pki-tc message



Subject: re:[pki-tc] PKI-TC charter issue



Anders wrote:

> From the current charter:
> 
> "promote the deployment of digital certificates for
> many business purposes including digital signatures. The purpose of
> the PKI TC is to address issues related to the successful deployment
> of digital certificates to meet business and security requirements, as 
> well as technical and integration/interoperability issues"
> 
> As most of us probably have noticed, the web has become a ubiquitous
> channel for information exchange, including advanced services such as
> on-line banking.
> 
> However, this channel does not support digital signatures except through
> proprietary and NDA protected products, giving high costs and zero
> interoperability.
> 
> My question to the PKI-TC members is simply: How do you intend
> to in a practical way address this "standards deficit", which obviously
> does not promote the use of digital signatures?
> 
> thanx
> Anders Rundgren

Anders

I don't see things as bleakly as you do apparently.  Across Asia there are 
dozens of important PKI applications rolling out.  We see significant 
moves towards embedded PKI, especially in smartcards (in Taiwan, they have 
800,000 govt-issued smartcards specifically for PKI enabled apps).  The 
set-top box PKI of OpenCable seems to me to be one of the biggest PKIs 
ever, anywhere, with millions of embedded certificates.  

The main impediments to PKI to date I think are as follows: 

(1) people misunderstood that PKI is really only well suited (or uniquely 
suited shall we say) to signature applications (i.e. paper-like 
transactions) with multiple relying parties, with rather long lifetimes. 

(2) people aimed for a one size fits all, general purpose identifier, when 
in fact, in paper-like e-business, we use multiple 
identities/credentials.  

Therefore, some of the dead-ends of PKI have included Big Bang electronic 
passport types of business models, e-business exchanges, internet banking, 
and person-to-person e-mail.  Much more fruitful applications have been 
cross border trade documentation, e-health, and patent filing. 

I personally do not think that standards per se are the critical problem.  
Show me one example of a new electronic technology where standards took 
less than say a decade to get sorted out.  Yes we need standards, but it's 
not as critical as getting people to re-imagine PKI in more localised, 
community-of-interest-based deployments. 

Cheers, 


Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert 
Stephen Wilson, to provide independent advice and analysis on cyber 
security policy, strategy, risk management, and identity management.  
Lockstep is also developing unique new smartcard solutions to address 
privacy and identity theft. 
Contact swilson@lockstep.com.au. 




