pki-tc message


Subject: RE: [pki-tc] Bridge CA update?


It seems to me that in addition to or in lieu of Bridge analyses, this
group should consider developments around intentional hash collisions
and the research being done about them, and the effects upon the future
of digital signatures and PK.

I may have missed something, but I do not recall the matter even being
discussed by the group yet.

> -------- Original Message --------
> Subject: Re: [pki-tc] Bridge CA update?
> From: "Anders Rundgren" <anders.rundgren@telia.com>
> Date: Tue, January 25, 2005 2:13 am
> To: "Stephen Wilson" <swilson@lockstep.com.au>, "PKI TC"
> <pki-tc@lists.oasis-open.org>
> 
> Stephen et al,
> To get a fully objective view of this is hard.
> 
> At least from my Scandinavian perspective I can safely testify that nobody is
> even talking about BCAs.  The reasons are many, here are the most important:
> 
> - The governments have found another architecture for G2G communication.
>   This architecture works trust-wise on the domain/org level.
> - The Scandinavian PKI market is 100% commercial.
>   Commercial certificate vendors don't deal with competitors.
> - Federated identity management, SAML and RBAC are more extensible concepts
>   than BCAs.
> - Secure e-mail is not the primary way to "run a business" these days.
> - The European BCA is a political project having no known user support.
> 
> Regarding "sector BCAs" I find this idea fairly odd.  Let's say that the
> pharmaceutical industry pulls off the SAFE concept.  Don't pharmaceutical
> companies interact with hundreds of other sectors?  If the SAFE concept is
> essentially only targeting the FDA and their counterparts it seems more logical
> to run a central CA for those probably rather few people who directly interact
> with government agencies.  As government agencies in different countries
> probably also have different requirements, it seems pretty hard to even get
> this considerably reduced scheme to work.
> 
> ============================================================================
> It is in this context worth mentioning that the US agencies are almost alone in
> their decision to use secure mail in their communication with the rest of
> the society.  That is, most other countries mainly target the web.
> ============================================================================
> 
> BTW, I think this issue is much more interesting than "to BCA or not" as the
> practical consequences are huge to say the least.  Also for PKI.
> 
> However, if you put this information in your report it will not be possible to
> publish it.  I therefore suggest something like:
> 
>   The innovative BCA concept is taking the PKI market by storm.  It was
>   conceived by the US federal agencies and has now reached the EU and Asia
>   as well.  The private sector have with schemes like SAFE indicated that they
>   indeed also support this idea.   The UN is presumed to in the future be running
>   a top-level BCA to eventually tie all disparate bridges together, enabling an
>   entire world to use secure messaging.
> 
> Sincerely
> Anders Rundgren
> PKI Architect etc. (working for a major computer security company but the views
> expressed here are my own and do not necessarily represent those of my employer)
> 
> 
> ----- Original Message ----- 
> From: "Stephen Wilson" <swilson@lockstep.com.au>
> To: <pki-tc@lists.oasis-open.org>
> Sent: Tuesday, January 25, 2005 01:35
> Subject: [pki-tc] Bridge CA update?
> 
> 
> 
> Dear All
> 
> Does anyone have an independent and up-to-date view of how the US Federal
> Bridge CA is travelling?  I have been told that some agencies are choosing
> to not be involved with the FBCA, for reasons I think to do with
> complexity (although I may be wrong about that).
> 
> Is the take-up rate of the Bridge meeting expectations?  Or is there
> perhaps some caution still (as there is with PKI in general)?
> 
> And is there a view of what the appearance of other sector-specific
> Bridges means, in pharma, aerospace etc?  Personally, I interpret sector
> specific Bridges as a sign that PKI itself is naturally sector specific.
> 
> I am drafting a paper, separate from Oasis activities at this stage, on
> PKI interoperability models, and am trying to reach a critical,
> constructive view of the Bridge.
> 
> I note that a newer European Bridge CA Model appears to be less
> prescriptive with regards to CP/CPS than the US FBCA.  I don't know a lot
> about the European model yet, but I might hazard a guess that the US FBCA
> in effect implements cross-certification (with precise policy mapping of
> all member CAs) whereas the European Bridge might be attempting "cross
> recognition" where the certificates of members are not taken as mutually
> equivalent, but rather are recognised for more particular purposes.
> 
> All feedback most welcome!
> 
> Cheers,
> 
> Stephen.
> 
> 
> 
> Stephen Wilson
> Lockstep Consulting Pty Ltd
> ABN 59 593 754 482
> 
> 11 Minnesota Ave
> Five Dock NSW 2046
> Australia
> 
> P +61 (0)414 488 851
> 
> --------------------
> 
> About Lockstep
> Lockstep was established in early 2004 by noted authentication expert
> Stephen Wilson, to provide independent advice and analysis on cyber
> security policy, strategy, risk management, and identity management.
> Lockstep is also developing unique new smartcard solutions to address
> privacy and identity theft.
> Contact swilson@lockstep.com.au.
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/pki-tc/members/leave_workgroup.php.


