Raising a Web Sign std. in the PKI-TC

["Anders Rundgren" <anders.rundgren@telia.com>]

Dear List.

 

A few months ago I asked the PKI-TC chairs if they were interested in the development of Web Sign standards.  They indicated that they were interested in this.

 

For those who are not familiar with Web Signing, my definition is simply: A user with a web browser that signs a form (transaction) when connected to an on-line service of some kind.  Although little used in the US, these schemes have become very popular in the EU due to the fact that secure e-mail has proved to be close to useless with respect to encryption[*], as well as being static and non-interactive (did I hear "boring"?).

 

The question for me is in which way the PKI-TC could contribute to such developments.  There are BTW two radically different proposals.

 

Anders Rundgren's: A "compilation" of a number of schemes already in use by millions of people

 

Arshad Noor's: An effort to bring XML security and end-to-end security to web, similar to S/MIME, but considerably more ambitious

 

Anyway, before going further on this road, I would like to take the opportunity to describe what I feel could work.  I do not regard the PKI-TC as a design TC, but rather a lobbyist type of community.  Due to that, it seems that the most constructive thing the PKI-TC could do, is to use its influence on various players in this space.

 

If we OTOH believe that the PKI-TC has a design capacity as well, I strongly recommend creating a separate group and list for this purpose. To create a design group (requirement spec. to begin with maybe?) though requires that there are some designers out there who are willing to take on such a task. 

 

Comments?

 

thanx

Anders Rundgren

 

*] "how do I send an encrypted message to the tax department" is a simple question that does not seem to have a reasonable answer in existing government PKIs.  Using the Web and HTTPS, mutual encryption comes at no cost.