OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [pki-tc] PKI/e-business IETF draft co-editor

Todd – The Government of Canada started our PKI development in 1996.  Here is a link to the relevant web site Government of Canada PKI

I don’t think we have a “case study” type document, but you might find the information of some value.  Have a look at it, and if you need more specific info let me know.


That is our “internal” to GoC PKI.  We also have a very large Government On-Line CA, which is part of our Secure Channel Project.





Ross Smith

PKI Secretariat | Secrétariat de l'ICP

IT Security (ITS) | Sécurité des TI (STI)

Chief Information Officer Branch | Direction du dirigeant principal de l'information

Treasury Board of Canada, Secretariat | Secrétariat du Conseil du Trésor du Canada

Ottawa, Canada K1A 0R5

613-946-7735 | Smith.Ross@tbs-sct.gc.ca | facsimile/télécopieur 613-996-1476




-----Original Message-----
From: Todd Colvin [mailto:todd.colvin@search.org]
Sent: March 5, 2003 3:27 PM
To: Anders Rundgren; pki-tc@lists.oasis-open.org
Subject: RE: [pki-tc] PKI/e-business IETF draft co-editor




Do you know of any good reference material that has detailed information regarding an actual implementation of PKI? I'm looking for something that is sort of a case study that explains what exactly was done, why, and what did not work and why it did not. Also, for now I'm more focused on internal PKI systems rather than something used for e-commerce, although an internal-use system with support for email encryption and digital signatures is of interest as well.



Todd Colvin
Computer Training Specialist
SEARCH Group, Inc.
7311 Greenhaven Dr., Suite 145
Sacramento, CA 95831
(916) 392-2550 Fax (916) 392-3271

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Friday, February 28, 2003 12:07 AM
To: David Sweigert; pki-tc@lists.oasis-open.org
Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor


The commercial use of digital signatures is grooving but I claim that the sector I'm most involved in, B2B transactions, will be one of the last one to use such.  Mainly due to the almost total disconnect between PKI and business systems not only on a technical ground (the thing the IETF draft is addressing), but basic questions like what kind of certificates you actually need.  The enclosed discussion papers shed some light on this question.  This part is by the way now discussed in the EU and quite a number of countries now fully support the idea of legal-entity-only signatures, in spite of not having a counter-part in the physical world.  Still, a number of people out there claim that this is "madness".


I also consider business models as represented by Identrus et al (relying-party-paid) as a sure way to make B2B stay away from using PKI or rather use their own PKI in a hub-and-spokes way (the big party issues certificates for their smaller customers/suppliers to use) which does not scale very well.  As Bill Gates wrote already 1995: There should be no markup on (non-payment) business transactions over the Internet, just inexpensive software.  But banks, who have strong aspirations in the CA segment, have a long frustrating journey ahead of them, before they finally will realize that identification is not yet another payment system.  Trust and identity, in contrast to payments, can be "settled" between two parties on their own, which makes the difference.


To my knowledge not a single of the numerous e-invoice projects run by banks over the world use PKI.  My guess is that PKI is rightfully experienced as too messy.  Without working TTPs having reasonable offerings, shared secrets seem much simpler to deploy as such can be communicated in simple ways including verbally.  PKI is technically redundant unless you achieve a peer-to-peer based operation which is currently virtually non-existent for other reasons as well.


The only working PKI markets I know of is Web server certificates by VeriSign et al and local PKIs supporting e-Governments.


For individuals, the fact that the smart card industry have not after 10 years or so managed to come up with a standard PKI card and built-in support in major OSes, still makes PKI "non-standard" in the eyes of IS-managers.  To store certificates on the hard disk is not an alternative in a corporate environment.


BTW, I hope that the PKI-TC will address some or all of the issues raised here.




----- Original Message -----

To: Anders Rundgren ; pki-tc@lists.oasis-open.org

Sent: Thursday, February 27, 2003 22:00

Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor


The lack of commercial usage of digital signature technology is about to change.


David Sweigert, CISSP

----- Original Message -----

To: pki-tc@lists.oasis-open.org

Sent: Thursday, February 27, 2003 1:17 PM

Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor



If you take a look on the link I supplied
http://www.x-obi.com/OBI400/draft-rundgren-pkix-pnppki4ws-00.pdf )

it should give some indications of one area that I feel does not work to well.


A powerpoint is also available:



I.e. it is really Web Services that are addressed as this is what most people believe is where both PKI and e-business will be in a relatively short period.  Below is an extract from another posting highlighting some basic problems that the work is supposed to address:


First it is important to note that digital signatures are virtually non-existent in B2B so what follows here is "theory".   Digital signatures have a major problem which did not exist in the paper-world.  A signature on paper is a technically imprecise way of giving "authenticy" to a document.  A digital signature on the other hand identifies the signer in a technically very strong way.  Now, lets say that you have an invoice from ACME Corp (using any of the rather arbitrary ways to identify this), what is the stronger part of the identity (i.e. the certificate) supposed to contain?  And even worse, if you use personal signatures what should these contain?  John Doe at ACME Corp?  Are business systems supposed to cross-check between the claimed identity in the business document and the certificate?  I believe so, but here there is mostly zero interoperability and hardly any normative documents to find. Consortiums like ebXML don't  touch such issues and PKI folks typically shun business systems like the plague.  In case anybody of this list is interested in this area (maybe even co-authoring), I'm currently toiling with an IETF draft (enclosed), trying to "marry" PKI and business systems.  It is worth noting that the e-Government in Sweden have (in their actual systems), not yet addressed the idea that a citizen of an other EU-country would use their certificate, which by the way is rather hard as there is no universal way to express personal identities either.  The qualified certificate standard does not require globally unique identities so you could even end-up with name conflicts!  PKI is unfortunately an immature technology originally designed for sending e-mail between individuals which is rather different to sending messages between or to "machines" as the latter only "compute" which is not equivalent to humans' "understand".



Anders R


----- Original Message -----

From: "David Sweigert" <dgsweigert@airbridge.net>

To: "Anders Rundgren" <anders.rundgren@telia.com>; <pki-tc@lists.oasis-open.org>

Sent: Thursday, February 27, 2003 17:08

Subject: Re: [pki-tc] PKI/e-business IETF draft co-editor


A short note:

It sounds like you are seeking standards on the process of web-access
an dauthentication.  Can you please define "e-Business" systems in a more
clear manner ?

David Sweigert, CISSP

----- Original Message -----
From: "Anders Rundgren" <
To: <
Sent: Thursday, February 27, 2003 10:25 AM
Subject: [pki-tc] PKI/e-business IETF draft co-editor

> Dear List members,
> PKI/e-business IETF draft co-editor
> -----------------------------------------
> I am trying to find somebody else who have also worked with combining
> e-business systems with PKI.  This is currently an unusual combination in
> spite of all that we have heard about the value of digital signatures.
Due to
> this fact, there is an immanent need for addressing this, and in my
opinion also
> a need to create one or more Internet Drafts.   However, in applicable
> groups like IETF's PKI Working Group, PKIX, there is to my knowledge
> any persons with suitable backgrounds for such a task.   Therefore I am
> in other places for a co-editor, or at least somebody to try new ideas on
> ===========================================================
> In case you or somebody you know of, could be suitable, please contact me
> ===========================================================
> These are the approximative "requirements":
> - Knowledge of business systems architectures and technologies
>   like Web, SQL and XML
> - Basic knowledge of PKI
> - An genuine interest in user- and deployment-related questions
> - Basic capability of reading technical standards documents
> Note: This effort is mostly technical but if there is somebody out
> there with an interest in CA business models and liability, this
> is also of interest!
> This is an initial effort to study:
> Unfortunately you don't get paid by IETF, the best you can hope for
> is that a draft is approved...
> In case the OASIS PKI-TC is interested, this could be turned into
> an OASIS effort.
> Best Regards
> Anders Rundgren
> Senior Internet e-Commerce Architect
> +46 70 - 627 74 37

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]