Signautures: [pki-tc] Was: On Anders Rundgren's PKI ROI thoughts

["Anders Rundgren" <anders.rundgren@telia.com>]

>From: swilson@galexia.com.au [mailto:swilson@galexia.com.au]
>I defintely agree that #3 represents the strongest for return on 
>investment.  There are whole classes of paper-like e-business which you 
>wouldn't dare conduct without the safety of persistent digital 
>signatures.  I don't think these applications are inherently confined to 
>the public sector, although this is indeed where the action is right now. 

Although I principally agree, the ability to sign documents or transactions
in a web environment is actually 100% vendor-defined.  "Vendor" does
in this context not refer to browser/OS vendors but to various security
ISVs, consultants, and in-house suppliers.

That is, in spite of decades of talks about digital signatures, we still don't
have the means to do it in a cost-efficient fashion, and particularly not in an
_interoperable_ way.    That signed e-mail is standard is all and well but
this is not where the action is today.

The only browser vendor that have expressed any interest in this matter
is Microsoft, but unfortunatly they want to do it on their own and only
support it in "Longhorn".  I'm less convinced that this is what e-governments
and on-line banks are looking for, as they are in no position to convert their
entire user-base into using a single operating system no matter how
good it might be.

So for now, PKI is (on a wider scale) effectively limited to providing
"strong authentication".  It is worth noting though that there are other
and less complex means to obtain this in a web environment, here
thinking of One Time Passcode systems which have the tremendous
advantage of not requiring any additional client software or readers.

regards
Anders Rundgren