
Subject: re:[pki-tc] FW: Digital signatures and PKI in the United States

Dear Barbara

I have some ideas for your research; see below.  I can speak with 
experience from the Asia Pacific area mainly, if that helps. 


Stephen Wilson
Lockstep Consulting Pty Ltd

11 Minnesota Ave
Five Dock NSW 2046

P +61 (0)414 488 851


About Lockstep 
Lockstep was established in early 2004 by noted authentication expert 
Stephen Wilson, to provide independent advice and analysis on cyber 
security policy, strategy, risk management, and identity management.  
Lockstep is also developing unique new smartcard solutions to address 
privacy and identity theft. 

> All,
> If any of you have a moment to help out a German student working on a
> thesis, she has some questions below.  She got a failure trying to email
> directly to the list (which was my suggestion), so if you respond, you 
> might want to email her directly.
> =david
> From: Barbara Weindl [mailto:barbara.weindl@rl-ag.com] 
> Sent: Tuesday, July 26, 2005 10:03 AM
> To: Skyberg, David
> Subject: AW: Digital signatures and PKI in the United States
> Hi David,
> Thank you for your response.
> I will contact the PKI TC as well. Thank you in advance.
> Below there would be some questions for you:
> *         For which processes do companies use digital signatures? 

The trend in Asia Pacific is to implement digital signatures for 
transactions which are: 

- reasonably high in volume 
- routine and structured (like forms)
- conducted between parties which have special credentials (like 
  professionals, licensed brokers, govt officials etc) 
- long lived (so the credentials have to be verifiable over long 
  periods of time) 
- relied upon by multiple parties (unlike Internet banking where there 
  is just one RP, the bank). 

> *         Are companies in the automotive industry using digital
> signatures, for example between suppliers and OEMs? (for example for
> invoices?)

There is an automotive supply chain project in Australia called AANX which 
uses PKI operated by a company in Melbourne called KeyTrust. 

> *         Do they have one certification authority for the whole 
> automotive industry? 

For AANX I believe there is a single CA. 

> (I wrote an e-mail to General Motors and I got the answer that they do 
> not use digital signatures “because they can be easily duplicated”!)

They must think you were referring to digitized signatures (images). It's 
sad that they are so confused.  

> *         Do you know if the pharmaceutical industry is using PKI?

As a whole, I am not sure.  But Johnson & Johnson have a huge enterprise 
wide PKI deployed with USB Keys.  J&J Security Director Richard Guida has 
made many presentations on this and his slides are easily found using 

I understood that a pharma had plans some two years ago to implement the 
Identrus Eleanor messaging system to do two things: (1) help automate 
payments for clinical trial physicians, and (2) much more excitingly I 
think, to manage clinical data reporting messages.  Eleanor was a 
structured messaging system designed for payments but re-usable for other 
applications too, where integrity and auditability are important. 

This pharma Eleanor project was fairly secretive; I hope it got going, and 
I hope you can dig up some information.  If so please stay in touch with 

> I read that they have a ‘Controlled Substances Ordering System’ which 
> will be handled with PKI. As far as I know the Drug Enforcement 
> Administration will act as the CA.
> *         Are there any other areas of applications where pharmaceutical
> companies are using PKI?
> *         Do you know something about the mortgage industry and the 
> energy industry?

The mortgage industry in Australia (actually, the lands registry offices 
of the state governments) is very active with PKI strategies and designs.  
Nothing has gone live as yet.  For old business cases, see 

And try Googling "electronic conveyancing" in Australia. 

Also, the Land Information New Zealand project (try Googling "LINZ") was a 
successful (?) project for putting geographical data online using PKI.  I 
think the mortgage industry was planning to get involved; they might have 
made progress there. 

One example from the US Power Industry I knew of was CAL-ISO in 
California, which implemented a Spyrus based system to secure real time 
load information that was being reported automatically around the grid.  
Not sure of the fate of this project. 

> *         Do companies in the United States use PKI for document 
> retention?
> David, those would be some of the questions I have.
> Thank you for spending your time.
> Greetings,
> Barbara
