OASIS Mailing List Archives

pki-tc message


Subject: RE: [pki-tc] Application SC report - August 2005

<Warning, rant ahead!>


It's one of the big challenges to all standards bodies and not just
limited to PKI.  It seems that standards bodies are a bit like IT O/S
and Application product vendors - everybody creates differentiators that
"add value". The result is, in the case of PKI, a lot of product vendors
who won't incorporate certificate-based services into their product
lines because the standards are, in their words, "immature."  

We're still faced with the dynamic that I encountered in the WEMA PKI
Interoperability Challenge I co-chaired from 1997 through 2001.  Back
then I stated that the PKI market would never break out of its
niche-status until everyone involved in the market saw fit to
collaborate and implement an open set of standards that limited the
large number of options to a set of proven interoperable configurations
that simplify the development tasks associated with certificate-based
services that don't dictate which PKI vendor wins above all others.  

I always liked the NIST concept of a universal, High-Level Crypto API
that would perform the essential crypto-functions that PKI vendors could
write a glue-layer on one side of the API and product vendors write a
glue layer for the other side.  

It would have been a great win-win situation in my opinion. Product
vendors and systems developers would only have to write one (simpler)
interface instead of guessing which PKI vendors might prevail in the
marketplace (admittedly, there are fewer PKI product vendors today, but
there is still more than one, which at least doubles their development
costs). PKI vendors would likely have a smaller share of a vastly larger
market, thus increasing their overall revenues.

Look at the history of the messaging market.  Once SMTP became the
universal protocol, the market expanded nearly at the speed of light.
Ironically, secure messaging hasn't done so well - but that's more from
the impact of the fragmented PKI market than anything else.

Rant off

Paul (who's stating only personal opinion here) Evans

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
Sent: Monday, August 15, 2005 1:26 PM
Subject: [pki-tc] Application SC report - August 2005

It appears that the more research I do into the possibility of digitally
signing and encrypting transactions from the browser directly, the more
complex the picture becomes - some technically, but more so from the
number of groups addressing issues around this problem, but not this
problem itself.

I recently became aware of an ad-hoc working group called the Web
Hypertext Application Technology Working Group (WHATWG)
(http://www.whatwg.org/) that is attempting to define standards around
Web Forms 2.0 - a supposedly better way to write web applications.  It
is being promoted by the Mozilla Foundation and Opera, and they've
submitted (or are in the process of submitting) their initial draft to
the W3C.

I am attempting to determine the details of their specification and to
see if they've addressed forms signing/encryption within their draft,
thus adding one more detour before the real work can be done.

It does seem that PKI is gaining momentum - although in small

   i) OpenOffice has implemented XMLSignature-based digital
      signatures in their free 1.9x implementation of office
      suites.  It actually works;

  ii) Sun has released a JSR-105 (XMLSignature)-compliant
      reference implementation of the open-source Java library
      so that applications can use a standard API to use digital
      signatures (haven't tested it yet);

 iii) The Java library compliant to XMLEncryption standards
      (JSR-106) public-review is imminent, according to the
      JSR-106 chairman; they're anticipating standardization
      sometime this year, perhaps;

While enabling technologies are slowly coming to market, the ability for
corporate IT developers to use this technology easily (as well as the
technical documentation to make sense of it all) remains out of reach.
We need to address this.

Arshad Noor
Chairperson, Applications Guidelines SC
