Re: [pki-tc] PKI TC - Deliverables

["Anders Rundgren" <anders.rundgren@telia.com>]

I think it would be very valuable and educating if a PKI community like the PKI-TC shed
some light on how *they* believe some of the most common processes you can think of,
like e-procurement, could or should be "cast" in PKI.

Since such processes involve multiple individuals as well as at least two organizations,
you actually run into most issues of interest such as:  authorization, audit, privacy,
identity, encryption, signatures etc etc.

It is important to note that nobody has done this before so such a task is also likely
to face the usual problems pioneers' often do.

The listed stuff below to me rather represent "success stories" rather than guidelines.
The OCSP question we discussed recently is an example of where an in fact extremely
simple question, did not had an obvious answer.  BTW, I still wonder if there was
something missing from my suggestion.

Anders R

----- Original Message ----- 
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Wednesday, November 23, 2005 22:21
Subject: [pki-tc] re:[pki-tc] PKI TC - Deliverables



Personally I think that login and e-mail are actually very awkward
applications of PKI and do not represent best practice.  

There are many many other live applications that do represent best practice: 

- Austria's system for lodging all company registrations online with
digital signatures (2.5M Secure Signature Creation Devices in regular use) 
- USPTO online patent lodgement (a few thousand I think) 
- Pan Asia Alliance cross border trade documentation (200,000 active certs) 
- Australian Tax Office business tax returns (100,000) 
- Australian Health eSignature Authority (soon to expand rapidly into
PKI-enabled smartcards for healthcare professionals) 
- Electronic Conveyancing Victoria (in advanced planning stage)
- Taiwanese Playsafe gaming card (10,000 pilot, planned to expand to 5M) 
- Visa/Mastercard 3D Secure (numbers?) 
- Open Cable embedded certs in set-top boxes (millions?) 
- Electronic Certificate of Origin (ECO) projects in Japan, Korea, Sing 
- US FIPS-201 PIV card (PKI applications yet to be announced as far as I
know BUT NIST has stated that PKI is essential to resist Man In The Middle
attack, so one presumes that a whole raft of applications will soon be
built around the powerful embedded multi-certificate capability of the
smartcard). 


Whether or not these applications have been documented to Anders'
satisfaction is another question.  

A minimalist approach would be to write these up as case studies (and
indeed, the Asia PKI Forum has asked the PKI TC to contribute to its Case
Book, which has been posted to the Members Website already). 

A slightly greater effort could be put into abstracting what it is about
these applications that make them ammenable to PKI, and then we could write
up a guideline or a manual to guide application selection and certificate
implementation. 

Cheers, 

Stephen. 



Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent advice and analysis on cyber
security policy, strategy, risk management, and identity management. 
Lockstep is also developing unique new smartcard solutions to address
privacy and identity theft. 
 


> Dear List,
> 
> Here is an extract from the current charter
> 
> http://www.oasis-open.org/committees/pki/charter.php
> 
> List of Deliverables
> 
> A very wide range of topics will be addressed by the TC, and it is
expected that severalsub-committees will be formed. TC deliverables will
include:
> 
>   a.. business implementation guideline white papers 
>   b.. technical implementation guideline white papers 
>   c.. best practice and sample implementations 
>   d.. applications white papers forums for networking, information
sharing andimplementation of PKI-related projects 
>   e.. solutions showcase
> 
> However, to date, no authoritative party have described in clear and
implementable wayshow you could apply PKI to processes outside of e-mail
and login.
> 
> If this still is a goal, I would like to know how the PKI-TC is supposed
to carry out amission, nobody else have managed to do.
> 
> 
> Anders Rundgren

--
<Put email footer here>

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php