email response to PKI Action Plan

[Steve Hanna <steve.hanna@sun.com>]

Here's one response I got by email from a HEPKI-TAG person.

-Steve

------------

Thanks for giving us an early shot, Steve!

Here are a few responses to snippets of the survey results and action
plan.

> Too Much Focus on Technology, Not Enough on Need [highly ranked]

Instead of "more education for management and users" (which is like
saying "You're not smart enough!") I think what you're hearing is
level-headed folks pointing out that PKI is not magic pixie dust.  I
think the appropriate response to this one is to focus on applications
and specific requirements of significant user communities.

That's what you're starting to do in terms of the focus on application
guidelines for document signing, secure email and electronic commerce,
so that's good.

> Ask Application Vendors What They Need

In concert with the comment above, I think asking *user* communities
what they need is really important.  E.g. what do they want in terms
of that nebulous "electronic commerce"?  Does that really mean "I want
to make money so I'll go where the money is - commerce?", or does it
mean something else more helpful?

E.g. what aspects of "secure email" are they really looking for?
Absence of spam?  Confidentiality?  Authentication?  Might non-PKI
methods (e.g. opportunistic encryption of smtp and/or other changes to
the email infrastructure) be more feasible?

And on document signing, for me the biggest issue is document formats
and providing some assurance that what you signed is what you saw.
Both of these are hard in the current environment.  The most popular
"document" formats are proprietary, complex and very susceptible to
making them look one way when signed and another way when validated.
This makes interoperability pretty hard.

An update on xml-signature would be nice.  But I'm personally still a
fan of plain text signed with S/MIME or PGP until something better
comes along.

nsmail6D.TMP

S/MIME Cryptographic Signature