Subject: Re: [pki-tc] PKI TC - Deliverables
I think it would be very valuable and educating if a PKI community like the PKI-TC shed some light on how *they* believe some of the most common processes you can think of, like e-procurement, could or should be "cast" in PKI. Since such processes involve multiple individuals as well as at least two organizations, you actually run into most issues of interest such as: authorization, audit, privacy, identity, encryption, signatures etc. etc. It is important to note that nobody has done this before, so such a task is also likely to face the usual problems pioneers often do. The listed stuff below to me rather represents "success stories" rather than guidelines. The OCSP question we discussed recently is an example of where an in fact extremely simple question did not have an obvious answer. BTW, I still wonder if there was something missing from my suggestion.

Anders R

----- Original Message -----
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Wednesday, November 23, 2005 22:21
Subject: [pki-tc] re:[pki-tc] PKI TC - Deliverables

Personally I think that login and e-mail are actually very awkward applications of PKI and do not represent best practice. There are many, many other live applications that do represent best practice:

- Austria's system for lodging all company registrations online with digital signatures (2.5M Secure Signature Creation Devices in regular use)
- USPTO online patent lodgement (a few thousand I think)
- Pan Asia Alliance cross border trade documentation (200,000 active certs)
- Australian Tax Office business tax returns (100,000)
- Australian Health eSignature Authority (soon to expand rapidly into PKI-enabled smartcards for healthcare professionals)
- Electronic Conveyancing Victoria (in advanced planning stage)
- Taiwanese Playsafe gaming card (10,000 pilot, planned to expand to 5M)
- Visa/Mastercard 3D Secure (numbers?)
- Open Cable embedded certs in set-top boxes (millions?)
- Electronic Certificate of Origin (ECO) projects in Japan, Korea, Sing
- US FIPS-201 PIV card (PKI applications yet to be announced as far as I know, BUT NIST has stated that PKI is essential to resist Man In The Middle attack, so one presumes that a whole raft of applications will soon be built around the powerful embedded multi-certificate capability of the smartcard).

Whether or not these applications have been documented to Anders' satisfaction is another question. A minimalist approach would be to write these up as case studies (and indeed, the Asia PKI Forum has asked the PKI TC to contribute to its Case Book, which has been posted to the Members Website already). A slightly greater effort could be put into abstracting what it is about these applications that makes them amenable to PKI, and then we could write up a guideline or a manual to guide application selection and certificate implementation.

Cheers,
Stephen.

Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482
11 Minnesota Ave
Five Dock NSW 2046
Australia
P +61 (0)414 488 851
--------------------
About Lockstep
Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent advice and analysis on cyber security policy, strategy, risk management, and identity management. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft.

> Dear List,
>
> Here is an extract from the current charter
>
> http://www.oasis-open.org/committees/pki/charter.php
>
> List of Deliverables
>
> A very wide range of topics will be addressed by the TC, and it is expected that several sub-committees will be formed. TC deliverables will include:
>
> a. business implementation guideline white papers
> b. technical implementation guideline white papers
> c. best practice and sample implementations
> d. applications white papers forums for networking, information sharing and implementation of PKI-related projects
> e. solutions showcase
>
> However, to date, no authoritative party has described in clear and implementable ways how you could apply PKI to processes outside of e-mail and login.
>
> If this still is a goal, I would like to know how the PKI-TC is supposed to carry out a mission nobody else has managed to do.
>
> Anders Rundgren