[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Y2006 - PKI-TC-GUIDELINES@X-ROADS
Anders, I apologize for posting my response (with your original e-mail) publicly; but it is my opinion that issues such as these should be aired publicly. After all, we're a public forum made up of volunteers, and side conversations are what create the perception of conflict-of-interest. Given that, I am a lot more optimistic about TPKI for 2006 than you think. While we in the TPKI project may appear to not have made much progress, we are working through the required process towards creating a standard and that's important in a standards effort. Contrary to your assertion, there are technologies afoot that are bringing our goal closer to reality. I've already mentioned XML Signature, XML Encryption and OASIS' Web Services Security; here is another piece of the puzzle that is filling out the picture: AJAX (Asynchronous Java and XML); see http://www-128.ibm.com/developerworks/webservices/library/ws-ajax1/ Technology is already becoming available in browsers to convert form data into an XML document, which is but one hop away from creating an XML Signature. So, as much as you think that there is no progress in this arena, and that native-browser supported signing is not feasible in the short-term, it is closer than you think. We are not outsourcing the design work; we are merely requesting resources to review technologies such as the above and to provide us more detailed analysis that we cannot complete by ourselves. One way to keep the effort moving forward is for the TPKI team members to perform the analysis themselves and provide the input to the team. For instance, I have looked at XML Signatuers, XML Encryption and WSS fairly closely and believe that this is the mechanism for supporting the capability we want in Browser-to-Application signing and encryption. WSS provides a higher layer that simplifies some of the detail. Implementations are available today from many vendors (including your employer); what remains is for these technologies to get into the browser - but they're getting there. If you'd like to help in the meantime, please feel free to review the IBM technology and how it can be used with XML Signature to sign form content. However, if your day-work does not leave you much time for this, we will wait for the Member SC-funded resource to review this. We all have reasons for participating in volunteer efforts like this, Anders; but there's no denying that all of us are interested in advancing PKI technology. After what some vendors have done by over-zealously hyping it and nearly killing the market, only true believers would stick around promoting PKI even as the market is struggling to find answers to security problems. Arshad Noor StrongAuth, Inc. Anders Rundgren wrote: > Hi Guys, > I do not feel comfortable posting this on the public list but please > read it anyway. > > I hope you don't mind me saying this but I can hardly believe that we > can go on for another year without any schedules for publishing > guidelines and for the progression of the Transaction PKI project. > > If we neither consider us having the time or the competence to do these > tasks, I wonder if it would not be more interesting for both ourselves > and in particular our "audience", if we settle for something less > ambitious but actually doable. > > ------------------------------------------------------------------------ > /*Since the PKI-2-App integration issue tops every survey I have seen, > it would be a pity if we like everybody else "chicken out" on this part > just because it is hard*/ > ------------------------------------------------------------------------ > > *The Transaction PKI project* > I am also skeptical to the idea of "outsourcing" the Transaction PKI > work to an external party because this idea must be based on an > assumption that this is an easy task. Only the number of outstanding > issues regarding the encryption requirement shows that this is not the > case. If the SC assumes that my concerns are ill-founded, I suggest > that we immediately hire somebody to get further. This person will > though most likely only confirm that 5Y+ of secure web application > design may have taught me something about what actually works and what > does not. > > Regarding the research part of Transaction PKI, quite a bit of that was > already published two years ago, and in many different forums: > http://web.telia.com/~u18116613/OnLineWebSignatureStandardRequest.pdf > Nothing of this has AFAIK changed to date. > > BTW, APIs *cannot* be called from Web pages, no matter how nice that > would be. Only specific "trusted" APIs and applications can be called, > which is another thing that unfortunately is in conflict with the > Transaction-PKI requirement to not add extensions or plugins. This > statement can easily be verified by talking to a another browser > security specialist. > > *Another Transaction PKI* > Although I may [surely] be biased, I am interested in donating the WASP > project to Transaction PKI. Launch is only 4-6 months away so it would > bring things up to speed by a couple of years or so. Naturally, *I* > would NOT be named as the sole designer in such a scenario. > > *The Wiz-Kid* > Anyway, if we are going to make a dent in the real world we simply have > to hire an external force as a "sparring partner", not as a designer or > similar! > > *If it does not work out* > The PKI-TC may have another mission to fill for you guys like promoting > your career or business (a perfectly valid reason), but I am personally > more interested in getting something done for the entire PKI community. > Due to this I feel tempted to drop my engagement in the PKI-TC unless I > see some more concrete work in the app section. > > regards > Anders Rundgren > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]