OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-guidelines message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]



I apologize for posting my response (with your original e-mail)
publicly; but it is my opinion that issues such as these should
be aired publicly.  After all, we're a public forum made up of
volunteers, and side conversations are what create the perception
of conflict-of-interest.

Given that, I am a lot more optimistic about TPKI for 2006 than
you think.  While we in the TPKI project may appear to not have
made much progress, we are working through the required process
towards creating a standard and that's important in a standards

Contrary to your assertion, there are technologies afoot that
are bringing our goal closer to reality.  I've already mentioned
XML Signature, XML Encryption and OASIS' Web Services Security;
here is another piece of the puzzle that is filling out the
picture: AJAX (Asynchronous Java and XML); see

Technology is already becoming available in browsers to convert
form data into an XML document, which is but one hop away from
creating an XML Signature.  So, as much as you think that there
is no progress in this arena, and that native-browser supported
signing is not feasible in the short-term, it is closer than you

We are not outsourcing the design work; we are merely requesting
resources to review technologies such as the above and to provide
us more detailed analysis that we cannot complete by ourselves.
One way to keep the effort moving forward is for the TPKI team
members to perform the analysis themselves and provide the input
to the team.

For instance, I have looked at XML Signatuers, XML Encryption and
WSS fairly closely and believe that this is the mechanism for
supporting the capability we want in Browser-to-Application signing
and encryption.  WSS provides a higher layer that simplifies some
of the detail.  Implementations are available today from many
vendors (including your employer); what remains is for these
technologies to get into the browser - but they're getting there.

If you'd like to help in the meantime, please feel free to review
the IBM technology and how it can be used with XML Signature to
sign form content.  However, if your day-work does not leave you
much time for this, we will wait for the Member SC-funded resource
to review this.

We all have reasons for participating in volunteer efforts like
this, Anders; but there's no denying that all of us are interested
in advancing PKI technology.  After what some vendors have done by
over-zealously hyping it and nearly killing the market, only true
believers would stick around promoting PKI even as the market is
struggling to find answers to security problems.

Arshad Noor
StrongAuth, Inc.

Anders Rundgren wrote:
> Hi Guys,
> I do not feel comfortable posting this on the public list but please 
> read it anyway.
> I hope you don't mind me saying this but I can hardly believe that we 
> can go on for another year without any schedules for publishing 
> guidelines and for the progression of the Transaction PKI project.
> If we neither consider us having the time or the competence to do these 
> tasks, I wonder if it would not be more interesting for both ourselves 
> and in particular our "audience", if we settle for something less 
> ambitious but actually doable.
> ------------------------------------------------------------------------
> /*Since the PKI-2-App integration issue tops every survey I have seen, 
> it would be a pity if we like everybody else "chicken out" on this part 
> just because it is hard*/
> ------------------------------------------------------------------------
> *The Transaction PKI project*
> I am also skeptical to the idea of "outsourcing" the Transaction PKI 
> work to an external party because this idea must be based on an 
> assumption that this is an easy task.  Only the number of outstanding 
> issues regarding the encryption requirement shows that this is not the 
> case.  If the SC assumes that my concerns are ill-founded, I suggest 
> that we immediately hire somebody to get further.  This person will 
> though most likely only confirm that 5Y+ of secure web application 
> design may have taught me something about what actually works and what 
> does not. 
> Regarding the research part of Transaction PKI, quite a bit of that was 
> already published two years ago, and in many different forums:
> http://web.telia.com/~u18116613/OnLineWebSignatureStandardRequest.pdf
> Nothing of this has AFAIK changed to date.
> BTW, APIs *cannot* be called from Web pages, no matter how nice that 
> would be.  Only specific "trusted" APIs and applications can be called, 
> which is another thing that unfortunately is in conflict with the 
> Transaction-PKI requirement to not add extensions or plugins.  This 
> statement can easily be verified by talking to a another browser 
> security specialist.
> *Another Transaction PKI*
> Although I may [surely] be biased, I am interested in donating the WASP 
> project to Transaction PKI.  Launch is only 4-6 months away so it would 
> bring things up to speed by a couple of years or so.  Naturally, *I* 
> would NOT be named as the sole designer in such a scenario.
> *The Wiz-Kid*
> Anyway, if we are going to make a dent in the real world we simply have 
> to hire an external force as a "sparring partner", not as a designer or 
> similar!
> *If it does not work out*
> The PKI-TC may have another mission to fill for you guys like promoting 
> your career or business (a perfectly valid reason), but I am personally 
> more interested in getting something done for the entire PKI community.  
> Due to this I feel tempted to drop my engagement in the PKI-TC unless I 
> see some more concrete work in the app section.
> regards
> Anders Rundgren

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]