OASIS Mailing List Archives



pki-tc message


Subject: Update on the CDC gateway PKI


I hope that you studied the following, which is to date the only published example of
how the US public sector actually uses PKI for sophisticated applications (not e-mail):


What is particularly interesting is that pages 11-13 show that CDC
uses a "gateway" PKI approach rather than the end-to-end security approach
implied by the current Federal PKI architecture.

A valid question arises: Is the CDC scheme unique?

The answer is somewhat funny.  CDC's solution is unique from a technical
point of view.  However, there are probably HUNDREDS of unique gateway
solutions within the federal/state sphere.  The CDC scheme is, though, likely
to be way ahead of most other schemes.

That all gateway schemes "invent" their own credential scheme and security
measures is because there are no gateway standards[1], recommended credentials,
or guidelines to cling to.  Putting RFC 3280 in the hands of information system
developers and claiming "this is what you need" is a very unrealistic way to get
PKI support on a wider scale.  But this is where we are today.

How can the PKI TC address this?  In my opinion, by acknowledging:
1. Gateways are a de-facto standard way of achieving security and interoperability
2. End-to-end security has huge limitations in many important scenarios, which
means that if such scenarios are to use PKI, some kind of "cookbook" is needed

Anders Rundgren

[1]  The huge pile of WS-* standards does not require/suggest any
particular credential scheme; they are just frameworks.
