
pki-ms message



Subject: re:[pki-ms] Re: Recruitment



Well said Arshad! I look forward to a robust discussion on the next call. 

Just a few ideas ... 

-- I think the PKI 'crisis' has much to do with poor articulation in the
past of what PKI is really for.  Its proponents still tend to talk in vague
generalities about "non-repudiation" etc.  PKI has no monopoly on
non-repudiation!  The real benefits are more subtle, and require
proponents to think clearly and differently about lasting transaction
authentication (i.e. 'signatures') versus fleeting access control. 

With a poorly articulated value proposition, PKI remains vulnerable to
*perceived* disruptive technologies like biometrics.  Actually the
technology is not vulnerable but its mind share is terribly fragile.  I am
sure we have all wasted countless hours answering management questions
about whether the latest gizmo is going to supersede digital signatures. 

-- I think poor participation in the TC has a lot to do with IT companies
being frighteningly busy, and employees being frightened.  With so much FUD
around PKI, there are not many people in companies who feel empowered to
spend time promoting it.  

-- I think an expectation that businesses will start using PKI per se, is
like asking a bank to "use" ferro-magnetics.  Complex technologies often
have to be deeply bundled, which is why I think it is useful to think in
terms of a digital certificate supply chain.  We might have to put more
distance between the wholesale issuers of keys & certs ('raw materials'
akin to ferrite powder and tapes) and the deployment of apps that use
those 'raw materials' in convenient value-added forms (like smartcards,
cell phones, set-top boxes etc.) 

-- I think the PKI TC's historic role of implementing the PKI Action Plan
is still a good way of focusing and avoiding overlap on technical
standards development with PKIX etc.  There is still much valuable work to
do under Action Plan issues like engaging with vendors, education,
application facilitation, show-casing and collaboration.  


Cheers, 

Stephen. 


Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent specialist advice and analysis on
identity management, PKI and smartcards.  Lockstep is also developing
unique new smartcard solutions to address privacy and identity theft. 



> Thank you for bringing this up, Ann.
> 
> I still need to discuss protocol with John Sabo and OASIS, but one of
> the most important things I wanted to do after becoming elected Chair
> of the TC, was to do some soul-searching in the first meeting to figure
> out the TC's direction and relevance.
> 
> There are lots of questions on my mind now that I've been a member of
> the TC for a little over a year, the 2 most important ones are:
> 
> 1) As a technical committee, what technology standards do we establish
>     given that PKIX establishes international technical standards for
>     PKI, and W3C has established XMLSignature, XMLEncryption and XKMS
>     as standards?  If we cannot answer this question, then we need to
>     figure out what is our charter.
> 
> 2) The TC conducted a survey 2-3 years ago that highlighted why people
>     were not using PKI.  Yet, many countries around the world, the US
>     Federal Government, the cable/satellite industry, the DRM world all
>     use PKI in one form or another.  What is the real reason that the
>     general business applications/IT developers shun PKI?  (Being an
>     applications developer myself, I have some notions on this that I'd
>     like to discuss in the TC, but I want to hear from everybody else
>     first).
> 
> After I've had a chance to talk to John, I intend to send an e-mail
> to the TC to think about these questions and to join us in the
> discussion in this month's session.  I know one hour is not going to
> be sufficient for this topic, but I want to get the discussion going
> over e-mail first and summarize in the call, if possible.
> 
> I think the observers are not participating because of the relevance
> issue (someone I know in the PKI industry confirmed that yesterday
> in a lunch conversation); so if we address that, participation will
> follow.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Terwilliger, Ann wrote:
> > At our last meeting we talked about the importance of recruiting 
> > additional active participants.  I was looking at our membership list 
> > and we have many observers but relatively few active participants 
> > (voting members) particularly from the PKI vendor community.  In 
> > addition to recruiting new members we might consider some sort of 
> > communication out to our observers, particularly those in the vendor 
> > community or those who are the sole representative from a company, to 
> > encourage them to participate more actively as voting members.  This 
> > would give us more varied points of view and potentially also increase 
> > our funding for projects (most of the funding available to us today is 
> > the carryover from the PKI Forum).  This might be worth discussing at 
> > the TC meeting next week.
> > 
> > I have contacted RSA to encourage them to actively participate again and 
> > am awaiting their feedback.
> > 
> > *Ann Terwilliger | Director of Security Projects - PKI|*
> > *Technology Management | Visa International | 650.432.3661*
> > 
> > 
> > 
> 
> 
