OASIS Mailing List Archives
egov message



Subject: Re: [egov] Brief report: G2G PKI in the Nordic Region


Anders,

I believe also that local federated services will become important
here.  There are too many issues with centralized registries for
broad G and C use carte blanche.   This is also a sector
I envision banks and such getting into - providing
authentication services for their customers in a trusted
federated commercial transaction network.  Essentially
smartcards and CCards are already in this
arena, and of course PDA and mobiles are next!

Citizens certainly need free choice in who they designate
as their authentication service.  Governments and large
enterprises will of course continue to manage their own
services however.

It's good to see people at least beginning to tackle these
issues.

As we continue the work on EPR - authentication
services and digital bags are obviously a vital part
of the coming mobile computing revolution.

Thanks, DW


----- Original Message ----- 
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <egov@lists.oasis-open.org>
Sent: Saturday, July 17, 2004 4:15 PM
Subject: [egov] Brief report: G2G PKI in the Nordic Region


> Maybe the following information regarding the current developments
> in the Nordic region could be of  some interest?
>
> Each of the Nordic countries' governments have more or less on
> their own, come to the conclusion that inter-authority (G2G) as well
> as future government-to-business (G2B) messaging should for numerous
> reasons be based on domain-based security which is similar to firewall
> deployment.  By doing that governments maintain message integrity,
> confidentiality and strong authentication (sometimes referred to as non-
> repudiation), without taking on a full-scale PKI project between the
> different authorities (internally, each authority is usually free to deploy
> client security solutions in their own pace, fitting their budgets and needs).
>
> Effectively each outgoing message is secured by a _single_ certificate,
> identifying only the authority with the aid of a registered organization-
> unique number and a common name.  Such certificates are issued by
> specifically designated TTPs.
>
> The most recent development is to extend this concept to also
> support country-to-country messaging!
>
> Due to the very few CAs involved (one or two in each country),
> and the simple, uniform and flat PKI structure, there is no need
> for any cross-certification or bridge CAs, in spite of the fact that
> such a network will eventually support millions of public sector
> employees, spread over several thousands of different authorities
> and communes, distributed over at least four countries.
>
> The following paper which was submitted to PKI Workshop 2003
> http://w1.181.telia.com/~u18116613/pki4org.pdf
> describes the principles and motives behind this scheme.
>
> These PKI developments are also closely aligned with current LDAP
> usage, here citing Verisign's Phillip Hallam-Baker:
>
>        "Paradoxically it is the value of  the directory as the
>          central hub of the enterprise information
>          infrastructure that constrains its use"
>
> At the next IETF meeting it has been said that there will be a
> Gateway Signing BOF.  Although I don't plan to attend, I have
> a feeling that this could be interesting as the scope of these
> concepts also applies to spam filtering because if an entire domain
> is recognized by a signature, ISPs will be much more cautious
> regarding spamming customers.
>
> Best Regards
> Anders Rundgren
> Consultant, e-infrastructure