OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [pki-tc] re:[pki-tc] FW: Digital signatures and PKI in the United States

Title: RE: [pki-tc] re:[pki-tc] FW: Digital signatures and PKI in the United States


The initiative by pharmaceuticals, that Stephen mentions below, has turned into SAFE - see http://www.safe-biopharma.org/

What is SAFE?
SAFE is a network of recognized trusted healthcare professionals and an identity management standard and associated operating rules that deliver unique identity keys for regulatory compliant and legally enforceable digital signatures.

SAFE is designed for the purpose of simplifying, securing, and streamlining business-to-business and business-to-regulator information exchange. The SAFE standard consists of policies, procedures, guidelines, technical specifications and a legal and liability risk management framework for ensuring the validity of the electronic signatures used for information exchange and electronic submissions to regulators.

Helen Mullenger
UniCERT Product Management
Office: +44 (0)208 831 2901
Mobile: +44 (0)789 994 5411
-----Original Message-----
From: Stephen Wilson [mailto:swilson@lockstep.com.au]
Sent: 26 July 2005 19:39
To: barbara.weindl@rl-ag.com
Subject: [pki-tc] re:[pki-tc] FW: Digital signatures and PKI in the United States

Dear Barbara

I have some ideas for your research; see below.  I can speak with
experience from the Asia Pacific area mainly, if that helps.


Stephen Wilson
Lockstep Consulting Pty Ltd

11 Minnesota Ave
Five Dock NSW 2046

P +61 (0)414 488 851


About Lockstep
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent advice and analysis on cyber
security policy, strategy, risk management, and identity management. 
Lockstep is also developing unique new smartcard solutions to address
privacy and identity theft.

> All,
> If any of you have a moment to help out a German student working on a
> thesis, she has some questions below.  She got a failure trying to email
> directly to the list (which was my suggestion), so if you respond, you
> might want to email her directly.

> =david
> From: Barbara Weindl [mailto:barbara.weindl@rl-ag.com]
> Sent: Tuesday, July 26, 2005 10:03 AM
> To: Skyberg, David
> Subject: AW: Digital signatures and PKI in the United States

> Hi David,

> Thank you for your response.

> I will contact the PKI TC as well. Thank you in advance.

> Below there would be some questions for you:

> *         For which processes do companies use digital signatures?

The trend in Asia Pacific is to implement digital signatures for
transactions which are:

- reasonably high in volume
- routine and structured (like forms)
- conducted between parties which have special credentials (like
  professionals, licensed brokers, govt officials etc)
- long lived (so the credentials have to be verifiable over long
  periods of time)
- relied upon my multiple parties (unlike Internet banking where there
  is just one RP, the bank).

> *         Do companies in the automotive industry are using digital
> signatures for example between suppliers and OEM's? (for example for
> invoices?)

There is an automtive supply chain project in Australia called AANX which
uses PKI operated by a company in Melbourned called KeyTrust.
> *         Do they have one certification authority for the whole
> automotive industry?

For AANX I believe there is a single CA.

> (I wrote an e-mail to General Motors and I got the answer that they do
> not use digital signatures "because they can be easily duplicated"!)

They must think you were referring to digitized signatures (images). It's
sad that they are so confused. 

> *         Do you know if the pharmaceutical industry is using PKI?

As a whole, I am not sure.  But Johnson & Johnson have a huge enterprise
wide PKI deployed with USB Keys.  J&J Security Director Richard Guida has
made many presentations on this and his slides are easily found using

I understood that a pharma had plans some two years ago to implement the
Identurs Eleanor messaging system to do two things: (1) help automate
payments for clinical trial physicians, and (2) much more excitingly I
think, to manage clinical data reporting messages.  Eleanor was a
structured messaging system designed for payments but re-usable for other
applications too, where integrity and auditibility are important.

This pharma Eleanor project was fairly secretive; I hope it got going, and
I hope you can dig up some information.  If so please stay in touch with

> I read that they have a 'Controlled Substances Ordering System' which
> will be handled with PKI. As far as I know the Drug Enforcement
> Administration will act as the CA.
> *         Are there any other areas of applications where pharmaceutical
> companies are using PKI?

> *         Do you know something about the mortgage industry and the
> energy industry?

The mortgage industry in Australia (actually, the lands registry offices
of the state governments) is very active with PKI strategies and designs. 
Nothing has gone live as yet.  For old business cases, see

And try Googling "electronic conveyancing" in Australia.

Also, the Land Information New Zealand project (try Googling "LINZ") was a
successful (?) project for putting geographical data online using PKI.  I
think the mortgage industry was planning to get involved; they might have
made progress there.

One example from the US Power Industry I knew of was CAL-ISO in
California, which implemented a Spyrus based system to secure real time
load information that was being reported automatically around the grid. 
Not sure of the fate of this project.
>  *         Do companies in the United States use PKI for document
> retention?

> David that would be some of my questions I have.
> Thank you for spending your time.
> Greetings,

> Barbara

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]