[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: A NIST vision of PKI and e-Purchasing
Although this document is about digital signature
formats, it does also as one of the examples, actually depict an
e-purchasing scenario. Due to the latter, it should be reasonably
fair to characterize this as a "vision" for how such procedures should be
carried out according to NIST.
To my knowledge, this is currently the only document published by a US government body, describing the application of PKI to a multi-party business process. This well-written document faithfully reflects a
cryptographer's view of the world. Cryptographers like to remap the
physical world consisting of paper documents and wet signatures, into
electronic documents and digital signatures. This notion is also highly
appreciated by lawyers.
However, there is a fly in the soup; one-to-one
mapping of paper-based processes into IT, seldom utilizes the power of
IT to its fullest, and sometimes even lead to combining the inherent
weaknesses of both worlds. e-purchasing is an example where
most implementations have taken on server-centric, workflow
approaches, eliminating the concept of a more or less tangible end-user
document. Users of such systems rather deal with dynamically
created "views" of transactions and transaction requests.
This difference is not only on the surface,
it affects the process as well. In the NIST document, the
purchasing manager "corrects" a quantity in the order request
document itself which mirrors one common paper-world method of
handling deviations. But in most e-purchasing systems, an order workflow
does not terminate until an order request is 100% correct (=agreed
upon by all parties involved), or is dismissed. Applied to the NIST
example, if the purchasing manager disapproves a request, he or she simply
adds a comment to the order request and sets status to "disapproved".
After this operation, the original requester will be notified (by the
purchasing system), and may change the request in the way he or
she feels most suitable. The latter may not necessary just
be about reducing the quantity, it could be as drastic as looking for another
solution or scrapping the purchase altogether. After the changes have
been performed, the order request must of course be resubmitted for
approval. A requester though never has to check with his or her
manager if an order request has been approved or not, since the
status of a certain task is available for all authorized users to view
anytime. This is one of the many advantages of moving
processes from the paper-world's out- and inboxes to centralized work-flow
servers.
What is notably absent from the NIST document, is the final step where the purchase order is delivered to the supplier. Since the de-facto standard since decades back is that electronic purchase orders are sent in "data-only" formats like EDI and XML without any kind of user-oriented formatting, the NIST vision would effectively require a total rewrite of the e-purchasing universe in order to be realized. For those who have not digged deep into this
matter, the above may seem pretty independent of PKI. But if you
ever do this research you will find that these issues have major
impact on every aspect of the PKI ecosystem, from the "fatness" of the
PKI client software, to the need for "pass-through" cryptography in
information systems, and last but not least; to which entity is
holding the "ultimate private key", used for signing outgoing purchase
orders.
A question arises: Is this unique for
e-purchasing? IMHO it is not, e-purchasing schemes can with minor changes,
perfectly well be mapped to numerous other e-government processes involving
multiple individuals and/or agencies. The other example mentioned in the
referred NIST document, review of an individual, would be easy to support in a
similar type of transaction-server-centric workflow system.
Anders Rundgren
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]