pki-tc message



Subject: FW: On Anders Rundgren's PKI ROI thoughts


Hi Anders,
Here is the response from one of the Education SC members.
thanks june

June Leung
Manager, PKI Department
FundSERV Inc.
1730 130 King St W
Toronto ON M5X 1E5
T. 416.350.2516
F. 416.362.6668 





-----Original Message-----
From: swilson@galexia.com.au [mailto:swilson@galexia.com.au] On Behalf Of Stephen Wilson
Sent: Sunday, September 05, 2004 10:27 PM
To: June Leung
Cc: swilson@lockstep.com.au
Subject: On Anders Rundgren's PKI ROI thoughts



June

Here's my response to Anders' very good and interesting thoughts.  


> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Thursday, August 19, 2004 2:27 AM
> To: June Leung; pki-tc@lists.oasis-open.org
> Cc: Kefeng Chen (E-mail)
> Subject: [pki-tc] ROI Was: [pki-tc] Reports for Education SC for Aug 04
> PKI TC
> 
> 
> June et al.
> May I comment a bit on the ROI issue?
> 
> There are three potential sources of ROI
> 1. Security related cost reductions (less fraud etc.)
> 2. Administration related cost reductions (eliminating 
> the "userid/password hell")
> 3. Enabling services that for technical and (sometimes) legal 
> reasons must use PKI. 

This is a good structure for understanding ROI.  I would re-cast #3 
as "services that for risk management reasons must use PKI".  My view is 
that PKI is best for paper-like transactions which require a 
persistent 'mark' (signature).  In certain cases, it is risk management 
that says we should use a digital signature, especially when there are 
multiple relying parties as Anders says.  Cases include e-health, patent 
applications, trade documentation, company reporting etc. 
 

> To estimate #1 is probably impossible for all but banks as only 
> banks have the volume and the statistics needed to do such 
> calculations.   Here I would like to mention that many banks have 
> lately become hesitant regarding the EMV card as they have found 
> out that the most fraud problems are on the Internet and here the 
> EMV card does not work.  Well, theoretically it could
> but nobody seems prepared to pay for the readers and software required.
> Quite a few banks have therefore implemented server-based payment
> schemes like 3D Secure that effectively delays the introduction of "true"
> PKI solutions.   This delay may very well turn out to be *indefinite* as
> the server-schemes have a huge, and so far mostly unexploited potential.

Lots of interesting points here! 

To begin with, it would be very nice to label EMV as an embedded PKI 
application.  Are we all comfortable doing so?  Technically, PKI might not 
be turned on in all cases.  

The issue of paying for readers may be evaporating before our eyes with 
vendors increasingly featuring built-in readers.  After Microsoft announced 
in Jan 2003 that smartcards were part of their strategic vision, it took 
Dell just 15 weeks to release the first Latitude Notebook with a reader. 

Regarding 3D, pardon my ignorance, but I thought a 'full blown' 
implementation would in fact utilise keys on the client side, like the old 
SET.  If so, then once smartcards are widespread we should see 3D 
come into play for e-commerce transactions.  

Without some active and tamper resistant (smartcard based) cryptography at 
the client end, I fear that all server schemes will remain vulnerable to 
attacks of various forms. 

> Regarding #2, SSO is still not a reality in most large organizations, 
> greatly limiting the value of a PKI.  Another problem is that 
> users nowadays need to access the Intranet from different locations 
> and devices, making non-mobile, "fat" solutions like PKI very awkward.

I agree with Anders that category #2 is not important, but I think I agree 
for different reasons!  I don't think SSO is a killer app for PKI.  The 
problem is it doesn't eliminate the fundamental vulnerability of 
passwords, until you move to two factor PKI like smartcards or USB keys.  


> Left is in my opinion #3.  In this segment we almost exclusively find
> various public sector related organizations.  

I definitely agree that #3 represents the strongest for return on 
investment.  There are whole classes of paper-like e-business which you 
wouldn't dare conduct without the safety of persistent digital 
signatures.  I don't think these applications are inherently confined to 
the public sector, although this is indeed where the action is right now. 

One of the best case studies for ROI from a new transaction system is the 
US Patent & Trademark Office.  Entrust had some good documentation on 
their website about this.  I'll chase it up separately. 


> Many of these exploit the
> primary feature of PKI, One-to-Many-Authentication (rather than only
> security which other solutions can offer as well).  If you have
> 
> - Numerous relying parties
> - A common identity system (like national IDs)
> 
> then PKI has a lot to offer in terms of ROI (and convenience).

The multiple RP criterion is a very strong one.  On the one hand, any 
e-business transaction can in theory be authenticated by NON PKI methods 
(like classical server side SSL plus passwords, as in net banking) but as 
the number of RPs goes up, the forensic cost of re-winding disputed 
transactions spirals out of control because there is no certainty over the 
veracity of the authentication evidence over disparate systems.  So it's 
the multiple RP scenario where PKI becomes *uniquely* beneficial. 

I agree too with "common identity system" BUT I don't think it necessarily 
means national ID.  Rather, common business identifiers are a very 
powerful and more practicable sub-structure for PKI.  Registered medical 
professionals, chartered engineers, accountants etc etc are all excellent 
candidates for scheme-specific PKI which instantiates their qualifications 
(aka professional IDs). 


> Unfortunately the unavailability of mobile, secure, convenient, 
> de-facto standard, and cheap "PKI containers" have forced also 
> quite a few of these customers into the server-schemes offered 
> by SAML et al.  These are often also using PKI but in very 
> different form.

The abstraction of "PKI containers" is very powerful.  In Australia there 
is an early stage project in the state of Queensland concerning smartcard 
driver licences.  The headline objective is to eliminate identity theft by 
exploiting the card's resistance to skimming.  But they are very 
deliberately positioning the smartcard as a potential container for keys 
to support general purpose PKI applications.   See also 
http://www.transport.qld.gov.au/new_driver_licence



> I think it would be wise to mention somewhere that server-PKI in many
> cases have replaced client-PKI due to the fact that the web has become
> the media of choice for service providers.   Secure e-mail is not 
> a system for the masses and this is really the true origin of 
> client-side PKI.

I don't know if this is precisely what Anders is getting at, but here's 
what I believe is one of the great conceptual hurdles that PKI has made 
for itself ... it's the misconception that person-to-person secure email 
is the primary application for PKI.  In almost all of the worked examples 
of digital certificates in the vendor literature, we see strangers Alice 
and Bob exchanging e-mails, reading each others' certificates, and working 
out from the CA, the CPS etc whether or not the other person is 
trustworthy.  It's craziness.  Real, interesting, important e-business is 
conducted NOT between strangers but rather between people who recognise 
one another's credentials, either because of a first hand relationship 
(usually contractual) or a second hand relationship (usually chartered, as 
between a qualified doctor and other parties who recognise the doctor). 

And the thought that recipients of e-business transactions will have to 
read the certificates (much less the CP/CPS) really makes a mockery of 
PKI.  Digitally signed transactions are usually read by machines, not 
people, and processed automatically on the basis that the certificate's 
Policy OID or something else has been pre-configured in the receiver's 
software. 


> Client-side PKI will come but the private sector will not care much until
> it beats passwords from day one.  This is probably some 5-10 years
> away and will be the outcome of a rather brutal (de-facto) standards-
> battle we see emerging on the horizon.

I think client side PKI will come in the form of embedded certificates in 
containers like smartcards.  PKI will be delivered to users via schemes, 
like credit card agreements, insurance contracts, voter registration, 
pension scheme contracts, professional registration, loyalty programme 
enrolments etc.  I am more optimistic that many of these programmes 
are a lot closer than 5-10 years. 

Cheers, 

Steve.


Stephen Wilson
Lockstep Consulting
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851





> regards
> Anders Rundgren
> 
> ----- Original Message -----
> From: "June Leung" <June.Leung@FundServ.com>
> To: <pki-tc@lists.oasis-open.org>
> Cc: "Kefeng Chen (E-mail)" <kefengc@geotrust.com>
> Sent: Tuesday, August 17, 2004 20:53
> Subject: [pki-tc] Reports for Education SC for Aug 04 PKI TC
> 
> 
> In the past couple of months, the Education SC did some research (see 
> attached).  We divided the sites/material into 4 categories: 
> Value/Benefits, ROI, Risk Management and Applicability.  We were able to 
> find case studies/examples supporting most of the categories (except ROI).
> 
> We are ready for the next step and would like to get some feedback from 
> the TC.
> 
> 1) We are having a difficult time locating ROI, Risk Management info.  
> Do you think it's necessary to have this information handy to 
> assist business people in making decisions on whether their company 
> should consider implementing PKI?
> 
> 2) If the answer is "Yes", do you know where we can locate this info?  
> We are also thinking of having someone assist us in writing 
> the documentation if we can't locate them.
> 
> 3) We would like to post our results, and we are thinking that the PKI 
> resource page would be a natural spot.
> http://www.pkiforum.org/resources.html  Do you agree?
> 
> 4) We also require contractor's assistance to revamp the resource page.  
> Some of the info is not current and links no longer exist.
> If we hire a contractor, will we be able to share resources with the 
> other SCs?
> 
> thanks
> june
> 
> 
> June Leung
> Manager, PKI Department
> FundSERV Inc.
> 1730 130 King St W
> Toronto ON M5X 1E5
> T. 416.350.2516
> F. 416.362.6668
> 
> 
> 
> 
> 
> 
> --------------------------------------------------------------------------------
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of 
> the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/pki-tc/members/leave_workgroup.php.
> 
> 
> 

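Stephen's point above, that digitally signed transactions are processed by the receiver's software on the basis of a pre-configured certificate Policy OID rather than by a person reading the certificate or CPS, shown as an added example that is not part of this thread: a pure-Python decoder for the DER certificatePolicies extension (RFC 5280, 4.2.1.4) and a relying-party check that accepts only policy OIDs the receiver has configured. The enterprise arc 1.3.6.1.4.1.99999 and the sample extension bytes are constructed for the example, not taken from any real scheme.

```python
# Added example (not from the thread): relying-party check of the
# certificatePolicies extension against pre-configured policy OIDs.

ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy; not accepted as a wildcard here

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Turn DER OID content octets into dotted form (base-128 sub-identifiers)."""
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this sub-identifier
            subids.append(value)
            value = 0
    first = subids[0]                       # first two arcs are packed together
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])

def policy_oids(ext_value: bytes) -> list:
    """Extract every policyIdentifier from a DER certificatePolicies value."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):                  # SEQUENCE OF PolicyInformation
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        itag, oid, _ = _read_tlv(info, 0)   # policyIdentifier is the first field
        if itag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    return oids

def accept_transaction(ext_value: bytes, configured: set) -> bool:
    """Accept only if the certificate asserts a scheme policy this receiver trusts."""
    asserted = set(policy_oids(ext_value)) - {ANY_POLICY}
    return bool(asserted & configured)

# Constructed sample: anyPolicy plus a made-up scheme OID under the private
# arc 1.3.6.1.4.1.99999 (placeholder enterprise number, not a real scheme).
SAMPLE_EXT = bytes.fromhex("3016" "3006" "0604551d2000"
                           "300c" "060a2b0601040186" "8d1f0101")
```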

