OASIS Mailing List Archives

pki-tc message


Subject: Your PKI-TC input

I got the message you sent to the PKI-TC.

I still think that we (the PKI experts) have a lot of things
to cater for before we can "sell" PKI to the world in a big
way.  Local PKIs work AFAIK quite well; it is rather
when we talk about organization-to-organization messaging
that I at least feel that things break down a bit.

IMHO the PKI dogma that says that digital signatures and
certificates primarily are for replacing legally binding handwritten
signatures is the primary culprit for this mess.

Roughly 100% of existing high-value and high-volume EDI-style
B2B and bank-to-bank transactions are authenticated at the business
partner level through the use of leased lines, shared secrets, VPNs etc.

As long as we, the PKI community, continue to ignore this fact,
and update our visions accordingly, costs will be prohibitive,
interoperability "suck", and results be pretty marginal.

Even the EU have recently acknowledged that "signing legal entities"
is a necessity.  Particularly for automated processes where no
individual may be involved.  Invoicing is a major such activity.
But if this "works" for invoices shouldn't it also "work" for purchase
orders etc?  Certainly!  And voila, an entirely new PKI is born!

I'm very pleased to see that several European e-governments are
actually building IT-architectures secured by PKI, but separating
PKIs for G2G transactions from PKIs for C2G.

Regarding what is legally binding, I believe *anything* that constitutes
strong technical evidence is likely to end up as applicable in a
court of law.  10 years ago DNA didn't make it; today it does.

Anders Rundgren
