
pki-tc message



Subject: Re: [pki-tc] Fwd: PKI SC Status Reports Due Today


Arschad,

>I've come to the realization that the single biggest 
>difficulty is the ability to digitally sign a transaction in a 
>web-application in a standardized way.

Absolutely.  But as I mentioned a year ago the whole concept of web-
signatures is essentially unknown in the world of standards organizations:
http://lists.oasis-open.org/archives/pki-tc/200311/msg00000.html

>If you talk to a developer long enough, they will explain many different 
>ways that one can solve this problem, but none that are standardized.

Agreed.  Apart from the fact that there are no web-signature standards,
there is also this other little problem known as end-2-end security.
If applied to e-commerce, you end up with awkward schemes like
having to sign (and thus display) EDI data in the client environment. 
In non-PKI systems, EDI messages are created at server-level which
scales much better and is compatible with browsers and the web.
But doing that leaves server-PKI as the only viable option for signing
outgoing business messages.  The consequences of such schemes
are very far-reaching, but IMHO about 99% of these are just good.

Note though that such schemes are principally different to the US
federal PKI architecture which is rooted in S/MIME.

Anders Rundgren
PKI Architect etc.

