Anders,

Do you know of any good reference material that has detailed information regarding an actual implementation of PKI? I'm looking for something that is sort of a case study that explains what exactly was done, why, and what did not work and why it did not. Also, for now I'm more focused on internal PKI systems rather than something used for e-commerce, although an internal-use system with support for email encryption and digital signatures is of interest as well.

Thanks,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Todd Colvin
Computer Training Specialist
SEARCH Group, Inc.
7311 Greenhaven Dr., Suite 145
Sacramento, CA 95831
(916) 392-2550 Fax (916) 392-3271
http://www.search.org/
David,

The commercial use of digital signatures is growing, but I claim that the sector I'm most involved in, B2B transactions, will be one of the last ones to use such. Mainly due to the almost total disconnect between PKI and business systems, not only on a technical ground (the thing the IETF draft is addressing), but basic questions like what kind of certificates you actually need. The enclosed discussion papers shed some light on this question. This part is by the way now discussed in the EU, and quite a number of countries now fully support the idea of legal-entity-only signatures, in spite of not having a counterpart in the physical world. Still, a number of people out there claim that this is "madness".

I also consider business models as represented by Identrus et al (relying-party-paid) as a sure way to make B2B stay away from using PKI, or rather use their own PKI in a hub-and-spokes way (the big party issues certificates for their smaller customers/suppliers to use), which does not scale very well. As Bill Gates wrote already in 1995: there should be no markup on (non-payment) business transactions over the Internet, just inexpensive software. But banks, who have strong aspirations in the CA segment, have a long frustrating journey ahead of them before they finally will realize that identification is not yet another payment system. Trust and identity, in contrast to payments, can be "settled" between two parties on their own, which makes the difference.

To my knowledge not a single one of the numerous e-invoice projects run by banks over the world uses PKI. My guess is that PKI is rightfully experienced as too messy. Without working TTPs having reasonable offerings, shared secrets seem much simpler to deploy, as such can be communicated in simple ways including verbally. PKI is technically redundant unless you achieve a peer-to-peer based operation, which is currently virtually non-existent for other reasons as well.

The only working PKI markets I know of are Web server certificates by VeriSign et al and local PKIs supporting e-Governments.

For individuals, the fact that the smart card industry has not after 10 years or so managed to come up with a standard PKI card and built-in support in major OSes still makes PKI "non-standard" in the eyes of IS-managers. To store certificates on the hard disk is not an alternative in a corporate environment.

BTW, I hope that the PKI-TC will address some or all of the issues raised here.

Anders
----- Original Message -----
Sent: Thursday, February 27, 2003 22:00
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

The lack of commercial usage of digital signature technology is about to change.

David Sweigert, CISSP

----- Original Message -----
Sent: Thursday, February 27, 2003 1:17 PM
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor
David,

It should give some indications of one area that I feel does not work too well.

A powerpoint is also available:

I.e. it is really Web Services that are addressed, as this is what most people believe is where both PKI and e-business will be in a relatively short period. Below is an extract from another posting highlighting some basic problems that the work is supposed to address:

First it is important to note that digital signatures are virtually non-existent in B2B, so what follows here is "theory". Digital signatures have a major problem which did not exist in the paper-world. A signature on paper is a technically imprecise way of giving "authenticity" to a document. A digital signature on the other hand identifies the signer in a technically very strong way. Now, let's say that you have an invoice from ACME Corp (using any of the rather arbitrary ways to identify this), what is the stronger part of the identity (i.e. the certificate) supposed to contain? And even worse, if you use personal signatures, what should these contain? John Doe at ACME Corp? Are business systems supposed to cross-check between the claimed identity in the business document and the certificate? I believe so, but here there is mostly zero interoperability and hardly any normative documents to find. Consortiums like ebXML don't touch such issues and PKI folks typically shun business systems like the plague. In case anybody on this list is interested in this area (maybe even co-authoring), I'm currently toiling with an IETF draft (enclosed), trying to "marry" PKI and business systems. It is worth noting that the e-Government in Sweden has (in their actual systems) not yet addressed the idea that a citizen of another EU-country would use their certificate, which by the way is rather hard as there is no universal way to express personal identities either. The qualified certificate standard does not require globally unique identities, so you could even end up with name conflicts! PKI is unfortunately an immature technology originally designed for sending e-mail between individuals, which is rather different to sending messages between or to "machines", as the latter only "compute", which is not equivalent to humans' "understand".

Best
Anders R
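The cross-check Anders asks about above (does the identity claimed in the business document agree with the certificate that signed it?) can be shown in a few lines of Go. This is an added example, not code from the thread or from the IETF draft it mentions: the self-signed Ed25519 certificates, the `Invoice` record, the constructed payload strings and the rule of matching the certificate's Organization against the claimed seller are all assumptions made for the demonstration. It runs three cases a relying business system has to tell apart: a genuine invoice, the same invoice signed under another organisation's certificate, and a payload altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Invoice stands in for a business document. SellerName is the identity the
// document CLAIMS; the signature by itself does not prove that claim.
type Invoice struct {
	SellerName string
	Payload    []byte // canonical bytes that get signed (constructed for the demo)
}

// issueCert makes a self-signed Ed25519 certificate whose subject names an
// organisation. Hypothetical helper: in production the certificate comes from a
// CA the relying party trusts, and chain validation happens before this code.
func issueCert(org string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// verifyInvoice performs the two separate checks the thread argues for:
//  1. the signature is valid under the certificate's public key, and
//  2. the certificate's subject matches the identity the document claims.
// A valid signature alone shows only that SOME certificate holder signed the bytes.
func verifyInvoice(inv Invoice, sig []byte, cert *x509.Certificate) error {
	if err := cert.CheckSignature(x509.PureEd25519, inv.Payload, sig); err != nil {
		return fmt.Errorf("cryptographic check failed: %w", err)
	}
	// Matching on the Organization display name is a demo assumption; a real
	// system would compare a registered identifier carried in the certificate
	// against the one in the document, since display names are not unique.
	for _, org := range cert.Subject.Organization {
		if strings.EqualFold(strings.TrimSpace(org), strings.TrimSpace(inv.SellerName)) {
			return nil
		}
	}
	return errors.New("identity mismatch: certificate subject is not the claimed seller")
}

// runScenarios exercises the three outcomes a business system must distinguish:
// genuine, signed under somebody else's certificate, and altered after signing.
func runScenarios() (genuineOK, wrongSignerRejected, tamperRejected bool, err error) {
	inv := Invoice{SellerName: "ACME Corp", Payload: []byte("seller=ACME Corp;invoice=4711;total=1000.00")}
	acmeCert, acmeKey, err := issueCert("ACME Corp")
	if err != nil {
		return
	}
	otherCert, otherKey, err := issueCert("Other Trading AB")
	if err != nil {
		return
	}
	acmeSig := ed25519.Sign(acmeKey, inv.Payload)
	genuineOK = verifyInvoice(inv, acmeSig, acmeCert) == nil

	// Same claimed seller, but the signer holds another organisation's certificate.
	otherSig := ed25519.Sign(otherKey, inv.Payload)
	wrongSignerRejected = verifyInvoice(inv, otherSig, otherCert) != nil

	// Total changed after signing: the cryptographic check must fail first.
	tampered := Invoice{SellerName: inv.SellerName, Payload: []byte("seller=ACME Corp;invoice=4711;total=9000.00")}
	tamperRejected = verifyInvoice(tampered, acmeSig, acmeCert) != nil
	return
}

func main() {
	ok, wrong, tamper, err := runScenarios()
	fmt.Println("genuine:", ok, "wrong signer rejected:", wrong, "tampered rejected:", tamper, "error:", err)
}
```

The point of keeping the two checks in separate steps is the one the post makes: the second scenario passes every purely cryptographic test, and only the comparison against the document's own claim catches it. Which certificate field to compare, and against which field of the invoice, is exactly the part the thread says has no normative answer yet.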
----- Original Message -----
Sent: Thursday, February 27, 2003 17:08
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor

A short note:

It sounds like you are seeking standards on the process of web-access control and authentication. Can you please define "e-Business" systems in a more clear manner?

David Sweigert, CISSP
----- Original Message -----
From: "Anders Rundgren" <anders.rundgren@telia.com>
To: <pki-tc@lists.oasis-open.org>
Sent: Thursday, February 27, 2003 10:25 AM
Subject: [pki-tc] PKI/e-business IETF draft co-editor

> Dear List members,
>
> PKI/e-business IETF draft co-editor
> -----------------------------------------
> I am trying to find somebody else who has also worked with combining e-business systems with PKI. This is currently an unusual combination in spite of all that we have heard about the value of digital signatures. Due to this fact, there is an imminent need for addressing this, and in my opinion also a need to create one or more Internet Drafts. However, in applicable standards groups like IETF's PKI Working Group, PKIX, there are to my knowledge hardly any persons with suitable backgrounds for such a task. Therefore I am looking in other places for a co-editor, or at least somebody to try new ideas on :-).
>
> ===========================================================
> In case you or somebody you know of could be suitable, please contact me ASAP!
> ===========================================================
>
> These are the approximate "requirements":
>
> - Knowledge of business systems architectures and technologies like Web, SQL and XML
>
> - Basic knowledge of PKI
>
> - A genuine interest in user- and deployment-related questions
>
> - Basic capability of reading technical standards documents
>
> Note: This effort is mostly technical, but if there is somebody out there with an interest in CA business models and liability, this is also of interest!
>
> This is an initial effort to study:
> http://www.x-obi.com/OBI400/draft-rundgren-pkix-pnppki4ws-00.pdf
>
> Unfortunately you don't get paid by IETF; the best you can hope for is that a draft is approved...
>
> In case the OASIS PKI-TC is interested, this could be turned into an OASIS effort.
>
> Best Regards
> Anders Rundgren
> Senior Internet e-Commerce Architect
> +46 70 - 627 74 37