The lack of commercial usage of digital signature
technology is about to change.
David Sweigert, CISSP
----- Original Message -----
Sent: Thursday, February 27, 2003 1:17 PM
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor
David,
it should give some indications of one area that
I feel does not work too well.
A powerpoint is also available:
I.e. it is really Web Services that are addressed
as this is what most people believe is where both PKI and e-business will be
in a relatively short period. Below is an extract from another posting
highlighting some basic problems that the work is supposed to
address:
First it is important to note that digital
signatures are virtually non-existent in B2B so what follows here is
"theory". Digital signatures have a major problem which did not
exist in the paper-world. A signature on paper is a
technically imprecise way of giving "authenticity" to a
document. A digital signature on the other hand identifies the
signer in a technically very strong way. Now, let's say that
you have an invoice from ACME Corp (using any of the rather arbitrary ways to
identify this), what is the stronger part of the identity (i.e. the
certificate) supposed to contain? And even worse, if you use personal
signatures what should these contain? John Doe at ACME Corp? Are
business systems supposed to cross-check between the claimed identity in the
business document and the certificate? I believe so, but here there is
mostly zero interoperability and hardly any normative documents to find.
Consortiums like ebXML don't touch such issues and PKI folks typically
shun business systems like the plague. In case anybody of this list is
interested in this area (maybe even co-authoring), I'm currently toiling with
an IETF draft (enclosed), trying to "marry" PKI and business systems. It
is worth noting that the e-Government in Sweden have (in their actual
systems), not yet addressed the idea that a citizen of another
EU-country would use their certificate, which by the way is rather hard as
there is no universal way to express personal identities either. The
qualified certificate standard does not require globally unique identities so
you could even end up with name conflicts! PKI is unfortunately an
immature technology originally designed for sending e-mail between individuals
which is rather different to sending messages between or to "machines" as the
latter only "compute" which is not equivalent to humans'
"understand".
Best
Anders R
----- Original Message -----
Sent: Thursday, February 27, 2003 17:08
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor
A short note:
It sounds like you are seeking standards on the process of web-access control
and authentication. Can you please define "e-Business" systems in a
more clear manner?
David Sweigert, CISSP
----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <pki-tc@lists.oasis-open.org>
Sent: Thursday, February 27, 2003 10:25 AM
Subject: [pki-tc] PKI/e-business IETF draft co-editor
> Dear List members,
>
> PKI/e-business IETF draft co-editor
> -----------------------------------------
> I am trying to find somebody else who has also worked with combining
> e-business systems with PKI. This is currently an unusual combination in
> spite of all that we have heard about the value of digital signatures. Due to
> this fact, there is an imminent need for addressing this, and in my opinion also
> a need to create one or more Internet Drafts. However, in applicable
> standard-groups like IETF's PKI Working Group, PKIX, there is to my knowledge
> hardly any persons with suitable backgrounds for such a task. Therefore I am
> looking in other places for a co-editor, or at least somebody to try new ideas on :-).
>
> ===========================================================
> In case you or somebody you know of, could be suitable, please contact me ASAP!
> ===========================================================
>
> These are the approximative "requirements":
>
> - Knowledge of business systems architectures and technologies
>   like Web, SQL and XML
>
> - Basic knowledge of PKI
>
> - A genuine interest in user- and deployment-related questions
>
> - Basic capability of reading technical standards documents
>
> Note: This effort is mostly technical but if there is somebody out
> there with an interest in CA business models and liability, this
> is also of interest!
>
> This is an initial effort to study:
> http://www.x-obi.com/OBI400/draft-rundgren-pkix-pnppki4ws-00.pdf
>
> Unfortunately you don't get paid by IETF, the best you can hope for
> is that a draft is approved...
>
> In case the OASIS PKI-TC is interested, this could be turned into
> an OASIS effort.
>
> Best Regards
> Anders Rundgren
> Senior Internet e-Commerce Architect
> +46 70 - 627 74 37