

Subject: Re:[pki-tc] PKI-TC charter issue


Hi Stephen,

I only addressed digital signatures in the most prevalent environment
of all, not other possible PKI problems and misconceptions we may face.

Since you have ties to the Asian PKI community, can you give us any
information on how this part of the world addresses "Web Sign"?

Regarding the other things you write about, I (for those who have the
time to read) comment on this inline below.

thanx,
Anders Rundgren

>I don't see things as bleakly as you do apparently.

I'm a realist. In spite of the problems, 7% of the Swedish population
use digital signatures and PKI on a regular basis.  That's probably a
world record (per capita).  But frankly those solutions stink as they
are non-mobile, use NDA-protected signature plugins, and are,
due to their "soft" nature, hardly more secure than static passwords.

<snip>

>The main impediments to PKI to date I think are as follows: 

>(1) people misunderstood that PKI is really only well suited (or uniquely 
>suited shall we say) to signature applications (i.e. paper-like 
>transactions) with multiple relying parties, with rather long lifetimes. 

I would put it differently.  PKI is the only technology that is suited
for digital signatures but signatures are (in the client context NB)
in fact entirely optional.

>(2) people aimed for a one size fits all, general purpose identifier, when 
>in fact, in paper-like e-business, we use multiple identities/credentials.  

This sounds like an EU idea and has indeed failed.  Except when RPs are
government agencies in a country where there is a working citizen ID.
Like in Sweden.

>Therefore, some of the dead-ends of PKI have included Big Bang electronic 
>passport types of business models, 

Don't know exactly what you are referring to here.

>e-business exchanges, 

That was a really bad idea but I don't think we agree on why!

>internet banking, 

I would be very interested to know why internet banking is not suited for PKI.
All banks in EU want to use PKI.  The reason they usually don't is the same
reason as why private enterprises don't: Where is the reader?  There are
other reasons as well, like the fact that on-line provision is the norm
but still very badly handled by browser vendors (no standards).

>and person-to-person e-mail.

See e-business exchanges.

(3) added: PKI specialists' fixation with end-to-end security in spite
of that it is impossible to launch without taking down every app there
is and rework not only the SW but the business processes as well.
(usually by adjusting the "business logic" as this layer is in conflict
with the client/user as the only authority).

<snip>

/a

