Subject: Measuring the success of PKI [was: PKI-TC charter issue]
Anders wrote:

> Hi Stephen,
>
> I only addressed digital signatures in the most prevalent environment
> of all, not other possible PKI problems and misconceptions we may face.
>
> Since you have ties to the Asian PKI community, can you give us any
> information on how this part of the world addresses "Web Sign"?

Sorry Anders, I am not totally sure what you mean by "web sign". Do you mean applying digital signatures in thin client web apps? Personally I think that XMLsignatures is the key here, allowing more widespread implementation of digital signatures in simple web forms. We don't see a lot of this yet for two reasons: (1) penetration of XML, and (2) more importantly, we're in a PKI lull at the moment where developers and architects don't see the point of doing dig sigs at all (which then reinforces the slow uptake of XMLsignatures).

> Regarding the other things you write about I (for those who have the
> time to read) comment this in line below
>
> thanx,
> Anders Rundgren
>
> >I don't see things as bleakly as you do apparently.
>
> I'm a realist. In spite of the problems 7% of the Swedish population
> use digital signatures and PKI on a regular basis. That's probably a
> world record (per capita). But frankly those solutions stink as they
> are non-mobile, use NDA protected signature plugins, and are
> due to their "soft" nature hardly more secure than static passwords.

But why should we measure the success of PKI by the percentage of the general public using it? By its very nature it's not a ubiquitous technology. A very big obstacle we all need to get over is the long lasting misconception that PKI would (or should) be ubiquitous. We (as PKI advocates in the TC) I think should be very happy if we were to see PKI penetrate say 5% of the population, as long as it was the right 5%, and led to major improvements in the way certain types of e-business -- not all e-business -- is carried out.

> <snip>
>
> >The main impediments to PKI to date I think are as follows:
>
> >(1) people misunderstood that PKI is really only well suited (or uniquely
> >suited shall we say) to signature applications (i.e. paper-like
> >transactions) with multiple relying parties, with rather long lifetimes.
>
> I would put it differently. PKI is the only technology that is suited
> for digital signatures but signatures are (in the client context NB)
> in fact entirely optional.

"Entirely optional"? That seems to me to be a rather sweeping statement. Certainly we have found that signatures are not necessary in internet banking, for the same reason they are not necessary in phone banking: a closed, hub-and-spoke system, where the only RP is at the hub, boils down to (a) access control plus (b) strong audit.

But there are countless applications where signatures are most definitely required. In Australia, large consulting projects in a wide range of fields including medical prescriptions, pension funds management, and the real estate industry, have analysed in detail the hundreds of instances where the law here requires a person to sign something. Very few of these instances can be nicely automated online without PKI.

My experience is that when deciding whether to apply PKI or not, the first question should be "If we were doing this thing on paper, would anyone need to sign anything?" and if the answer is no, then we can probably qualify out PKI right away.

As we speak, Down Under there are various initiatives underway here to deploy special purpose digital certificates to healthcare workers, lawyers, chartered engineers, and various business licence holders.

> >(2) people aimed for a one size fits all, general purpose identifier, when
> >in fact, in paper-like e-business, we use multiple identities/credentials.
>
> This sounds like an EU idea and has indeed failed. Except when RPs are
> government agencies in a country where there is a working citizen ID.
> Like in Sweden.
>
> >Therefore, some of the dead-ends of PKI have included Big Bang
> >electronic passport types of business models,
>
> Don't know exactly what you are referring to here

What I meant was that many people thought in the early days, that it would be useful (indeed compelling) to have a multi-purpose digital signature. And as you say, one practical problem is the need to roll out PKI technology to all apps at once, and for all users to have certificates. This "big bang" proved unrealistic (and to make it worse, we didn't have a clear idea which apps were really well suited to PKI, leading to the terrible combination of high project management risk and dramatic over engineering).

Incidentally, a few years ago, Jane Winn used the failure of the Big Bang PKI model to damn the entire notion of PKI. In her infamous Emperor Has No Clothes paper she pooh-poohed the fact that people weren't digitally signing e-marriage licences and the like. My response was she was criticising a very poor application of the technology, so her points were entirely academic.

> >internet banking,
>
> I would be very interested to know why internet banking is not suited
> for PKI. All banks in EU want to use PKI. The reason they usually
> don't is the same reason as why private enterprises don't: Where is
> the reader? There are other reasons as well like the fact that on-line
> provision is the norm but still very badly handled by browser vendors
> (no standards).

These are reasons for why internet banking with PKI is difficult, but my point is that internet banking with PKI is not necessary. The reason is that internet retail banking works using the same rules as phone banking.

It is often said that PKI is better for business banking and indeed I have seen reasonably good applications in treasury functions etc. This is because these more complicated transactions tend to need signatures (and because the economics can cope with relatively more expensive software development and support issues like smartcard reader deployment).

>
> >and person-to-person e-mail.
>
> See e-business exchanges.

There is a specific point I make about person-to-person email being a poor choice of killer app. When PKI vendors demo email they tend to illustrate Alice getting digitally signed email from stranger Bob, and then clicking her way through certificates and CP/CPS links and CRLs etc etc etc to determine whether or not to trust Bob. But nobody should seriously expect to do this detective work manually. Real killer apps for PKI usually have a machine acting as the Relying Party. That is, "Alice" is e.g. a server processing incoming forms. The checking of CRLs and CP/CPS etc (actually just comparing Policy OIDs) is done automatically.

The other important point in email is that really good PKI apps do not involve transactions between total strangers, but instead involve parties which have a prior business relationship, which is readily instantiated in the form of a certificate issued by one of the parties to the other. For example, a certificate standing for someone's qualification as a patent lawyer, or a licenced customs broker, or a registered medical practitioner. The idea that you can determine a total stranger's trustworthiness from reading their digital certificate is not practical, indeed is almost fanciful.

> (3) added: PKI specialists' fixation with end-to-end security in spite
> of that it is impossible to launch without taking down every app there
> is and rework not only the SW but the business processes as well.
> (usually by adjusting the "business logic" as this layer is in conflict
> with the client/user as the only authority).

Anders, I don't think implementing PKI always requires reworking all business processes and logic. In fact, the better PKI apps succeed by being overlaid on business processes without changing them. For instance, if a paper medical prescription process works by writ of a doctor's licence to practice, then it's very smooth and efficient to issue a digital cert to the doctor that simply represents her medical registration (say with the medical authority acting as RA) and to apply digital signatures in e-prescribing software. Usually this software is fat client, updated every quarter or so with a new version, and easily modified to call up some dig sig functions.

Cheers,

Stephen (the glass is always half full) Wilson.

Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482
11 Minnesota Ave
Five Dock NSW 2046
Australia
P +61 (0)414 488 851

--------------------

About Lockstep

Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent advice and analysis on cyber security policy, strategy, risk management, and identity management. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft. Contact swilson@lockstep.com.au.