Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop

[Arshad Noor <arshad.noor@strongauth.com>]

The contractor's focus is not to develop software, Anders; it is
to research what is available in  browsers today from a technical
perspective, and to determine what needs to be created to meet the
requirements specified (a DRAFT of which I posted on this alias
some months ago).

Once the gap is identified, then comes the real work for the AG
subcommitee - how do we fill that gap?  What kinds of technologies
are needed?  What are browser vendors doing already and what are
they prepared to do to help support such customer requirements?
Is the open-source community working on projects that might address
this?  Are commercial browser vendors addressing this?  Once we've
reached consensus in the AGSC, then we need the TC to vote and
approve our recommendations before anything is promulgated by
OASIS as a standard.

I believe our goals are similar - the ability to sign/encrypt from
browser all the way back to the application.  However, from what I
understood of your solution, it did not meet one of the requirements
we're focused on: that the web-signing solution had to use a private-
key stored in the client application key-store - in this case, the
browser.

If your solution does use the private key of the client certificate
in the browser's key-store for the signing, then it will definitely
be evaluated in detail by the contractor along with other potential
solutions.

I can't speak for the TC's position on this; only as the chair of
the AG subcommitee.

Arshad Noor
StrongAuth, Inc.


Anders Rundgren wrote:
> Dear Arshad,
> 
> I am curious to know how this project is to be managed.  It seems that
> "we" are going to produce "something", but that this will not be following
> common OASIS procedures with issues, votings, deliverables etc.
> 
> I do believe that we should have some kind of embryonic specification
> before somebody is contracted for dev. work.  I have for example
> mentioned the connection between the "view", "data" and the signature
> as an important and actually very difficult area.  If we cannot define
> this, I doubt that we will be able to follow much else of what the
> contractor is doing.  BTW, we are apparently looking for one of the
> top ten browser/PKI/security coder/designers in the world!
> 
> Regarding my participation:
> I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
> test site as a rather tangible input to this project.  Although you (and
> the TC?) do not seem to agree with my clearly stated goals[1] and the
> FAQ,  there must be pretty much the same issues in T-PKI.
> 
> regards
> Anders Rundgren
> 
> 1] Universal, platform- and document-format independent "sign-off" utility
> designed for interactive web applications.  With the hope that it should
> eventually become a "standard" in web browsers.  I.e. the counterpart
> to the S/MIME signature support available in every e-mail client.
> 
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Wednesday, December 14, 2005 21:12
> Subject: Re: [pki-tc] PKI-TC@PKI Workshop
> 
> 
> Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
> is my fault as I have been busy trying to do those mundane things that
> keep body and soul together - earning money from paying customers to
> pay bills :-).
> 
> However, some of it als due to the fact that the PKI Steering Commitee
> needed clarification of the mission of this project, as well as
> affirmations from at least 2 end-user customers on the goals of this
> effort.  Those affirmations were sent to the Steering Commitee this
> morning (customers also have jobs to do besides volunteering for these
> efforts, Anders; I can only express my appreciation for their having
> taken the time to review the requirements and comment on it).
> 
> Hopefully, with the information available to the SC, funding will be
> approved to hire a contractor who will dedicate his/her time towards
> performing the detailed research necessary to move this TPKI project
> forward.
> 
> Anders, perhaps you and I should talk offline about how you might be
> able to help us move this forward faster, if you have additional
> cycles available to you.  Perhaps, some of the work that was charted
> out for this contractor could be absorbed by you to speed it up even
> more?
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Anders Rundgren wrote:
> 
>>It also appears that the "Transaction PKI" project is behind schedule as only very little information has been published in spite
> 
> of
> 
>>being talked about for a year or so.  Don't get me wrong, I just want the charter and reality to match, and I have no problems
> 
> with
> 
>>a charter revision.  That is, PKI surveys and promotion may indeed be this TC's main purpose.
>>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>