Subject: Notes from issues Subcommittee Meeting - November 11, 2003
Here are my notes from today's meeting as well as comments received to date.
Members of the Subcommittee who were not on today's call are welcome to participate. I have agreed to take on two Action Item categories in addition to pulling together the master list, and Sharon will be on travel beginning next week through the end of December, so other members are welcome to take on a category if you have time... this is explained in the attached meeting Notes. Just let me know.
Next Subcommittee Meeting: November 17, 2003 at 2PM
John
<<PKI Issues Subcommittee Meeting 111103 -DRAFT NOTES.doc>> <<[pki-issues] More PKI Action Plan comments>> <<[pki-comment] Public Comment>> <<[pki-issues] Feedback on PKI Action Plan>> <<[pki-issues] Comments from PKI Workshop concall participant>> <<[pki-comment] Public Comment>>
------------------------------------------------------------------
John T. Sabo, CISSP
Manager, Security Privacy and Trust Initiatives
Computer Associates International
2291 Wood Oak Drive
Herndon, Virginia, 20171
USA
Phone: +1 703-708-3037
Mobile: +1 443-629-6198
--- Begin Message ---
- From: "Steve Hanna" <steve.hanna@sun.com>
- To: "PKI TC Issues SC" <pki-issues@lists.oasis-open.org>
- Date: Wed, 5 Nov 2003 15:04:21 -0500
Here are some more comments on the PKI Action Plan. I have removed identifying information to protect the privacy of the person submitting the comments.

Thanks,

Steve

---------

In reviewing the draft action plan, an area of concern is the usage of the term "interoperable". [...] This term is overused and rarely clearly defined for the specific context intended. Some vendors and participants may presume the interoperability problem to exist between PKI implementations. Others may recognize the interoperability problems as being between applications enabled to use PKI and the particular PKI implementations of interest. Still others may choose to focus on application interoperability when the applications have been enabled to use the same PKI. It would be helpful to clearly state the context and boundaries of the term "interoperability".

I agree that reference implementations of PKI and of applications enabled to use PKI will be a major contributor to the success of ALL PKIs. And as you have said, if more focus is placed on specific functional areas (such as certificate path validation) for standardization rather than the proliferation of substantially repetitive ways to "skin the cat", the result will be better building blocks. As we are seeing in [my organization], the "build it and they will come" mentality will only carry us so far.

Also, to answer one of your focus questions, I think that to take two years for fruitful technical guidance may be under-ambitious. I understand by my own experience, though, that the consensus-building effort can be tedious and drawn out.

--- End Message ---
--- Begin Message ---
Title: [pki-comment] Public Comment
- From: <comment-form@oasis-open.org>
- To: <pki-comment@lists.oasis-open.org>
- Date: Tue, 4 Nov 2003 09:36:41 -0500
Comment from: csalamon@mitre.org
I understand document signing and secure email as two of three top applications, but I am not sure what application "electronic commerce" refers to.
To unsubscribe from this list, send a post to pki-comment-unsubscribe@lists.oasis-open.org, or visit http://www.oasis-open.org/mlmanage/.
--- End Message ---
--- Begin Message ---
- From: "Steve Hanna" <steve.hanna@sun.com>
- To: "PKI TC Issues SC" <pki-issues@lists.oasis-open.org>
- Date: Mon, 20 Oct 2003 14:52:04 -0500
Here are some comments on the PKI Action Plan that I received. Let's discuss them at our next meeting.

Thanks,

Steve

--------

I think this is a great effort and I really hope we are successful. I only had a few comments after reviewing the document:

Introduction

I thought the final sentence of the last paragraph was a bit too definitive w/o any words to back it up: "Within two years, PKI deployment should be substantially easier". Perhaps that would be better moved to a conclusion section, after telling me about the action plan. Or you could insert "our primary goal is that" before "PKI deployment".

P. 4, end, typo: s/Because of/Because
p. 7, typo: s/should unbiased/should be unbiased

Action Items

Although controversial, we might learn a lot by critiquing existing PKI-enabled applications and explaining the problems and/or how they could have made things simpler or more interoperable.

There's been a trend in the standards in recent years to hide and reduce the complexity of PKI by moving it to servers (ex: XKMS, DPV/DPD, DSS) but most of these standards are still in development or haven't been in the market long enough or have had enough application support to know if they will be successful in that goal. Does the group plan to encourage deployment of these standards as a way to reduce the cost & complexity of applications using PKI?

I think it is a fine goal to develop guidelines, etc for the 3 most popular applications, but I think it would also be beneficial to document examples of why you should use (or pay for) these PKI-enabled applications. This might be addressed by the "provide educational materials" AI.

I think the action items may be placing too much emphasis on applications and not enough on the infrastructure. You may be able to come up with a simple profile/guidelines for using and developing secure email, but if it is still too hard and too much cost to obtain and manage a certificate (or the benefits of using it are too low), then I think the ball stops there, so to speak.

--- End Message ---
--- Begin Message ---
- From: "Steve Hanna" <steve.hanna@sun.com>
- To: "PKI TC Issues SC" <pki-issues@lists.oasis-open.org>
- Date: Fri, 24 Oct 2003 16:36:17 -0500
Here are some comments that Krishna Sankar sent me after the PKI Labs & PKI Workshop concall. He gave me permission to pass them on. Also, I asked Krishna whether he could help us define the e-commerce application more clearly and work on addressing obstacles related to that. He said yes! That will be helpful. BTW, note that Krishna is an Observer in the PKI TC.

Thanks,

Steve

-------- Original Message --------
Subject: Comments on PKI discussions - E-business
Date: Tue, 21 Oct 2003 18:30:23 -0700
From: "Krishna Sankar" <ksankar@cisco.com>
Reply-To: <ksankar@cisco.com>
To: "'Steve Hanna'" <steve.hanna@sun.com>

Steve,

Thank you very much for the discussions we had today afternoon. Have a couple of thoughts on the e-biz (actually a few ;-)). I used to work on this when I was at HP and at Cisco.

a) Signing collaborative documents (e.g. designs) between organizations
b) B2B transactions - Purchase orders, invoices, packing slips
c) Govt to Citizen and back - especially in Europe where they have cards and certs for citizens
d) Govt to Business - I think in Italy every business gets its own private key for signing stuff during incorporation
e) We need to find the e-biz scenarios, documents that folks want to sign, workflows and business processes involved et al.

I used to be a member of the ETSI Electronic Signature group. Business scenarios and workflows are interesting, but are companies incorporating this? We need to find the hammer (govt laws) that need to be compliant and we have the use cases. HIPAA, the oxly.. And other laws might require secure signing.

-k.

> -----Original Message-----
> From: Steve Hanna [mailto:steve.hanna@sun.com]
> Sent: Monday, October 20, 2003 11:01 AM
> To: PKI TC
>
> Here are a few highlights from today's meeting
> of the OASIS PKI Technical Committee:
>
> 1) We agreed to change our usual meeting time. We'll still
> meet on the third Wednesday of each month, but now we'll
> alternate between 11:00 AM Eastern U.S. Time and 12:00 PM
> (noon). This will be a bit more fair, alternating an
> inconvenience for Western U.S. participants (starting
> at 8:00 AM their time) with an inconvenience for U.K.
> participants (ending at 6:00 PM their time). Our next
> meeting will be:
>
> Date: Wednesday, November 19, 2003
> Time: 12:00 PM (noon) Eastern U.S. Time
> Concall # (the usual):
>
> U.S.: +1.888.827.2241 (toll-free)
> Non-U.S.: +1.706.679.8701
> Conference Code: 703-708-3037
>
> 2) We agreed that the Issues Subcommittee (set up earlier
> for another purpose) will now be rechartered to review
> feedback on the draft PKI Action Plan and send summaries
> and recommendations for changes to the PKI TC. The Issues
> SC's membership and email address will not change. Please
> send feedback on the Action Plan to this SC at
> pki-issues@lists.oasis-open.org.
>
> 3) We discussed several of the comments received in the
> last few weeks. We agreed that I will make any changes
> that were agreed to and forward a revised draft Action Plan
> to the TC list for a brief review period. If there are no
> objections, this draft will be posted on the TC web site.
>
> I expect that John Sabo and June Leung will provide more
> complete minutes from the meeting soon, but I know that
> John is travelling now so this may take a while. I'm going
> to start acting on these decisions now, so I thought a
> brief summary email to the list would be wise.
>
> Thanks,
>
> Steve

--- End Message ---
--- Begin Message ---
Title: [pki-comment] Public Comment
- From: <comment-form@oasis-open.org>
- To: <pki-comment@lists.oasis-open.org>
- Date: Sat, 8 Nov 2003 15:09:43 -0500
Comment from: sead@dsv.su.se
You have indicated four action items in your Action Plan. I think they all can be covered very effectively with two actions: (1) create an operational platform (middleware) with all necessary PKI functions, supported by, of course, PKI engines, clients, CA Servers, protocols, etc; and (2) create a set of educational materials for usage of PKI.
If (1) is available it solves the first three items from your Action Plan: usage of APIs (object, methods) provides Application Guidelines, "backend" testing of different functions, objects, and protocols performed by interested vendors who support the same STANDARDIZED set of PKI functions solves your item 2, and do not ask application vendors what they need, just offer them ready-to-use Dev Platform for PKI services.
I am writing this suggestion on behalf of my company, SETECS Corporation, which has such a platform and we are willing to offer it experimentally to the interested members of the OASIS Consortium.
Regards,
Sead Muftic
President/CEO
SETECS Corporation
Rockville, MD
--- End Message ---