Subject: email from Jean Pawluk to PKI TC
Jean Pawluk is having trouble getting email through to the PKI TC list, so I want to send this message on her behalf.

Thanks,

Steve

-------- Original Message --------
Subject: RE: [pki-tc] Proposed changes to PKI Action Plan comments
Date: Sun, 19 Oct 2003 19:00:00 -0700
From: "Pawluk, Jean" <jpawluk@inovant.com>
To: "'Steve Hanna'" <steve.hanna@sun.com>, PKI TC <pki-tc@lists.oasis-open.org>

Steve and all,

Due to a prior commitment I will miss the majority of the call. However, I would like to add the following comments that I wrote a couple of years ago to the IETF PKIX group, and I still have not seen a lot of improvement (unless you call looking at the many vendors slowly sinking into oblivion a solution) from the users' point of view.

As I have often said, just as an airplane is a very complex bit of machinery that somehow gets off the ground and can transport me from one location to another as a passenger, we need to make security solutions such as PKI as easy to use from the passenger (user) point of view. I don't want to know about the mechanism unless I am the mechanic or pilot; I just want to pay my fare and get to my destination.

What are we doing to make those seamless yet secure applications a reality? I think we as an industry may have done too much work on practices yet very little on how to use it easily. Why should anyone other than an industry specialist be expected to know or care how PKI works? It's time to think outside the PKI silo, so please keep up the good work to date with the survey, with actions to improve everyone's lot.

Regards
Jean

Sent: Monday, November 12, 2001 12:51 PM
To: ietf-pkix@imc.org

Ah, so we are back to one of the original questions of everyday transactions -

Who do I trust and just how much do I really trust them?

On an everyday basis, people everywhere apply some decision making process (with or without full awareness of the process) to every transaction that occurs between them.

To take this a step further, business policy applied to computing systems often tries to take this sort of decision process and apply it to applications. PKI is one way that this trust binding is attempted, and it often fails quite miserably. Humans seem to do this relatively effortlessly based on their experiences. What's really wrong with PKI is that it is difficult for most people to implement and costly to use, and it just doesn't happen as quickly as some human judgment call on who they trust in any transaction. Where is the granularity of trust levels, the recognition that trust is temporal and transitive, presented in a fairly simple way for the everyday programmer to use?

We can now plaster the world with X509 certificates in various forms that work the way it was intended (and this has taken several years), but we as a group have done little to make it easy and relatively idiot proof to use PKI in applications (and there are many perfect idiots in our wide world). I have looked into and tested many a CA vendor's toolkit, and let me say it just isn't easy to use any of them. Where is the application enabling middleware that is easy to use? (Yes, there are several other standards groups addressing this in some piecemeal fashion, and there are some vendors who are beginning to address this space.)

I look at a lot of the work being done with PKI and XML in wonderment of really allowing the "average" (read, less experienced) programmer who will follow some standard and then really botch things up, expose keys, etc. due to lack of knowledge on how to do it securely. Let's get real and do something about all this that makes PKI an easy and reliable method of enabling trust on an everyday basis with all the goodness that PKI offers, instead of making it so difficult that the average user would rather get a root canal than use PKI.

Just my opinion,
Jean Pawluk

PS As an architect and senior manager I am often astounded how many firms do not know their own business well enough to decide what needs to be secured.

-----Original Message-----
From: Steve Hanna [mailto:steve.hanna@sun.com]
Sent: Friday, October 17, 2003 1:59 PM
To: PKI TC
Subject: [pki-tc] Proposed changes to PKI Action Plan

Here is a summary of changes to the PKI Action Plan that have been suggested during the last few weeks of confidential review. I have divided these proposed changes into two categories:

1) those that I think may be controversial or that are especially substantive and should therefore be discussed in the PKI TC meeting on Monday

2) those that I don't think we need to discuss, since there is probably a consensus on them

Please bring this email to our Monday meeting so we can discuss these changes. If you have received any other suggestions for changes, please send them to the PKI TC email list. Also let me know if you think I have missed any changes sent to the PKI TC list.

I will note here again that I am concerned the PKI TC will become overwhelmed by the volume of comments. I expect this will be even more of a problem once we open the document up for public review. I suggest again that we consider creating an Action Plan editing committee that would receive comments, evaluate them to decide how they should be handled, and send periodic reports to the PKI TC on what comments have been received and how they have been handled. I will raise this as a formal proposal at our meeting on Monday.

Thanks,

Steve

P.S. I'm a little concerned about copyright issues when taking changes verbatim from someone's suggestion. Unless we have explicit permission from an author to use their wording in our Action Plan, I will reword things enough to resolve copyright concerns. Sun Microsystems (my employer) has agreed to donate copyright on my work on this document to OASIS. And I'm going to considerable lengths to make sure that I don't copy text from anywhere.

-------

Proposed Changes to be discussed:

1. From John Sabo

The comment, "Within two years, PKI deployment should be substantially easier." may be too optimistic given harsh reality. How about "The PKI TC believes that a serious effort by industry practitioners to execute the action plan will contribute to increased usage." --or something along those lines.

2. From John Sabo

In seeking comments on the action plan, I suggest a bit more specificity in what we are asking for with respect to comments, and perhaps a more direct request for help in developing a multi-faceted plan, with the TC working with other bodies, vendors, users, etc. to achieve our goals of accelerated use of PKI.

I suggest that we more directly seek input from a variety of stakeholders as to the viability of the plan, the relative importance of action steps, the resources and level of effort necessary to achieve specific deliverables, work already underway or planned which will address these issues, the appropriate bodies internationally that may be best positioned to deal with specific actions, and whether (and how) such a plan should be coordinated among stakeholders.

I am suggesting this in part because major efforts have been undertaken (e.g., EEMA PKI Challenge) with huge resource investments, and they have come up with some progress, but no ultimate solution on very specific issues. I just think the plan suggests that the task is easily achieved... may be read by some experienced people that we are perhaps a bit naive regarding the complexity of the issues etc. My suggestion then would be to directly acknowledge the challenge and yet offer the action plan as an effort to establish a multi-faceted and coordinated effort.

At the ISSE2003 conference there has been lots of talk about PKI, and how it never achieved its promise, how most of the issues aren't technical, etc. etc... a very big context and lots of activities have been undertaken, and yet there are large deployments coming about (e.g., Spanish e-Identity card) despite the obstacles -- hence my suggestions about acknowledging such efforts, and seeking assistance in building an industry-wide plan.

3. From HEPKI-TAG:

* There are lots of educational materials on PKI available now. What's wrong with them?
* End user materials are needed.
* Managers don't understand the benefits of PKI.

4. From HEPKI-TAG:

* There's too much focus on technology. We need to focus on applications. Understand what people need and why. Then we can show how PKI (or alternatives) can address that.

5. From HEPKI-TAG:

* There are lots of user interface problems. Users should be able to control whether they encrypt email messages on their hard disk (which is sometimes undesirable).

6. From HEPKI-TAG:

* We need more training for auditors on how to audit lightweight and heavyweight PKI installations.

7. From HEPKI-TAG:

* Prebaked PKI configurations have been tried and they weren't used. Like PKI Lite.
* The reason why they haven't been used is that it's so hard to get lightweight CA and application software.

8. From HEPKI-TAG:

* With web-based PKI, there's no way to force the user to reauthenticate. That's a problem if the user has walked away from their desk, leaving their smart card or soft token activated.

9. From HEPKI-TAG:

* Are you [the PKI TC] going to act before February?

10. From HEPKI-TAG:

* Applications should use the PKI support that's built into the operating system. Then they'll get smart card support automatically.

11. From a HEPKI-TAG Member:

> Too Much Focus on Technology, Not Enough on Need [highly ranked]

Instead of "more education for management and users" (which is like saying "You're not smart enough!") I think what you're hearing is level-headed folks pointing out that PKI is not magic pixie dust. I think the appropriate response to this one is to focus on applications and specific requirements of significant user communities. That's what you're starting to do in terms of the focus on application guidelines for document signing, secure email and electronic commerce, so that's good.

> Ask Application Vendors What They Need

In concert with the comment above, I think asking *user* communities what they need is really important. E.g. what do they want in terms of that nebulous "electronic commerce"? Does that really mean "I want to make money so I'll go where the money is - commerce?", or does it mean something else more helpful? E.g. what aspects of "secure email" are they really looking for? Absence of spam? Confidentiality? Authentication? Might non-PKI methods (e.g. opportunistic encryption of smtp and/or other changes to the email infrastructure) be more feasible?

12. From a HEPKI-TAG Member:

And on document signing, for me the biggest issue is document formats and providing some assurance that what you signed is what you saw. Both of these are hard in the current environment. The most popular "document" formats are proprietary, complex and very susceptible to making them look one way when signed and another way when validated. This makes interoperability pretty hard. An update on xml-signature would be nice. But I'm personally still a fan of plain text signed with S/MIME or PGP until something better comes along.

13. From Anders Rundgren:

AFAIK web-based signing, in spite of being a much needed feature for on-line activities, is not even a standards task. Every bank and e-government therefore has to deploy their own unique or purchased signature plugin.

14. From Anders Rundgren:

It seems that the standards used for on-line certification suffer from a real-world disconnect as well as being non-standard. Microsoft's Xenroll is a non-portable solution. I'm puzzled that nobody digs into this, as on-line certification schemes are the only thing that scales. The real-world disconnect is that in all *real* certification schemes for individuals the *provider* wants to control every parameter it can. BTW, if somebody is interested in this area I'm interested in doing something here!

15. From Anders Rundgren:

AFAIK none of the major leading or obscure vendors of PKI-enabled cards have donated support to Windows.

16. From FPKITWG:

In further discussion of costs, ROI was mentioned by some as the real key to addressing costs. Others, including Michele Rubenstein, expressed the view that someone needs to come up with documentation on the total cost of ownership for PKI, not just ROI. She mentioned some related work that the Directory Forum in the Open Group is pursuing for directory.

17. From FPKITWG:

The only real discussion of the action plan was around testing. The PKITS and NIST Protection Profiles are familiar to this group and will address interop issues that relate to conformance (as well as a common set of functions for all clients). However, for non-path-validation topics there was some interest in the Open Group taking up a role for other testing. Note that there were some Open Group folks in the room and it was they who expressed this interest.

Proposed Changes to be made without discussion:

1. From John Sabo:

In the introduction, para 2: "But high costs and interoperability problems have limited the use of PKI." I'd suggest saying "But a number of barriers, including lack of applications, high costs, poor understanding of its benefits, and interoperability problems have contributed to the limited use of PKI."

2. From John Sabo:

Last Paragraph, Section 2.0: I would suggest deleting the sentence, "Membership fees are quite low, especially for individuals and non-profit organizations." This seems to make it more like a commercial than an invitation.