pki-guidelines message


Subject: Re: [pki-guidelines] Re: [pki-guidlines] spc input please


Thanx Arshad,
Are you actually planning a real OASIS standard process?
Then we are likely talking about 18-24 months, 50-100 pages of detailed
information, hundreds of hours tel-cons, ballots and God knows what.

BTW, are there actually that many designers in the PKI-TC?

Regarding the draft, I think you should download MSFT's CAPICOM and see
how far you can actually go with an API approach.  I told an MSFT-rep that
if they can show me how you sign HTML with embedded images, I
will let WASP R.I.P.  They have not come back yet in spite of
having 12 months to figure out how to do it.  That is, it is the
"view" that seems to be the biggest problem, not the crypto
or the XML.

Anders


----- Original Message -----
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: <pki-guidelines@lists.oasis-open.org>
Cc: <swilson@lockstep.com.au>
Sent: Monday, October 17, 2005 22:02
Subject: [pki-guidelines] Re: [pki-guidlines] spc input please


Anders,

It's not that I don't like it; I don't believe it meets the requirements that I'm focusing on.  I am in the middle of validating
those requirements from 2 end-user customers which will drive this effort (as required by the Member Section of OASIS PKI-TC); as
soon as I receive their input, I will post it to the list for consensus.  If those requirements are met by WASP, then I believe
we have something we can work with; if not, we'll discuss as a group what will meet those requirements.

If you believe you can gather some end-user requirements that your contacts are willing to support, then please feel free to send
them the attached DRAFT, so they may add/subtract from these requirements.  Thanks.

Arshad Noor
StrongAuth, Inc.

> DRAFT requirements for the "Transaction-PKI" project
> ====================================================
>
> In order to provide improved security against rising risks,
> the following capabilities are desirable for web-applications:
>
> 1) The ability to digitally sign a web-form using public-key
>     cryptography with a local private-key - i.e. the private-key
>     must reside on the client side of the application;
>
> 2) The ability to encrypt web-form content using public-key
>     cryptography with public-keys embedded in the form, or that
>     can be found using URIs at encrypt-time;
>
> 3) The signing capability must be native in the browser; i.e.
>     there must be no downloaded applets or locally installed
>     plug-ins.  Just as the browser natively performs crypto
>     operations to establish an SSL/TLS session, it must so
>     perform the signing/verification of the form-content in the
>     transaction. The encryption/decryption capabilities must be
>     native to the browser too;
>
> 4) The signing capability must work with any locally-defined
>     crypto token, known to the browser, using either the CAPI
>     or PKCS#11 interfaces;
>
> 5) The capability must leverage existing standards such as
>     XHTML, JavaScript, XForms, XML Signature, XML Encryption,
>     OASIS Web Services Security, etc. where it can.  If new
>     code needs to be written, then the gap must be identified
>     and defined very clearly;
>
> 6) The capability must work with existing browsers - Firefox,
>     IE, Opera and Safari;


----- Original Message -----
From: Anders Rundgren <anders.rundgren@telia.com>
Date: Monday, October 17, 2005 12:05 pm
Subject: [pki-guidlines] spc input please

> Arshad,
>
> I'm still waiting on more info on what you had in mind regarding
> web signing.
> And I'm also curious to know what you don't like in WASP except
> that it does not encrypt.
>
> You may post that to the guideline list.
>
> But as I wrote.  Very little progress can be expected until
> somebody else also tries to cast the purchasing process in PKI.
>
> Anders
>
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "Stephen Wilson" <swilson@lockstep.com.au>
> Cc: "Anders Rundgren" <anders.rundgren@telia.com>
> Sent: Monday, October 17, 2005 15:15
> Subject: Re: Comments to the DoD - "Smart cards failed" analysis
>
>
> Sigh, because Anders persists on sending some e-mail to us
> directly rather than to the Applications Guidelines SC alias
> despite my request.  To be fair, he is starting to send some
> e-mail to the list.
>
> Stephen, please feel free to respond to the list by explicitly
> adding them to the mail header where you believe it to be
> appropriate.  Thanks.
>
> Arshad
>
> Stephen Wilson wrote:
>
> >
> > PS I am still not sure why this debate is happening between you
> > and Arshad and me.
> >
> >
> >
>


