
pki-education message


Subject: Follow up documents from Stephen Wilson

-----Original Message-----
From: Stephen Wilson [mailto:swilson@lockstep.com.au]
Sent: Thursday, April 29, 2004 3:03 PM
To: June Leung
Cc: 'pki-education@lists.oasis-open.org'
Subject: Re: Reminder - Conference call tomorrow - April 29/04 at 2pm EST

Dear All

Here are some links and materials.  I haven't found links as yet for some of
the materials but I am sure I can exert some influence to get them online,
or otherwise released for re-distribution by OASIS.

A comment regarding the categories.  Some interesting material falls more
in the area of public policy and/or governance than any of the four
categories in the action plan.  I wonder if in future we should introduce
a governance category?  Or is it OK to view governance issues under the
category of Benefits/Value?

Also, someone on the call today mentioned Peter Gutman.  He is a notable
New Zealand-based academic who maintains a very good link farm.  But
please be aware that Dr Gutman is an energetic campaigner against PKI.  In
my view, much of his analysis of PKI is dated, narrow and biased, and does
little to advance the PKI debate.

Category Applicability:

"Position Statement on PKI of the Australian Security Industry"
By the Australian IT Security Forum, white paper Nov 2003
See www.aitsf.aeema.asn.au/resources/doc/documents_10.pdf

See extract below on characteristics of good PKI applications.  The paper
mentions the American Express Blue Card which I think hasn't actually
turned on all of its PKI functions as yet.  Some of you folks in the US
might know more details, or could research them.  I believe the Amex Blue
offers wonderful insights into embedded PKI.

Category Benefits/Value:

"PKI lessons from Australia"
By the Australian IT Security Forum
Slide presentation to the Global eBusiness Forum
Geneva Switzerland 9 December 2003
See attached file, not available online as yet. 

The slides include brief case studies from Taxation and Health in
Australia and a few other projects around the region, in HK and New
Zealand.  I can get more expanded details and links in the next two weeks.

Category All:
Hong Kong PKI Forum International Conference 2003
The Usage of PKI in e-Business
15 - 16 September 2003
Most papers available at http://www.hkpkiforum.org.hk/resources.htm

Good international conference with lots of case studies.  In particular: 

Bank of East Asia: PKI in net banking

HK Post: the national smart ID card (though in my personal opinion the PKI
applications leveraging this smartcard to date have been over-hyped, but I
think the platform is brilliant and will attract better applications in
the near future)

Baltimore Technologies presented a lot of European case study material


Steve Wilson.

Stephen Wilson
Lockstep Consulting
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046

P +61 (0)414 488 851



Good applications for PKI

Reviewing the ... basic benefits of digital signatures helps us to tell
which types of e-business applications should be implemented with PKI.
Good applications for PKI have the following features:
 • Relatively high transaction volume
 • Fully automatic processing (or “straight-through” processing)
 • Multiple receivers
 • Significant risk of dispute or need to “re-wind”
 • Requirement to retain quality electronic evidence over long periods of

A case study in application-specific digital certificates

If digital certificates are constrained to specific applications, then
they are much simpler to implement than first generation general purpose
PKI. Consider the American Express Blue credit card, a new PKI-enabled
smartcard. When you sign up for an American Express Blue card, you agree
to regular credit card terms and conditions. That is, you agree to keep
your PIN secret, not let anyone else use your card, report its loss, and
so on. You are not required to read a CPS; you are not required to
undertake intensive technical training. The American Express Blue card PKI
is completely embedded, so card holders don’t even know it is there.

We call this an example of “scheme based” PKI. It is much simpler than
first generation general purpose PKI, in terms of ease of use,
registration, regulation and legal liability. This simplification is
possible because the American Express Blue digital certificate is tightly
constrained. It cannot be used to sign or encrypt generic e-mails, nor to
authenticate ordinary SSL connections. In future, only software
applications approved by American Express will be able to access the PKI
functions embedded in the Blue card. American Express will closely
regulate all applications which use its smartcard.

A new interpretation of what digital certificates mean

This experience lets us interpret the meaning of digital certificates in a
powerful new way. First generation digital certificates represented
personal identity. Now, application-specific digital certificates can
represent membership of some defined community, for example a credit card
scheme, a professional association, an employer, a government agency, a
board of directors, and so on. Each community will have an associated set
of e-business applications, with their own special terms & conditions.
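The extract above describes a "scheme based" certificate that is tightly constrained: it cannot be used for generic e-mail or ordinary SSL, and only applications approved by the scheme can use it. The following is an added example, not code from the paper or from American Express, showing one way such a constraint is expressed and enforced in X.509 terms. It assumes the scheme marks its certificates with a private extended key usage OID (the arc 1.3.6.1.4.1.99999 is made up here; the paper does not say how the Blue card certificate is actually constrained). A generic relying party asking the standard Go verifier for TLS server or e-mail use is refused with an incompatible-usage error, while an approved scheme application checks the chain and then the scheme's own OID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SchemeEKU is a hypothetical extended key usage OID meaning "this scheme's
// own applications". The arc under 1.3.6.1.4.1.99999 is made up for this
// example; the paper quoted above does not say how the Blue card certificate
// is constrained, only that it cannot serve e-mail or ordinary SSL.
var SchemeEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 7, 1}

// issue signs template with the parent's key and re-parses the DER so the
// returned certificate is exactly what a relying party would see.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildSchemeChain creates a self-signed scheme CA and one cardholder
// certificate. Both carry SchemeEKU as their only extended key usage, so the
// constraint holds at every level of the chain, not just on the leaf.
func buildSchemeChain() (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Card Scheme CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		UnknownExtKeyUsage:    []asn1.ObjectIdentifier{SchemeEKU},
	}
	ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: "Cardholder 0001"}, // constructed sample subject
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.AddDate(3, 0, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{SchemeEKU},
	}
	leaf, err = issue(leafTmpl, ca, &holderKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// verify runs the standard chain check against the scheme CA for the given
// extended key usages.
func verify(leaf, ca *x509.Certificate, usages []x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usages})
	return err
}

// acceptForUsage is the question a generic relying party (TLS stack, mail
// client) asks. With only SchemeEKU on the chain the verifier answers with an
// IncompatibleUsage error.
func acceptForUsage(leaf, ca *x509.Certificate, usage x509.ExtKeyUsage) error {
	return verify(leaf, ca, []x509.ExtKeyUsage{usage})
}

// acceptForScheme is the check an application approved by the scheme runs:
// chain validity first, then the scheme's own OID on the leaf. ExtKeyUsageAny
// makes Verify skip its built-in EKU matching, which cannot name a private OID.
func acceptForScheme(leaf, ca *x509.Certificate) error {
	if err := verify(leaf, ca, []x509.ExtKeyUsage{x509.ExtKeyUsageAny}); err != nil {
		return err
	}
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(SchemeEKU) {
			return nil
		}
	}
	return errors.New("certificate not issued under this scheme")
}

// isIncompatibleUsage reports whether err is the verifier's "wrong EKU" verdict.
func isIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	ca, leaf, err := buildSchemeChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("TLS server auth:", acceptForUsage(leaf, ca, x509.ExtKeyUsageServerAuth))
	fmt.Println("e-mail protection:", acceptForUsage(leaf, ca, x509.ExtKeyUsageEmailProtection))
	fmt.Println("scheme application:", acceptForScheme(leaf, ca))
}
```

The point the paper makes in policy terms shows up here as a property of the chain: the same certificate is unusable to a browser or mail client without any action by the cardholder, and the scheme decides which software may treat the scheme OID as meaningful. Putting the EKU on the CA as well as the leaf means a scheme-issued intermediate cannot later be used to mint general-purpose certificates.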
