pki-guidelines message


Subject: Re: [pki-guidelines] Re: Narrowing down electronic commerce

If we want to confirm what the survey respondents
meant by electronic commerce (since we didn't get
much response to our efforts to contact people
directly), why not just ask? I don't really want
to base a whole survey on this one fellow's opinions
just as I wouldn't want to base a whole survey on
one of the PKI TC members' opinions.

I suggest that we create a more general web survey
asking people to describe the needs and expectations
with respect to using PKI in Electronic Commerce.
Can we break down Electronic Commerce into certain
subcategories, as we did with Document Signing last
August? Here's a first cut:

* Interactive web-based purchasing (user involved,
   usually over HTTPS)

* Other interactive web-based operations (user involved,
   usually over HTTPS)

* Secure automated exchange of RFPs, POs, and other
   business documents between previously established
   business partners (maybe using a standard protocol
   such as EDI or ebXML)

* Dynamic bidding and establishment of business

Obviously, electronic commerce is not my thing.
I hope you can see what I'm thinking though.



Arshad Noor wrote:
> I have had the opportunity to exchange an e-mail conversation with
> one member that had responded to the PKI survey last year. He has
> provided a little more detail about his expectations of PKI within
> e-commerce.
> Summarizing, this is what transpired:
> 1) He believes that Client-SSL authentication should be prevalent;
> 2) He believes that it should be possible to digitally sign forms
>    for e-commerce transactions, and that PKI should make this easy;
> 3) He believes that the infrastructure should make it possible for
>    transactions to be encrypted easily;
> I think we all recognize that PKI supports all three capabilities
> today, but with the exception of #1, there is no "standard" way of
> digitally signing HTML forms, or encrypting transaction data.
> There used to be some technology out of Netscape that used
> JavaScript to generate digital signatures of form data, but I'm
> not sure the capability is supported anymore.
> In any case, I think, we need to validate these three requirements
> with the remainder of the respondents of the survey, and once
> validated, we need to determine next steps.
> I propose a brief questionnaire along the following:
> 1) What would enable you to issue digital certificates for Client
>    SSL authentication for authentication to e-commerce servers?
> 2) If a framework for enabling digital signatures in HTML forms
>    were available, would you use it in your e-commerce application?
> 2a) If yes, what features would you like to see in such a framework?
> 2b) If not, why not?
> 3) If a framework for enabling encryption of e-commerce transactions
>    were available, would you use it in your application?
> 3a) If yes, what features would you like to see in such a framework?
> 3b) If not, why not?
> If you all approve, I think, these 7 questions should be resent to
> the initial responders of the PKI survey.  Comments?
> Arshad Noor
> StrongAuth, Inc.
> Steve Hanna wrote:
>> Arshad,
>> I think there are two separate questions here:
>> 1) What did our survey respondents mean by
>>    "electronic commerce" when they rated it as
>>    the #3 most important PKI application?
>>    Probably the best way to find out the answer
>>    to this question would be to ask the actual
>>    survey respondents.
>> 2) What should they have meant? That is, what are
>>    the best applications of PKI in electronic
>>    commerce?
>>    In answering this second question, a financial
>>    analysis of the costs and benefits of PKI in
>>    several electronic commerce scenarios might be
>>    useful.
>> The Lower Costs SC has undertaken an in-depth
>> survey of PKI deployment costs. I'm somewhat
>> reluctant to duplicate this effort, especially
>> given the several other substantial projects
>> we have under way. I suggest that we set this
>> project aside until work on other PKI TC
>> Action Items is completed. However, I'm willing
>> to be convinced otherwise.
>> Speaking of other PKI TC work, how is the Application
>> Guidelines SC coming along? When can we have our first
>> meeting?
>> Thanks,
>> Steve
>> Arshad Noor wrote:
>>> Krishna, thanks for your input. Please feel free to continue in this
>>> discussion, if you wish.  If not, let me know and I'll leave you out
>>> of this thread in follow-up e-mails.
>>> Steve/David, please see comments below.  I think we need to bound the
>>> e-commerce risk problem very clearly to determine if PKI has a role
>>> in it, and if so, how big a role and where.  Please let me have your
>>> feedback.
>>> Steve, if you think this needs to go to the larger TC for discussion,
>>> please go ahead and forward it.
>>> Thanks.
>>> Arshad
>>> Krishna Sankar (ksankar) wrote:
>>>> Hi,
>>>>     Sorry for the delay in replying. I was on the road.
>>>>     To ascertain if PKI indeed is a barrier to ecommerce or to see if
>>>> PKI can enable ecommerce, IMHO we should:
>>>     I don't believe we need to ascertain whether PKI is a barrier or
>>>     an enabler of e-commerce.  If you look at the real world today, it
>>>     is neither.  Billions of dollars worth of goods and services are
>>>     purchased electronically on a daily basis (Server SSL certs don't
>>>     count since they haven't stopped phishing).  As such, PKI isn't
>>>     preventing people from doing e-commerce, nor is it keeping people
>>>     on the sidelines.
>>>     What I believe these people may have meant is that PKI can help
>>>     make e-commerce more secure, thus taking some/more of the risks out
>>>     of the equation for the players.  However the cost must be below
>>>     the level of potential damage from the risk.
>>>     To that extent, what might be a more useful questionnaire - sent
>>>     only to companies who are actively doing e-commerce today - is, the
>>>     following:
>>>     1) What is your annual revenue?
>>>     2) What percentage of this is due to e-commerce?
>>>     3) What percentage of your revenue is lost to fraud and theft?
>>>     4) What percentage of revenue lost to fraud or theft is because
>>>           of e-commerce?
>>>     5) Is there an upward, downward, flat trend to the percentage of
>>>         revenue lost due to fraud or theft?
>>>     6) How much do you spend on e-commerce infrastructure (hardware,
>>>         software, people, services)?
>>>     7) What percentage of that spend number is focused on risk
>>>         mitigation?
>>>     8) Is there an upward, downward, flat trend to the percentage
>>>         of e-commerce infrastructure spend number that is focused
>>>         on risk mitigation?
>>>     9) What are your top three causes for fraud and theft?
>>>     10) What would you like to see by way of risk mitigation from the
>>>         technology industry?
>>>     11) Other comments that you'd like to provide:
>>>     I think that a questionnaire such as this, sent to people doing
>>>     e-commerce, will provide quantitative data that bounds the risk
>>>     of e-commerce, and may provide us telling information whether the
>>>     companies are aware/focused/worried/ignorant about these risks.
>>>     I think we need to start looking at the problem from a higher
>>>     level, and then figure out how PKI can address these problems in
>>>     a way that other solutions cannot.  Next we need to show a cost
>>>     model for the solution that shows that it fits within the
>>>     percentage allocated for risk mitigation.
>>>     Once we've done this, I think we will have made a successful
>>>     argument for why PKI is good for e-commerce.
>>>>     a)    First find out areas of enablement and ask why and why not.
>>>> Where do folks feel PKI fits in and ask if it fulfills its promise
>>>>     b)    Most probably we would need to capture scenarios - touch
>>>> points of PKI in business processes
>>>>     c)    We need to explore the establishment of trust now and see if
>>>> PKI can simplify
>>>>     d)    I think it is not the PKI but the automation of the
>>>> processes that is impeding the progress of ecommerce
>>>>     e)    We should ask vendors how are they deploying PKI now - for
>>>> what processes and to what success
>>>>     f)    Another important source are the business - what and how do
>>>> they want PKI. We need to get into companies like Ford, Boeing, GE,
>>>> banks as well as international companies and governments.
>>>>     g)    We also might have to separate, compare and contrast PKI the
>>>> technology and business view of PKI functionality.
>>>>     Unfortunately like everybody else I am too booked to dig deeper.
>>>> Ecommerce used to be one of my focuses not anymore.
>>>> -k.
>>>> -----Original Message-----
>>>> From: Steve Hanna [mailto:Steve.Hanna@Sun.COM]
>>>> Sent: Monday, May 10, 2004 1:43 PM
>>>> To: Krishna Sankar
>>>> Subject: Narrowing down electronic commerce
>>>> Ages ago (last October), you agreed to help the PKI TC narrow down and
>>>> better understand what our survey respondents might have meant when
>>>> they rated electronic commerce as the #3 most important PKI application.
>>>> Are you still willing and able to help? If so, what approach do you
>>>> recommend?
>>>> Thanks,
>>>> Steve
