OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-guidelines message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pki-guidelines] Re: Narrowing down electronic commerce

Yes, I can see where you're going with this, Steve.

Maybe the approach we should take is to state the three
broad capabilities of PKI - strong authentication, digital
signatures and encryption - with their benefits, and ask
people how they'd apply it within their e-commerce
applications in their industry, and what would encourage
them to do so?


Steve Hanna wrote:
> If we want to confirm what the survey respondents
> meant by electronic commerce (since we didn't get
> much response to our efforts to contact people
> directly), why not just ask? I don't really want
> to base a whole survey on this one fellow's opinions
> just as I wouldn't want to base a whole survey on
> one of the PKI TC members' opinions.
> I suggest that we create a more general web survey
> asking people to describe the needs and expectations
> with respect to using PKI in Electronic Commerce.
> Can we break down Electronic Commerce into certain
> subcategories, as we did with Document Signing last
> August? Here's a first cut:
> * Interactive web-based purchasing (user involved,
>   usually over HTTPS)
> * Other interactive web-based operations (user involved,
>   usually over HTTPS)
> * Secure automated exchange of RFPs, POs, and other
>   business documents between previously established
>   business partners (maybe using a standard protocol
>   such as EDI or ebXML)
> * Dynamic bidding and establishment of business
>   relationships
> Obviously, electronic commerce is not my thing.
> I hope you can see what I'm thinking though.
> Thanks,
> Steve
> Arshad Noor wrote:
>> I have had the opprotunity to exchange an e-mail conversation with
>> one member that had responded to the PKI survey last year. He has
>> provided a little more detail about his expectations of PKI within
>> e-commerce.
>> Summarizing, this is what transpired:
>> 1) He believes that Client-SSL authentication should be prevalent;
>> 2) He believes that it should be possible to digitally sign forms
>>    for e-commerce transactions, and that PKI should make this easy;
>> 3) He believes that the infrastructure should make it possible for
>>    transactions to be encrypted easily;
>> I think we all recognize that PKI supports all three capabilities
>> today, but with the exception of #1, there is no "standard" way of
>> digitally signing HTML forms, or encrypting transaction data.
>> There used to be some technology out of Netscape that used
>> JavaScript to generate digital signatures of form data, but I'm
>> not sure the capability is supported anymore.
>> In any case, I think, we need to validate these three requirements
>> with the remainder of the respondents of the survey, and once
>> validated, we need to determine next steps.
>> I propose a brief questionnaire along the following:
>> 1) What would enable you to issue digital certificates for Client
>>    SSL authentication for authentication to e-commerce servers?
>> 2) If a framework for enabling digital signatures in HTML forms
>>    were available, would you use it in your e-commerce application?
>> 2a) If yes, what features would you like to see in such a framework?
>> 2b) If not, why not?
>> 3) If a framework for enabling encryption of e-commerce transactions
>>    were available, would you use it in your application?
>> 3a) If yes, what features would you like to see in such a framework?
>> 3b) If not, why not?
>> If you all approve, I think, these 7 questions should be resent to
>> the initial responders of the PKI survey.  Comments?
>> Arshad Noor
>> StrongAuth, Inc.
>> Steve Hanna wrote:
>>> Arshad,
>>> I think there are two separate questions here:
>>> 1) What did our survey respondents mean by
>>>    "electronic commerce" when they rated it as
>>>    the #3 most important PKI application?
>>>    Probably the best way to find out the answer
>>>    to this question would be to ask the actual
>>>    survey respondents.
>>> 2) What should they have meant? That is, what are
>>>    the best applications of PKI in electronic
>>>    commerce?
>>>    In answering this second question, a financial
>>>    analysis of the costs and benefits of PKI in
>>>    several electronic commerce scenarios might be
>>>    useful.
>>> The Lower Costs SC has undertaken an in-depth
>>> survey of PKI deployment costs. I'm somewhat
>>> reluctant to duplicate this effort, especially
>>> given the several other substantial projects
>>> we have under way. I suggest that we set this
>>> project aside until work on other PKI TC
>>> Action Items is completed. However, I'm willing
>>> to be convinced otherwise.
>>> Speaking of other PKI TC work, how is the Application
>>> Guidelines SC coming along? When can we have our first
>>> meeting?
>>> Thanks,
>>> Steve
>>> Arshad Noor wrote:
>>>> Krishna, thanks for your input. Please feel free to continue in this
>>>> discussion, if you wish.  If not, let me know and I'll leave you out
>>>> of this thread in follow-up e-mails.
>>>> Steve/David, please see comments below.  I think we need to bound the
>>>> e-commerce risk problem very clearly to determine if PKI has a role
>>>> in it, and if so, how big a role and where.  Please let me have your
>>>> feedback.
>>>> Steve, if you think this needs to go to the larger TC for discussion,
>>>> please go ahead and forward it.
>>>> Thanks.
>>>> Arshad
>>>> Krishna Sankar (ksankar) wrote:
>>>>> Hi,
>>>>>     Sorry for the delay in replying. I was on the road.
>>>>>     To ascertain if PKI indeed is a barrier to ecommerce or to see if
>>>>> PKI can enable ecommerce, IMHO we should :
>>>>     I don't believe we need to ascertain whether PKI is a barrier or
>>>>     an enabler of e-commerce.  If you look at the real world today, it
>>>>     is neither.  Billions of dollars worth of goods and services are
>>>>     purchased electronically on a daily basis (Server SSL certs don't
>>>>     count since it hasn't stopped phishing).  As such, PKI isn't
>>>>     preventing people from doing e-commerce, nor is it keeping people
>>>>     on the sidelines.
>>>>     What I beleive these people may have meant is that PKI can help
>>>>     make e-commerce more secure, thus taking some/more of the risks out
>>>>     of the equation for the players.  However the cost must be below
>>>>     the level of potential damage from the risk.
>>>>     To that extent, what might be a more useful questionnaire - sent
>>>>     only to companies who are actively doing e-commerce today - is, the
>>>>     following:
>>>>     1) What is your annual revenue?
>>>>     2) What percentage of this is due to e-commerce?
>>>>     3) What percentage of your revenue is lost to fraud and theft?
>>>>     4) What percentage of revenue lost to fraud or theft is because
>>>>           of e-commerce?
>>>>     5) Is there an upward, downward, flat trend to the percentage of
>>>>         revenue lost due to fraud or theft?
>>>>     6) How much do you spend on e-commerce infrastructure (hardware,
>>>>         software, people, services)?
>>>>     7) What percentage of that spend number is focused on risk
>>>>         mitigation?
>>>>     8) Is there an upward, downward, flat trend to the percentrage
>>>>         of e-commerce infrastructure spend number that is focused
>>>>         on risk mitigation?
>>>>     9) What are your top three causes for fraud and theft?
>>>>     10) What would you like to see by way of risk mitigation from the
>>>>         technology industry?
>>>>     11) Other comments that you'd like to provide:
>>>>         I think that a questionnaire such as this, sent to people doing
>>>>     e-commerce, will provide quantitative data that bounds the risk
>>>>     of e-commerce, and may provide us telling information whether the
>>>>     companies are aware/focused/worried/ignorant about these risks.
>>>>     I think we need to strart looking at the problem from a higher
>>>>     level, and then figure out how PKI can address these problems in
>>>>     a way that other solutions cannot.  Next we need to show a cost
>>>>     model for the solution that shows that it fits within the
>>>>     percentage allocated for risk mitigation.
>>>>     Once we've done this, I think we will have made a successful
>>>>     argument for why PKI is good for e-commerce.
>>>>>     a)    First find out areas of enablement and ask why and why not.
>>>>> Where do folks feel PKI fits in and ask if it fulfills it's promise 
>>>>>     b)    Most probably we would need to capture scenarios - touch
>>>>> points of PKI in business processes     c)    We need to explore 
>>>>> the establishment of trust now and see if
>>>>> PKI can simplify
>>>>>     d)    I think it is not the PKI but the automation of the
>>>>> processes that is impeding the progress of ecommerce
>>>>>     e)    We should ask vendors how are they deploying PKI now - for
>>>>> what processes and to what success
>>>>>     f)    Another important source are the business - what and how do
>>>>> they want PKI. We need to get into companies like Ford, Boeing, GE, 
>>>>> banks as
>>>>> well as international companies and governments.
>>>>>     g)    We also might have to separate, compare and contrast PKI the
>>>>> technology and business view of PKI functionality.
>>>>>     Unfortunately like everybody else I am too booked to dig deeper.
>>>>> Ecommerce used to be one of my focuses not anymore.
>>>>> -k.
>>>>> -----Original Message-----
>>>>> From: Steve Hanna [mailto:Steve.Hanna@Sun.COM] Sent: Monday, May 
>>>>> 10, 2004 1:43 PM
>>>>> To: Krishna Sankar
>>>>> Subject: Narrowing down electronic commerce
>>>>> Ages ago (last October), you agreed to help the PKI TC narrow down and
>>>>> better understand what our survey respondents might have meant when 
>>>>> they
>>>>> rated electronic commerce as the #3 most important PKI application.
>>>>> Are you still willing and able to help? If so, what approach do you
>>>>> recommend?
>>>>> Thanks,
>>>>> Steve

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]