pki-issues message



Subject: Notes from issues Subcommittee Meeting - November 11, 2003



Here are my notes from today's meeting as well as comments received to date.

Members of the Subcommittee who were not on today's call are welcome to participate. I have agreed to take on two Action Item categories in addition to pulling together the master list, and Sharon will be on travel beginning next week through the end of December, so other members are welcome to take on a category if you have time...this is explained in the attached meeting Notes. Just let me know.

Next Subcommittee Meeting: November 17, 2003 at 2PM

John

<<PKI Issues Subcommittee Meeting 111103 -DRAFT NOTES.doc>> <<[pki-issues] More PKI Action Plan comments>> <<[pki-comment] Public Comment>> <<[pki-issues] Feedback on PKI Action Plan>> <<[pki-issues] Comments from PKI Workshop concall participant>> <<[pki-comment] Public Comment>>


------------------------------------------------------------------
John T. Sabo, CISSP
Manager, Security Privacy and Trust Initiatives
Computer Associates International
2291 Wood Oak Drive
Herndon, Virginia, 20171
USA
Phone: +1 703-708-3037
Mobile: +1 443-629-6198

PKI Issues Subcommittee Meeting 111103 -DRAFT NOTES.doc

--- Begin Message ---
Here are some more comments on the PKI Action Plan.
I have removed identifying information to protect
the privacy of the person submitting the comments.

Thanks,

Steve

---------

In reviewing the draft action plan, an area of concern is
the usage of the term "interoperable". [...] This term is
overused and rarely clearly defined for the specific context
intended. Some vendors and participants may presume the
interoperability problem to exist between PKI implementations.
Others may recognize the interoperability problems as
being between applications enabled to use PKI and the
particular PKI implementations of interest. Still others
may choose to focus on application interoperability when the applications have been enabled to use the same PKI.
It would be helpful to clearly state the context and
boundaries of the term "interoperability".

I agree that reference implementations of PKI and
of applications enabled to use PKI will be a major
contributor to the success of ALL PKIs.  And as you
have said, if more focus is placed on specific
functional areas (such as certificate path validation)
for standardization rather than the proliferation of
substantially repetitive ways to "skin the cat", the
result will be better building blocks.  As we are seeing
in [my organization], the "build it and they will come"
mentality will only carry us so far.

Also, to answer one of your focus questions, I think that
to take two years for fruitful technical guidance may be
under-ambitious.  I understand by my own experience,
though, that the consensus-building effort can be tedious
and drawn out.

S/MIME Cryptographic Signature

--- End Message ---
--- Begin Message ---
Title: [pki-comment] Public Comment

Comment from: csalamon@mitre.org

I understand document signing and secure email as two of three top applications, but I am not sure what application "electronic commerce" refers to.



To unsubscribe from this list, send a post to pki-comment-unsubscribe@lists.oasis-open.org, or visit http://www.oasis-open.org/mlmanage/.


--- End Message ---
--- Begin Message ---
Here are some comments on the PKI Action Plan that
I received. Let's discuss them at our next meeting.

Thanks,

Steve

--------

I think this is a great effort and I really hope we
are successful. I only had a few comments after reviewing
the document:

Introduction
   I thought the final sentence of the last paragraph was a
   bit too definitive w/o any words to back it up:
   "Within two years, PKI deployment should be substantially
   easier". Perhaps that would be better moved to a conclusion
   section, after telling me about the action plan. Or you
   could insert "our primary goal is that" before "PKI deployment".

P. 4. end, typo: s/Because of/Because
p. 7. typo: s/should unbiased/should be unbiased

Action Items
   Although controversial, we might learn a lot by critiquing
   existing PKI-enabled applications and explaining the problems
   and/or how they could have made things simpler or more interoperable.

   There's been a trend in the standards in recent years to
   hide and reduce the complexity of PKI by moving it to servers
   (ex: XKMS, DPV/DPD, DSS) but most of these standards are still
   in development or haven't been in the market long enough or have
   had enough application support to know if they will be successful
   in that goal. Does the group plan to encourage deployment of
   these standards as a way to reduce the cost & complexity of
   applications using PKI?

   I think it is a fine goal to develop guidelines, etc for the
   3 most popular applications, but I think it would also be
   beneficial to document examples of why you should use (or pay for)
   these PKI-enabled applications. This might be addressed by the
   "provide educational materials" AI.

   I think the action items may be placing too much emphasis on
   applications and not enough on the infrastructure. You may
   be able to come up with a simple profile/guidelines for
   using and developing secure email, but if it is still too hard
   and too much cost to obtain and manage a certificate (or the
   benefits of using it are too low), then I think the ball stops
   there, so to speak.

S/MIME Cryptographic Signature

--- End Message ---
--- Begin Message ---
Here are some comments that Krishna Sankar sent me
after the PKI Labs & PKI Workshop concall. He gave
me permission to pass them on.

Also, I asked Krishna whether he could help us
define the e-commerce application more clearly
and work on addressing obstacles related to that.
He said yes! That will be helpful.

BTW, note that Krishna is an Observer in the PKI TC.

Thanks,

Steve

-------- Original Message --------
Subject: Comments on PKI discussions - E- business
Date: Tue, 21 Oct 2003 18:30:23 -0700
From: "Krishna Sankar" <ksankar@cisco.com>
Reply-To: <ksankar@cisco.com>
To: "'Steve Hanna'" <steve.hanna@sun.com>

Steve,

Thank you very much for the discussions we had today afternoon.

Have a couple of thoughts on the e-biz (actually a few ;-)). I used
to work on this when I was at HP and at Cisco.

a) Signing collaborative documents (eg. designs) between
   organizations
b) B2B transactions - Purchase orders, invoices, packing slips
c) Govt to Citizen and back - especially in Europe where they
   have cards and certs for citizens
d) Govt to Business - I think in Italy every business gets its
   own private key for signing stuff during incorporation
e) We need to find the e-biz scenarios, documents that folks
   want to sign, workflows and business processes involved et al. I used to
   be a member of the ETSI Electronic Signature group. Business scenarios and
   workflows are interesting, but are companies incorporating this? We
   need to find the hammer (govt laws) that need to be compliant and we have the
   use cases. HIPAA, the oxly.. And other laws might require secure signing.

-k.

> 
> -----Original Message-----
> From: Steve Hanna [mailto:steve.hanna@sun.com] 
> Sent: Monday, October 20, 2003 11:01 AM
> To: PKI TC
> 
> Here are a few highlights from today's meeting
> of the OASIS PKI Technical Committee:
> 
> 1) We agreed to change our usual meeting time. We'll still
>    meet on the third Wednesday of each month, but now we'll
>    alternate between 11:00 AM Eastern U.S. Time and 12:00 PM
>    (noon). This will be a bit more fair, alternating an
>    inconvenience for Western U.S. participants (starting
>    at 8:00 AM their time) with an inconvenience for U.K.
>    participants (ending at 6:00 PM their time). Our next
>    meeting will be:
> 
>    Date: Wednesday, November 19, 2003
>    Time: 12:00 PM (noon) Eastern U.S. Time
>    Concall # (the usual):
> 
> U.S.:     +1.888.827.2241 (toll-free)
> Non-U.S.: +1.706.679.8701
> Conference Code: 703-708-3037
> 
> 2) We agreed that the Issues Subcommittee (set up earlier
>    for another purpose) will now be rechartered to review
>    feedback on the draft PKI Action Plan and send summaries
>    and recommendations for changes to the PKI TC. The Issues
>    SC's membership and email address will not change. Please
>    send feedback on the Action Plan to this SC at
>    pki-issues@lists.oasis-open.org.
> 
> 3) We discussed several of the comments received in the
>    last few weeks. We agreed that I will make any changes
>    that were agreed to and forward a revised draft Action Plan
>    to the TC list for a brief review period. If there are no
>    objections, this draft will be posted on the TC web site.
> 
> I expect that John Sabo and June Leung will provide more
> complete minutes from the meeting soon, but I know that
> John is travelling now so this may take a while. I'm going
> to start acting on these decisions now, so I thought a
> brief summary email to the list would be wise.
> 
> Thanks,
> 
> Steve

S/MIME Cryptographic Signature

--- End Message ---
--- Begin Message ---
Title: [pki-comment] Public Comment

Comment from: sead@dsv.su.se

You have indicated four action items in your Action Plan. I think they all can be covered very effectively with two actions: (1) create an operational platform (middleware) with all necessary PKI functions, supported by, of course, PKI engines, clients, CA Servers, protocols, etc; and (2) create a set of educational materials for usage of PKI



If (1) is available it solves the first three items from your Action Plan: usage of APIs (object, methods) provides Application Guidelines, "backend" testing of different functions, objects, and protocols performed by interested vendors who support the same STANDARDIZED set of PKI functions solves your item 2, and do not ask application vendors what they need, just offer them ready-to-use Dev Platform for PKI services.



I am writing this suggestion on behalf of my company, SETECS Corporation, which has such a platform and we are willing to offer it experimentally to the interested members of the OASIS Consortium.



Regards,



Sead Muftic

President/CEO

SETECS Corporation

Rockville, MD



--- End Message ---

