OASIS Mailing List Archives

pki-tc message


Subject: Web (browser) PKI Standards - A study


Dear all,

I have, on behalf of a client, taken the liberty to investigate the state of
client-side PKI support in web-browsers with respect to standards
and interoperability.  There were several reasons for performing this
study, and a major one was that we have found that none of the pretty
large Nordic e-government initiatives and on-line banks actually use
the browsers' built-in client-side PKI mechanisms at all; most of them
rather rely on Java applets developed by various ISVs.  The reason for
this is very obvious:

=============================================
   Practically every piece of client-side Web-PKI, ranging
   from on-line certification support to on-line (web-form)
   signing, is currently entirely vendor-dependent
=============================================

Some people point to Microsoft and Netscape and maintain that this
situation is "their fault".  I believe this explanation is far too simplistic.
Here is another analysis for what it is worth:

1) The SW industry supplying basic technology such as operating systems
and browsers, is entirely dominated by US companies.  However, the US
is also severely lagging with respect to the usage of PKI which probably
is taken as a sign by these SW vendors that "there is no market for PKI".

2) The financial sector in Europe and Asia was the first to take advantage
of large-scale usage of client-side PKI and digital signatures.  However,
the very same financial sector has also demonstrated marginal interest in
participating in the development of standards that "anybody" could use.

3) The public sector is the second largest user of PKI (here again looking
at Europe and Asia), but seems generally lacking a "voice" in the few
organizations that actually "set the standards".  It is rather the opposite:
the public sector appears to be heavily dependent on external consultants
that usually also have strong ties to certain vendors and their working,
but unfortunately mostly proprietary solutions.

Assuming that there will be billions of users of Web-PKI in a few years
from now (here adding the crowd likely to use "The Mobile Internet"),
it seems that there are quite a few things that need to be fixed.

Regards
Anders Rundgren
Independent Consultant, PKI and e-business
+ 46 70 627 74 37 (on CET)


