RE: [pki-tc] FW: On Anders Rundgren's PKI ROI thoughts

[John Messing <jmessing@law-on-line.com>]

Please see inline comments.

> Stephen Wilson wrote in part on  Sunday, September 05, 2004 10:27 PM
> To: June Leung
> Cc: swilson@lockstep.com.au
> Subject: On Anders Rundgren's PKI ROI thoughts

> > Regarding #2, SSO is still not a reality in most large organizations, 
> > greatly limiting the value of a PKI.  Another problem is that 
> > users nowadays need to access the Intranet from different locations 
> > and devices, making non-mobile, "fat" solutions like PKI very awkward.
> 
> I agree with Anders that category #2 is not important, but I think I agree 
> for different reasons!  I don't think SSO is a killer app for PKI.  The 
> problem is it doesn't eliminate the fundamental vulnerability of 
> passwords, until you move to two factor PKI like smartcards or USB keys.  
> 
> 
> > Left is in my opinion #3.  In this segment we almost exclusively find
> > various public sector related organizations.  
> 
> I defintely agree that #3 represents the strongest for return on 
> investment.  There are whole classes of paper-like e-business which you 
> wouldn't dare conduct without the safety of persistent digital 
> signatures.  I don't think these applications are inherently confined to 
> the public sector, although this is indeed where the action is right now. 
> 
> One of the best case studies for ROI from a new transaction system is the 
> US Patent & Trademark Office.  Entrust had some good documentation on 
> their website about this.  I'll chase it up separately. 
> 
As an infrequent and frustrated end-user, I find that the USPTO PKI
system is extremely awkward to use and is seemingly administered in
puzzling ways. Some legal practitioners report prefering the older
paper methods because they are much easier
to use and less fraught with the possibilities for human error at the
receiving end.
> 
> > Many of these exploit the
> > primary feature of PKI, One-to-Many-Authentication (rather than only
> > security which other solutions can offer as well).  If you have
> > 
> > - Numerous relying parties
> > - A common identity system (like national IDs)
> > 
> > then PKI has a lot to offer in terms of ROI (and convenience).
> 
> The multiple RP criterion is a very strong one.  On the one hand, any e-
> business transaction can in theory be authenticated by NON PKI methods 
> (like classical server side SSL plus passwords, as in net banking) but as 
> the nukmber of RPs goes up, the forensic cost of re-winding disputed 
> transactions spirals out of control because there is no certainty over the 
> veracity of the authentication evidence over dispirate systems.  So it's 
> the multiple RP scenario where PKI becomes *uniquely* beneficial. 
> 
I disagree with this scenario. So long as each transaction is uniquely
identified, a secure audit trail can be automatically generated that
should scale admirably and be fully admissible in a US court as
competent evidence.

> I agree too with "common identity system" BUT I don't think it necessarily 
> means national ID.  Rather, common business identifiers are a very 
> powerful and more practicable sub-structure for PKI.  Registered medical 
> professionals, chartered engineers, accountants etc etc are all excellent 
> candidates for scheme-specific PKI which instantiates their qualifications 
> (aka professional IDs). 
> 
Agreed if each identifier organization securely performs the
registration function or its respective records can be used for that
purpose by third party vendors.
> 
> > Unfortunately the unavailability of mobile, secure, convenient, 
> > de-facto standard, and cheap "PKI containers" have forced also 
> > quite a few of these customers into the server-schemes offered 
> > by SAML et al.  These are often also using PKI but in very 
> > different form.
> 
> The abstraction of "PKI containers" is very powerful.  In Australia there 
> is an early stage project in the state of Queensland concerning smartcard 
> driver licences.  The headline objective is to eliminate identity theft by 
> exploiting the card's resistance to skimming.  But they are very 
> deliberately positioning the smartcard as a potential container for keys 
> to support general purpose PKI applications.   See also 
> http://www.transport.qld.gov.au/new_driver_licence
> 
> 
I think this response does not fully meet Anders' point, which I
understand to say that with a server's
tamper-evident seal, the authentication can be done externally and
baked into the document beneath the signature at runtime, which is
cheaper and easier than a full-blown PKI relying upon client
certificates to do both tamper-evident sealing and authentication
through a CA pursuant to the provisions of often arcane and difficult
to compare certification practice statements.
> 
> > I think it would be wise to mention somewhere that server-PKI in many
> > cases have replaced client-PKI due to the fact that the web has become
> > the media of choice for service providers.   Secure e-mail is not 
> > a system for the masses and this is really the true origin of 
> > client-side PKI.
> 
> I don't know if this is precisley what Anders is getting at, but here's 
> what I believe is one of the great conceptual hurdles that PKI has made 
> for itself ... it's the misconception that person-to-person secure email 
> is the primary application for PKI.  In almost all of the worked examples 
> of digital certificates in the vendor literature, we see strangers Alice 
> and Bob exchanging e-mails, reading each others' certificates, and working 
> out from the CA, the CPS etc whether or not the other person is 
> trustworthy.  It's craziness.  Real, interesting, important e-business is 
> conducted NOT between strangers but rather between people who recognise 
> one another's credentials, either because of a first hand relationship 
> (usually contractual) or a second hand relationship (usually chartered, as 
> between a qualified doctor and other parties who recognise the doctor). 
> 
> And the thought that recipients of e-business tranbsactions will have to 
> read the certificates (much less the CP/CPS) really makes a mockery of 
> PKI.  Digitally signed transactions are usually read by machines, not 
> people, and processed automatically on the basis that the certificate's 
> Policy OID or something else has been pre-configured in the receiver's 
> software. 
> 
True, but in a real-life contract dispute, judges and juries may have
to consider what the CP/CPS mean in terms of legal duties where a PKI
was used to sign a document of a contested transaction or matter. This
means the provisions will assume overriding importance at some time in
the future if and when litigation ensues, regardless of how consumers,
business entities, and governmental officials actually treat them
currently in their day-to-day affairs.
> 
> > Client-side PKI will come but the private sector will not care much until
> > it beats passwords from day one.  This is probably some 5-10 years
> > away and will be the outcome of a rather brutal (de-facto) standards-
> > battle we see emerging on the horizon.
> 
> I think client side PKI will come in the form of embedded certificates in 
> containers like smartcards.  PKI will be delivered to users via schemes, 
> like credit card agreements, insurance contracts, voter registration, 
> pension scheme contracts, professional registration, loyalty programme 
> enrolments etc.  I am more optimistic that many of the these programmes 
> are a lot closer than 5-10 years. 
> 

With all due respect,  I think it will not come about at all until there
are suitable registration practices that  meet the needs of relying
parties. A principal reason why one cannot obtain high ticket items on
credit online is because no relying party fully trusts a PKI to deliver
an enforceable
judgment in the event of a default.

My view is that PKI sells to the wrong party, who is the subscriber. It
excludes the relying party from the purchase, who has a greater if not
the sole interest in the quality of service that a PKI will provide. So,
people who buy certs are without an incentive to care about their
quality, in order to obtain goods or services from other people whose
needs may be ignored. This has forced some relying parties into the
position of trying to become their own CA's, each to its own,
resulting in differing procedures, logic and controls that can hamper
interoperability.

Anders' solution of a central server for signing to whom clients
authenticate via client-side enabled SSL has much to commend it,
particularly where relying parties trust the server's ownership and
control.

As for security, a central server that signs for authenticated clients
should present no greater risk of key compromise than a CA that signs
certificates using a single private key.

John Messing
American Bar Association representative to OASIS
Member, LegalXML Steering Committee
Chair, eNotary TC
Chair, American Bar Association eFiling Committee