Mailing List Archives

pki-tc message



Subject: Proposed changes to PKI Action Plan


Here is a summary of changes to the PKI Action Plan
that have been suggested during the last few weeks
of confidential review. I have divided these proposed
changes into two categories:

1) those that I think may be controversial or that are
   especially substantive and should therefore be discussed
   in the PKI TC meeting on Monday

2) those that I don't think we need to discuss, since
   there is probably a consensus on them

Please bring this email to our Monday meeting so we
can discuss these changes. If you have received any
other suggestions for changes, please send them to
the PKI TC email list. Also let me know if you think
I have missed any changes sent to the PKI TC list.

I will note here again that I am concerned the PKI TC
will become overwhelmed by the volume of comments.
I expect this will be even more of a problem once we
open the document up for public review. I suggest again
that we consider creating an Action Plan editing committee
that would receive comments, evaluate them to decide
how they should be handled, and send periodic reports
to the PKI TC on what comments have been received and
how they have been handled. I will raise this as a
formal proposal at our meeting on Monday.

Thanks,

Steve

P.S. I'm a little concerned about copyright issues when
taking changes verbatim from someone's suggestion. Unless
we have explicit permission from an author to use their
wording in our Action Plan, I will reword things enough
to resolve copyright concerns. Sun Microsystems (my employer)
has agreed to donate copyright on my work on this document
to OASIS. And I'm going to considerable lengths to make
sure that I don't copy text from anywhere.

-------

Proposed Changes to be discussed:

1. From John Sabo

The comment, "Within two years, PKI deployment should be
substantially easier." may be too optimistic given harsh reality. How
about "The PKI TC believes that a serious effort by industry
practitioners to execute the action plan will contribute to increased
usage." -- or something along those lines.

2. From John Sabo

In seeking comments on the action plan, I suggest a bit more
specificity in what we are asking for with respect to comments, and
perhaps a more direct request for help in developing a multi-faceted
plan, with the TC working with other bodies, vendors, users, etc. to
achieve our goals of accelerated use of PKI.

I suggest that we more directly seek input from a variety of
stakeholders as to the viability of the plan, the relative importance of
action steps, the resources and level of effort necessary to achieve
specific deliverables, work already underway or planned which will
address these issues, the appropriate bodies internationally that may be
best positioned to deal with specific actions, and whether (and how)
such a plan should be coordinated among stakeholders.  

I am suggesting this in part because major efforts have been undertaken
(e.g., EEMA PKI Challenge) with huge resource investments, and they have
come up with some progress, but no ultimate solution on very specific
issues.  I just think the plan suggests that the task is easily
achieved...may be read by some experienced people that we are perhaps a
bit naive regarding the complexity of the issues etc.  My suggestion
then would be to directly acknowledge the challenge and yet offer the
action plan as an effort to establish a multi-faceted and coordinated
effort.

At the ISSE2003 conference there has been lots of talk about PKI, and
how it never achieved its promise, how most of the issues aren't
technical, etc etc...a very big context and lots of activities have been
undertaken, and yet there are large deployments coming about (e.g.,
Spanish e-Identity card) despite the obstacles -- hence my suggestions
about acknowledging such efforts, and seeking assistance in building an
industry-wide plan.

3. From HEPKI-TAG:

* There are lots of educational materials on PKI
  available now. What's wrong with them? 
* End user materials are needed.
* Managers don't understand the benefits of PKI.

4. From HEPKI-TAG:

* There's too much focus on technology. We need to
  focus on applications. Understand what people need
  and why. Then we can show how PKI (or alternatives)
  can address that.

5. From HEPKI-TAG:

* There are lots of user interface problems. Users
  should be able to control whether they encrypt
  email messages on their hard disk (which is sometimes
  undesirable).

6. From HEPKI-TAG:

* We need more training for auditors on how to audit
  lightweight and heavyweight PKI installations.

7. From HEPKI-TAG:

* Prebaked PKI configurations have been tried and
  they weren't used. Like PKI Lite.
* The reason why they haven't been used is that it's
  so hard to get lightweight CA and application software.

8. From HEPKI-TAG:

* With web-based PKI, there's no way to force the
  user to reauthenticate. That's a problem if the
  user has walked away from their desk, leaving
  their smart card or soft token activated.

9. From HEPKI-TAG:

* Are you [the PKI TC] going to act before February?

10. From HEPKI-TAG:

* Applications should use the PKI support that's built
  into the operating system. Then they'll get smart card
  support automatically.

11. From a HEPKI-TAG Member:

> Too Much Focus on Technology, Not Enough on Need [highly ranked]

Instead of "more education for management and users" (which is like
saying "You're not smart enough!") I think what you're hearing is
level-headed folks pointing out that PKI is not magic pixie dust.  I
think the appropriate response to this one is to focus on applications
and specific requirements of significant user communities.

That's what you're starting to do in terms of the focus on application
guidelines for document signing, secure email and electronic commerce,
so that's good.

> Ask Application Vendors What They Need

In concert with the comment above, I think asking *user* communities
what they need is really important.  E.g. what do they want in terms
of that nebulous "electronic commerce"?  Does that really mean "I want
to make money so I'll go where the money is - commerce?", or does it
mean something else more helpful?

E.g. what aspects of "secure email" are they really looking for?
Absence of spam?  Confidentiality?  Authentication?  Might non-PKI
methods (e.g. opportunistic encryption of smtp and/or other changes to
the email infrastructure) be more feasible?

12. From a HEPKI-TAG Member:

And on document signing, for me the biggest issue is document formats
and providing some assurance that what you signed is what you saw.
Both of these are hard in the current environment.  The most popular
"document" formats are proprietary, complex and very susceptible to
making them look one way when signed and another way when validated.
This makes interoperability pretty hard.

An update on xml-signature would be nice.  But I'm personally still a
fan of plain text signed with S/MIME or PGP until something better
comes along.

13. From Anders Rundgren:

AFAIK web-based signing in spite of being a much needed
feature for on-line activities is not even a standards task.
Every bank, e-government have therefore to deploy their
own unique or purchased signature plugin.

14. From Anders Rundgren:

It seems that the standards used for on-line certification suffer
from a real-world disconnect as well as being non-standard.
Microsoft's Xenroll is a non-portable solution.  I'm
puzzled that nobody digs into this as on-line certification
schemes are the only thing that scales.  The real-world
disconnect is that in all *real* certification schemes for
individuals the *provider* wants to control every parameter
it can.  BTW, if somebody is interested in this area I'm
interested in doing something here!

15. From Anders Rundgren:

AFAIK none of the major leading or obscure vendors
of PKI-enabled cards have donated support to Windows.

16. From FPKITWG:

In further discussion of costs, ROI was mentioned by some as
the real key to addressing costs. Others, including Michele
Rubenstein, expressed the view that someone needs to come up
with documentation on the total cost of ownership for PKI, not
just ROI. She mentioned some related work that the Directory
Forum in the Open Group is pursuing for directory. 

17. From FPKITWG:

The only real discussion of the action plan was around testing.
The PKITS and NIST Protection Profiles are familiar to this
group and will address interop issues that relate to conformance
(as well as a common set of functions for all clients). However
for non-path-validation topics there was some interest in the
Open Group taking up a role for other testing. Note that there
were some Open Group folks in the room and it was they who
expressed this interest.

Proposed Changes to be made without discussion:

1. From John Sabo:

In the introduction, para 2: "But high costs and interoperability
problems have limited the use of PKI."

I'd suggest saying "But a number of barriers, including lack of
applications, high costs, poor understanding of its benefits, and
interoperability problems have contributed to the limited use of PKI."

2. From John Sabo:

Last Paragraph, Section 2.0: I would suggest deleting the sentence,
"Membership fees are quite low, especially for individuals and
non-profit organizations."  This seems to make it more like a commercial
than an invitation.
