
Subject: Re: [pki-tc] Bridge CA update?


Stephen et al,
To get a fully objective view of this is hard.

At least from my Scandinavian perspective I can safely testify that nobody is
even talking about BCAs.  The reasons are many, here are the most important:

- The governments have found another architecture for G2G communication.
  This architecture works trust-wise on the domain/org level.
- The Scandinavian PKI market is 100% commercial.
  Commercial certificate vendors don't deal with competitors.
- Federated identity management, SAML and RBAC are more extensible concepts
  than BCAs.
- Secure e-mail is not the primary way to "run a business" these days.
- The European BCA is a political project having no known user support.

Regarding "sector BCAs" I find this idea fairly odd.  Let's say that the
pharmaceutical industry pulls off the SAFE concept.  Don't pharmaceutical
companies interact with hundreds of other sectors?  If the SAFE concept is
essentially only targeting the FDA and their counterparts it seems more logical
to run a central CA for those probably rather few people who directly interact
with government agencies.  As government agencies in different countries
probably also have different requirements, it seems pretty hard to even get
this considerably reduced scheme to work.

============================================================================
It is in this context worth mentioning that the US agencies are almost alone in
their decision to use secure mail in their communication with the rest of
the society.  That is, most other countries mainly target the web.
============================================================================

BTW, I think this issue is much more interesting than "to BCA or not" as the
practical consequences are huge to say the least.  Also for PKI.

However, if you put this information in your report it will not be possible to
publish it.  I therefore suggest something like:

  The innovative BCA concept is taking the PKI market by storm.  It was
  conceived by the US federal agencies and has now reached the EU and Asia
  as well.  The private sector have with schemes like SAFE indicated that they
  indeed also support this idea.   The UN is presumed to in the future be running
  a top-level BCA to eventually tie all disparate bridges together, enabling an
  entire world to use secure messaging.

Sincerely
Anders Rundgren
PKI Architect etc. (working for a major computer security company but the views
expressed here are my own and do not necessarily represent those of my employer)


----- Original Message ----- 
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: <pki-tc@lists.oasis-open.org>
Sent: Tuesday, January 25, 2005 01:35
Subject: [pki-tc] Bridge CA update?



Dear All

Does anyone have an independent and up-to-date view of how the US Federal
Bridge CA is travelling?  I have been told that some agencies are choosing
to not be involved with the FBCA, for reasons I think to do with
complexity (although I may be wrong about that).

Is the take-up rate of the Bridge meeting expectations?  Or is there
perhaps some caution still (as there is with PKI in general)?

And is there a view of what the appearance of other sector-specific
Bridges means, in pharma, aerospace etc?  Personally, I interpret sector
specific Bridges as a sign that PKI itself is naturally sector specific.

I am drafting a paper, separate from Oasis activities at this stage, on
PKI interoperability models, and am trying to reach a critical,
constructive view of the Bridge.

I note that a newer European Bridge CA Model appears to be less
prescriptive with regards to CP/CPS than the US FBCA.  I don't know a lot
about the European model yet, but I might hazard a guess that the US FBCA
in effect implements cross-certification (with precise policy mapping of
all member CAs) whereas the European Bridge might be attempting "cross
recognition" where the certificates of members are not taken as mutually
equivalent, but rather are recognised for more particular purposes.

All feedback most welcome!

Cheers,

Stephen.



Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent advice and analysis on cyber
security policy, strategy, risk management, and identity management.
Lockstep is also developing unique new smartcard solutions to address
privacy and identity theft.
Contact swilson@lockstep.com.au.

