pki-tc message


Subject: Re: [pki-tc] Question about PKI and Federated Identity

While I don't want to start a long discussion of Federated Identity 
(FI), I do want to second Steve's comments about the complementary 
roles of PKI and FI.  Having been working in both areas for several 
years, I would like to add a few thoughts to Steve's.

FI certainly does not replace the function of asymmetric cryptography 
in securing or ensuring the integrity of documents.  For example, 
S/MIME capabilities for general users are not served well, if at all, 
by FI.  (Some have argued that we should all be our own CAs for that 
purpose, but that's another thread.)

What FI does do is mitigate the problem of the meaning of PKI 
certificate content.  In other words, application A or organization X 
does not have to understand the credentials issued by organization Z. 
Instead, it trusts organization Z to assert reliable and relevant 
information about the holder of that credential, using a protocol 
that the application A or organization X can understand.  This, of 
course, is vastly more flexible than any stand-alone credential ever 
could be.  It also can serve to protect end users' privacy by 
controlled release of information, as opposed to revealing the same 
set of information to every relying party.

FI does rely on the trustworthiness of each party in the trust fabric 
and that is the subject of much discussion currently.  Part of that 
trust involves "rules" about how identity credentials are issued and 
managed by the identity provider organization.  This is where PKI 
credentials (and smart chip devices) can play a critical role.  Hence 
there is a natural synergy between FI and PKI.

	David Wasley
	Univ. of Calif.

At 2:45 PM -0500 on 3/17/04, Steve Hanna wrote:

>PKI TC members,
>
>Here is an email that was sent to the pki-tc-chair
>alias with a comment about Federated Identity
>and PKI. If you would like to reply to this,
>feel free to do so.
>
>I told Mr. Kershaw that I would pass on this
>note to the PKI TC for comment. I also told
>him about my personal opinion, which is that
>Federated Identity (FI) standards are useful
>and complementary to PKI. FI can use PKI to
>authenticate users (or not). FI typically uses
>PKI to secure communications between trust
>authorities (but not always). FI can reduce
>the need for large PKIs by allowing organizations
>to recognize each others' credentials (although
>many of the same hard issues arise, like
>defining levels of trust and liability).
>
>So I don't see FI as a panacea or a replacement
>for PKI. Rather, I see them as complementary.
>However, that's just my opinion. Please feel
>free to share yours. And feel free to cc the
>pki-tc alias on your response. I expect we'd
>all be interested in how this discussion proceeds.
>
>-------- Original Message --------
>Subject: [pki-tc-chair] Widespread adoption of PKI
>Date: Wed, 10 Mar 2004 06:27:43 +0000
>From: Mark Kershaw <mkersh@hotmail.com>
>To: pki-tc-chair@lists.oasis-open.org
>
>Dear sir/madam,
>
>I have had a brief look through your action plan and was surprised that
>there was no mention of adoption of Federated Identity standards as a
>way forward for the widespread adoption of PKI.
>
>Admittedly, at the moment these FI standards (Liberty Alliance, SAML,
>WS-Federation) do not cater for services like digital signatures, but I'm
>sure this will come in time.
>
>As a technical architect I know the cost of integrating a PKI solution
>into a product. Federated Identity, if it becomes mainstream, will solve most
>of these problems. From a solution provider's perspective you should
>literally be able to drop any Identity Provider's solution into your offering.
>
>Any comments?
