A NIST vision of PKI and e-Purchasing

Although this document is about digital signature formats, it does also as one of the examples, actually depict an e-purchasing scenario. Due to the latter, it should be reasonably fair to characterize this as a "vision" for how such procedures should be carried out according to NIST.

This well-written document faithfully reflects a cryptographer's view of the world. Cryptographers like to remap the physical world consisting of paper documents and wet signatures, into electronic documents and digital signatures. This notion is also highly appreciated by lawyers.

However, there is a fly in the soup; one-to-one mapping of paper-based processes into IT, seldom utilizes the power of IT to its fullest, and sometimes even lead to combining the inherent weaknesses of both worlds. e-purchasing is an example where most implementations have taken on server-centric, workflow approaches, eliminating the concept of a more or less tangible end-user document. Users of such systems rather deal with dynamically created "views" of transactions and transaction requests.

This difference is not only on the surface, it affects the process as well. In the NIST document, the purchasing manager "corrects" a quantity in the order request document itself which mirrors one common paper-world method of handling deviations. But in most e-purchasing systems, an order workflow does not terminate until an order request is 100% correct (=agreed upon by all parties involved), or is dismissed. Applied to the NIST example, if the purchasing manager disapproves a request, he or she simply adds a comment to the order request and sets status to "disapproved". After this operation, the original requester will be notified (by the purchasing system), and may change the request in the way he or she feels most suitable. The latter may not necessary just be about reducing the quantity, it could be as drastic as looking for another solution or scrapping the purchase altogether. After the changes have been performed, the order request must of course be resubmitted for approval. A requester though never has to check with his or her manager if an order request has been approved or not, since the status of a certain task is available for all authorized users to view anytime. This is one of the many advantages of moving processes from the paper-world's out- and inboxes to centralized work-flow servers.

What is notably absent from the NIST document, is the final step where the purchase order is delivered to the supplier. Since the de-facto standard since decades back is that electronic purchase orders are sent in "data-only" formats like EDI and XML without any kind of user-oriented formatting, the NIST vision would effectively require a total rewrite of the e-purchasing universe in order to be realized.

For those who have not digged deep into this matter, the above may seem pretty independent of PKI. But if you ever do this research you will find that these issues have major impact on every aspect of the PKI ecosystem, from the "fatness" of the PKI client software, to the need for "pass-through" cryptography in information systems, and last but not least; to which entity is holding the "ultimate private key", used for signing outgoing purchase orders.

A question arises: Is this unique for e-purchasing? IMHO it is not, e-purchasing schemes can with minor changes, perfectly well be mapped to numerous other e-government processes involving multiple individuals and/or agencies. The other example mentioned in the referred NIST document, review of an individual, would be easy to support in a similar type of transaction-server-centric workflow system.

egov message