Re: [pki-tc] Measuring the success of PKI [was: PKI-TC charter issue]

["Anders Rundgren" <anders.rundgren@telia.com>]

c-i-l

Stephen wrote:

>Sorry Anders, I am not totally sure what you mean by "web sign".  Do you 
>mean applying digital signatures in thin client web apps?

The following is a fairly good description of web sign.  Page #6 is the actual definition.

http://web.telia.com/~u18116613/onlinesigstdprop.ppt

>Personally I think that XMLsignatures is the key here, allowing more widespread 
>implementation of digital signatures in simple web forms. 

Absolutely.

>We don't see a  lot of this yet for two reasons: (1) penetration of XML,
>and (2) more  importantly, we're in a PKI lull at the moment where developers and 
>architects don't see the point of doing dig sigs at all (which then 
>reinforces the slow uptake of XMLsignatures). 

I cannot verify this.  XML is huge.  XML signatures is in good use.  But it is
mostly happening on the server side as the client platform is still inferior

<snip>

>But why should we measure the success of PKI by the percentage of the 
>general public using it?

It is at least one way to measure.  By doing that I would say that Sweden
is about FOUR MAGNITUDES more successful than the US :-)

>By its very nature it's not a ubiquitous  technology.  

I don't agree a single bit on that.  PKI will long-term become
more used than passwords for on-line services.

>A very big obstacle we all need to get over is the long 
>lasting misconception that PKI would (or should be) be ubiquitous. 

Since 50% of the entire Swedish population can get a PKI cert
today, I have some problems with this statement of yours.  Maybe
you refer to the universal use of a specific PKI? That's another issue
in my opinion.  Which I agree on BTW.

>We (as PKI advocates in the TC) I think should be very happy if we were to see 
>PKI penetrate say 5% of the population, as long as it was the right 5%, 

We are as I told you far ahead of this goal already.  With EMV cards
for payments using PKI we get some 35% penetration of a special
purpose PKI.

>and led to major improvements in the way certain types of e-business -- 
>not all e-business -- is carried out. 

IMHO all e-business can without doubt benefit from using PKI
*technology* but that involves everything from EMV payments in
a shop to server-signed B2B POs.

What kind of e-business would not gain by using PKI technology?

<snip>

>But there are countless applications where signatures are most definitely 
>required.  In Australia, large consulting projects in a wide range of 
>fields including medical prescriptions, pension funds management, and the 
>real estate industry, have analysed in detail the hundreds of instances 
>where the law here requires a person to sign something.  Very few of these 
>instances can be nicely automated online without PKI. 

I believe you are limiting the use of signatures by connecting it to law.
Digital signatures is a way to show intent.  That is, you can indeed
sign up for a dentist appointment using signatures.  This is already
implemented in Sweden.

<snip>

>These are reasons for why internet banking with PKI is difficult, but my 
>point is that internet banking with PKI is not necessary.  The reason is 
>that internet retail banking works using the same rules as phone banking.  

Now you are into this legal business again.  PKI should be
compared to long passwords and OTPs.  PKI is MUCH more convenient
as well as withstands any amounts of server-break-in attempts.
Passwords and OTPs typically lock the account after a few consecutive errors.
That could cost tons of money.

Signatures actually combine an intent (transaction request) with a
procedure and security and is IMO useful for paying simple
bills.  If the signature software is appropriate that is.  I do
this all the time actually...

>It is often said that PKI is better for business banking and indeed I have 
>seen reasonably good applications in treasury functions etc.  This is 
>because these more complicated transactions tend to need signatures (and 
>because the economics can cope with relatively more expensive software 
>development and support issues like smartcard reader deployment). 

I do not agree.  It is volume apps that benefit from PKI.  Things that
you only do occasionally you might as well do the conventional way.
But I of course again see this from a consumer perspective which is
due to the fact that in EU, PKI is mostly a consumer movement.

>The other important point in email is that really good PKI apps do not 
>involve transactions between total strangers, but instead involve parties 
>which have a prior business relationship, which is readily instantiated in 
>the form of a certificate issued by one of the parties to the other.  For 
>example, a certificate standing for someone's qualification as a patent 
>lawyer, or a licenced customs broker, or a registered medical 
>practitioner.  The idea that you can determine a total stranger's 
>trustworthiness from reading their digital certificate is not practical, 
>indeed is almost fanciful.  

Violently agree!

>Anders, I don't think implementing PKI always requires reworking all 
>business processes and logic. In fact, the better PKI apps succeed by 
>being overlaid on business processes without changing them.  For instance, 
>if a paper medical prescription process works by writ of a doctor's 
>licence to practice, then it's very smooth and efficient to issue a 
>digital cert to the doctor that simply represents her medical registration 
>(say with the medical authority acting as RA) and to apply digital 
>signatures in e-prescribing software.  Usually this software is fat 
>client, updated every quarter or so with a new version, and easily 
>mopdified to call up some dig sig functions. 

One problem is when this e-prescription is about to be transferred to
the pharmacy because message encryption which is a necessity in
this sector is incompatible with everything else. 
http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf

The following is a real example of e-health worth studying:
http://middleware.internet2.edu/pki05/proceedings/kailar-phinms.ppt

If individual signatures were to be added, they should (IMO)
be stored locally together with other audit info.

In fact, here I believe this TC is on the wrong track.  But "fortunately"
this TC is in very good company, there are numerous other "PKI-TCs"
and they all refuse to acknowledge the notion that an information
system can be "authorative".   We, the system architects have worked
with this "paradigm" since day #1 and see no reason to change. 
On the contrary, this is a wonderful way to create a scalable PKI. 
There is a reason why VeriSign have 1 billion relying parties for their
SSL CA as well as a million paying subscribers!

Here you already have a truly ubiquitous PKI BTW.

Cheers
Anders Rundgren