Subject: Re: [pki-guidelines] Re: Narrowing down electronic commerce
Yes, I can see where you're going with this, Steve. Maybe the approach we should take is to state the three broad capabilities of PKI - strong authentication, digital signatures and encryption - with their benefits, and ask people how they'd apply it within their e-commerce applications in their industry, and what would encourage them to do so?

Arshad

Steve Hanna wrote:
> If we want to confirm what the survey respondents
> meant by electronic commerce (since we didn't get
> much response to our efforts to contact people
> directly), why not just ask? I don't really want
> to base a whole survey on this one fellow's opinions
> just as I wouldn't want to base a whole survey on
> one of the PKI TC members' opinions.
>
> I suggest that we create a more general web survey
> asking people to describe the needs and expectations
> with respect to using PKI in Electronic Commerce.
> Can we break down Electronic Commerce into certain
> subcategories, as we did with Document Signing last
> August? Here's a first cut:
>
> * Interactive web-based purchasing (user involved,
> usually over HTTPS)
>
> * Other interactive web-based operations (user involved,
> usually over HTTPS)
>
> * Secure automated exchange of RFPs, POs, and other
> business documents between previously established
> business partners (maybe using a standard protocol
> such as EDI or ebXML)
>
> * Dynamic bidding and establishment of business
> relationships
>
> Obviously, electronic commerce is not my thing.
> I hope you can see what I'm thinking though.
>
> Thanks,
>
> Steve
>
> Arshad Noor wrote:
>
>> I have had the opportunity to exchange an e-mail conversation with
>> one member that had responded to the PKI survey last year. He has
>> provided a little more detail about his expectations of PKI within
>> e-commerce.
>>
>> Summarizing, this is what transpired:
>>
>> 1) He believes that Client-SSL authentication should be prevalent;
>>
>> 2) He believes that it should be possible to digitally sign forms
>> for e-commerce transactions, and that PKI should make this easy;
>>
>> 3) He believes that the infrastructure should make it possible for
>> transactions to be encrypted easily;
>>
>> I think we all recognize that PKI supports all three capabilities
>> today, but with the exception of #1, there is no "standard" way of
>> digitally signing HTML forms, or encrypting transaction data.
>>
>> There used to be some technology out of Netscape that used
>> JavaScript to generate digital signatures of form data, but I'm
>> not sure the capability is supported anymore.
>>
>> In any case, I think, we need to validate these three requirements
>> with the remainder of the respondents of the survey, and once
>> validated, we need to determine next steps.
>>
>> I propose a brief questionnaire along the following:
>>
>> 1) What would enable you to issue digital certificates for Client
>> SSL authentication for authentication to e-commerce servers?
>>
>> 2) If a framework for enabling digital signatures in HTML forms
>> were available, would you use it in your e-commerce application?
>>
>> 2a) If yes, what features would you like to see in such a framework?
>>
>> 2b) If not, why not?
>>
>> 3) If a framework for enabling encryption of e-commerce transactions
>> were available, would you use it in your application?
>>
>> 3a) If yes, what features would you like to see in such a framework?
>>
>> 3b) If not, why not?
>>
>> If you all approve, I think, these 7 questions should be resent to
>> the initial responders of the PKI survey. Comments?
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>>
>> Steve Hanna wrote:
>>
>>> Arshad,
>>>
>>> I think there are two separate questions here:
>>>
>>> 1) What did our survey respondents mean by
>>> "electronic commerce" when they rated it as
>>> the #3 most important PKI application?
>>>
>>> Probably the best way to find out the answer
>>> to this question would be to ask the actual
>>> survey respondents.
>>>
>>> 2) What should they have meant? That is, what are
>>> the best applications of PKI in electronic
>>> commerce?
>>>
>>> In answering this second question, a financial
>>> analysis of the costs and benefits of PKI in
>>> several electronic commerce scenarios might be
>>> useful.
>>>
>>> The Lower Costs SC has undertaken an in-depth
>>> survey of PKI deployment costs. I'm somewhat
>>> reluctant to duplicate this effort, especially
>>> given the several other substantial projects
>>> we have under way. I suggest that we set this
>>> project aside until work on other PKI TC
>>> Action Items is completed. However, I'm willing
>>> to be convinced otherwise.
>>>
>>> Speaking of other PKI TC work, how is the Application
>>> Guidelines SC coming along? When can we have our first
>>> meeting?
>>>
>>> Thanks,
>>>
>>> Steve
>>>
>>> Arshad Noor wrote:
>>>
>>>> Krishna, thanks for your input. Please feel free to continue in this
>>>> discussion, if you wish. If not, let me know and I'll leave you out
>>>> of this thread in follow-up e-mails.
>>>>
>>>> Steve/David, please see comments below. I think we need to bound the
>>>> e-commerce risk problem very clearly to determine if PKI has a role
>>>> in it, and if so, how big a role and where. Please let me have your
>>>> feedback.
>>>>
>>>> Steve, if you think this needs to go to the larger TC for discussion,
>>>> please go ahead and forward it.
>>>>
>>>> Thanks.
>>>>
>>>> Arshad
>>>>
>>>> Krishna Sankar (ksankar) wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry for the delay in replying. I was on the road.
>>>>>
>>>>> To ascertain if PKI indeed is a barrier to ecommerce or to see if
>>>>> PKI can enable ecommerce, IMHO we should:
>>>>>
>>>> I don't believe we need to ascertain whether PKI is a barrier or
>>>> an enabler of e-commerce. If you look at the real world today, it
>>>> is neither. Billions of dollars' worth of goods and services are
>>>> purchased electronically on a daily basis (Server SSL certs don't
>>>> count since it hasn't stopped phishing). As such, PKI isn't
>>>> preventing people from doing e-commerce, nor is it keeping people
>>>> on the sidelines.
>>>>
>>>> What I believe these people may have meant is that PKI can help
>>>> make e-commerce more secure, thus taking some/more of the risks out
>>>> of the equation for the players. However the cost must be below
>>>> the level of potential damage from the risk.
>>>>
>>>> To that extent, what might be a more useful questionnaire - sent
>>>> only to companies who are actively doing e-commerce today - is the
>>>> following:
>>>>
>>>> 1) What is your annual revenue?
>>>> 2) What percentage of this is due to e-commerce?
>>>> 3) What percentage of your revenue is lost to fraud and theft?
>>>> 4) What percentage of revenue lost to fraud or theft is because
>>>> of e-commerce?
>>>> 5) Is there an upward, downward, flat trend to the percentage of
>>>> revenue lost due to fraud or theft?
>>>> 6) How much do you spend on e-commerce infrastructure (hardware,
>>>> software, people, services)?
>>>> 7) What percentage of that spend number is focused on risk
>>>> mitigation?
>>>> 8) Is there an upward, downward, flat trend to the percentage
>>>> of e-commerce infrastructure spend number that is focused
>>>> on risk mitigation?
>>>> 9) What are your top three causes for fraud and theft?
>>>> 10) What would you like to see by way of risk mitigation from the
>>>> technology industry?
>>>> 11) Other comments that you'd like to provide:
>>>>
>>>> I think that a questionnaire such as this, sent to people doing
>>>> e-commerce, will provide quantitative data that bounds the risk
>>>> of e-commerce, and may provide us telling information whether the
>>>> companies are aware/focused/worried/ignorant about these risks.
>>>>
>>>> I think we need to start looking at the problem from a higher
>>>> level, and then figure out how PKI can address these problems in
>>>> a way that other solutions cannot. Next we need to show a cost
>>>> model for the solution that shows that it fits within the
>>>> percentage allocated for risk mitigation.
>>>>
>>>> Once we've done this, I think we will have made a successful
>>>> argument for why PKI is good for e-commerce.
>>>>
>>>>
>>>>> a) First find out areas of enablement and ask why and why not.
>>>>> Where do folks feel PKI fits in, and ask if it fulfills its promise.
>>>>> b) Most probably we would need to capture scenarios - touch
>>>>> points of PKI in business processes.
>>>>> c) We need to explore the establishment of trust now and see if
>>>>> PKI can simplify it.
>>>>> d) I think it is not the PKI but the automation of the
>>>>> processes that is impeding the progress of ecommerce.
>>>>> e) We should ask vendors how they are deploying PKI now - for
>>>>> what processes and to what success.
>>>>> f) Another important source is the businesses - what and how do
>>>>> they want PKI? We need to get into companies like Ford, Boeing, GE,
>>>>> banks, as well as international companies and governments.
>>>>> g) We also might have to separate, compare and contrast PKI the
>>>>> technology and the business view of PKI functionality.
>>>>>
>>>>> Unfortunately, like everybody else, I am too booked to dig deeper.
>>>>> Ecommerce used to be one of my focuses, not anymore.
>>>>>
>>>>> -k.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Steve Hanna [mailto:Steve.Hanna@Sun.COM]
>>>>> Sent: Monday, May 10, 2004 1:43 PM
>>>>> To: Krishna Sankar
>>>>> Subject: Narrowing down electronic commerce
>>>>>
>>>>> Ages ago (last October), you agreed to help the PKI TC narrow down and
>>>>> better understand what our survey respondents might have meant when
>>>>> they rated electronic commerce as the #3 most important PKI application.
>>>>>
>>>>> Are you still willing and able to help? If so, what approach do you
>>>>> recommend?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Steve