Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop

[Arshad Noor <arshad.noor@strongauth.com>]

I will review the FAQ; thank you.

While I would like to say that we're nowhere near making a decision
about S/MIME vs. XML, I think the market has already made its position
patently clear: S/MIME definitely works, but has had limited success
in moving beyond e-mail.  Even when deployed in  the two most popular
MUA's (Outlook & Thunderbird), it is hardly used by many corporations
even in e-mail (I can only speak of my own experiences in the US and
in one fairly large telecom company in a neighboring country of yours).

On the other hand, XML is a runaway success by any measure.  Given
the level of investment and interest in technologies built on top of
XML, and given the W3C and OASIS' own predilection towards XML in its
standards, it forces us to acknowledge that whatever we (AGSC/PKI-TC)
come up with, it has to meet the needs of the XML-based community -
or face the same fate as S/MIME.

Personally speaking, I believe XML Signature and XML Encryption are
taking root - slowly, but surely.  It has been fully implemented in
OpenOffice 2.0 (I can personally vouch that it works) and is the
basis for Web Services Security (WSS), an OASIS initiative, which in
turn will be embedded in many products, from what I understand. So,
we in the PKI-TC cannot afford to ignore these 2 standards.

Arshad Noor
StrongAuth, Inc.

Anders Rundgren wrote:
> I understand.
> 
> Regarding WASP and private keys, see attached FAQ, third question.
> 
> The main difference between WASP and the DRAFT (+ other communication)
> seems to be that the AGSC essentially have decided to do a remake of secure e-mail
> (but upgrading the crypto stuff by using XML security rather than S/MIME),
> while WASP is an effort to support interactive transactions on the web.
> The latter effectively disables the use of message encryption.
> 
> regards
> Anders Rundgren
> RSA Security
> 
> ----- Original Message ----- 
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Thursday, December 15, 2005 00:01
> Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> 
> 
> The contractor's focus is not to develop software, Anders; it is
> to research what is available in  browsers today from a technical
> perspective, and to determine what needs to be created to meet the
> requirements specified (a DRAFT of which I posted on this alias
> some months ago).
> 
> Once the gap is identified, then comes the real work for the AG
> subcommitee - how do we fill that gap?  What kinds of technologies
> are needed?  What are browser vendors doing already and what are
> they prepared to do to help support such customer requirements?
> Is the open-source community working on projects that might address
> this?  Are commercial browser vendors addressing this?  Once we've
> reached consensus in the AGSC, then we need the TC to vote and
> approve our recommendations before anything is promulgated by
> OASIS as a standard.
> 
> I believe our goals are similar - the ability to sign/encrypt from
> browser all the way back to the application.  However, from what I
> understood of your solution, it did not meet one of the requirements
> we're focused on: that the web-signing solution had to use a private-
> key stored in the client application key-store - in this case, the
> browser.
> 
> If your solution does use the private key of the client certificate
> in the browser's key-store for the signing, then it will definitely
> be evaluated in detail by the contractor along with other potential
> solutions.
> 
> I can't speak for the TC's position on this; only as the chair of
> the AG subcommitee.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> 
> Anders Rundgren wrote:
> 
>>Dear Arshad,
>>
>>I am curious to know how this project is to be managed.  It seems that
>>"we" are going to produce "something", but that this will not be following
>>common OASIS procedures with issues, votings, deliverables etc.
>>
>>I do believe that we should have some kind of embryonic specification
>>before somebody is contracted for dev. work.  I have for example
>>mentioned the connection between the "view", "data" and the signature
>>as an important and actually very difficult area.  If we cannot define
>>this, I doubt that we will be able to follow much else of what the
>>contractor is doing.  BTW, we are apparently looking for one of the
>>top ten browser/PKI/security coder/designers in the world!
>>
>>Regarding my participation:
>>I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
>>test site as a rather tangible input to this project.  Although you (and
>>the TC?) do not seem to agree with my clearly stated goals[1] and the
>>FAQ,  there must be pretty much the same issues in T-PKI.
>>
>>regards
>>Anders Rundgren
>>
>>1] Universal, platform- and document-format independent "sign-off" utility
>>designed for interactive web applications.  With the hope that it should
>>eventually become a "standard" in web browsers.  I.e. the counterpart
>>to the S/MIME signature support available in every e-mail client.
>>
>>----- Original Message -----
>>From: "Arshad Noor" <arshad.noor@strongauth.com>
>>To: "PKI TC" <pki-tc@lists.oasis-open.org>
>>Sent: Wednesday, December 14, 2005 21:12
>>Subject: Re: [pki-tc] PKI-TC@PKI Workshop
>>
>>
>>Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
>>is my fault as I have been busy trying to do those mundane things that
>>keep body and soul together - earning money from paying customers to
>>pay bills :-).
>>
>>However, some of it als due to the fact that the PKI Steering Commitee
>>needed clarification of the mission of this project, as well as
>>affirmations from at least 2 end-user customers on the goals of this
>>effort.  Those affirmations were sent to the Steering Commitee this
>>morning (customers also have jobs to do besides volunteering for these
>>efforts, Anders; I can only express my appreciation for their having
>>taken the time to review the requirements and comment on it).
>>
>>Hopefully, with the information available to the SC, funding will be
>>approved to hire a contractor who will dedicate his/her time towards
>>performing the detailed research necessary to move this TPKI project
>>forward.
>>
>>Anders, perhaps you and I should talk offline about how you might be
>>able to help us move this forward faster, if you have additional
>>cycles available to you.  Perhaps, some of the work that was charted
>>out for this contractor could be absorbed by you to speed it up even
>>more?
>>
>>Arshad Noor
>>StrongAuth, Inc.
>>
>>Anders Rundgren wrote:
>>
>>
>>>It also appears that the "Transaction PKI" project is behind schedule as only very little information has been published in spite
>>
>>of
>>
>>
>>>being talked about for a year or so.  Don't get me wrong, I just want the charter and reality to match, and I have no problems
>>
>>with
>>
>>
>>>a charter revision.  That is, PKI surveys and promotion may indeed be this TC's main purpose.
>>>
>>
>>
>