Why did secure e-mail fail? [was: [pki-tc] Re: Transaction PKI ... ]

[Stephen Wilson <swilson@lockstep.com.au>]

Anders wrote:

[snip]

> Regarding the ill fate of secure e-mail, I agree, but do not believe that
> this has much to do with limitations in the S/MIME format vs. XML.

The failure of PKI in e-mail is an important case study, and worthy of
attention in its own right.  

I feel strongly that PKI-secured e-mail failed and is likely to continue to
fail because fundamentally e-mail doesn't need individualised encryption
nor signatures.  It is not a 'serious' e-business tool.  Digitally signing
an e-mail is about as important as signing a fax on plain paper.  There is
no structure, very little context, very little 'power' in either a plain
paper fax or an e-mail.  I don't think anybody ever needs to validate the
signature on a plain fax, and the same goes for e-mails. 

In contrast, PKI really sings in formalised, structured, contextually rich
(not "plain paper") applications, especially where special purpose software
is in place, in which business rules and certificate-based authorisation
can be coded or configured.  

It's also important to note I think that e-mail is read by humans, whereas
certificates are read by machines.  The hoary old worked example of
strangers Alice and Bob sending each other e-mails, and taking the time to
read the certificate, locate the CP, and read the CP, in order to decide
whether or not to "trust", is just not good use of PKI. 

Cheers, 


Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent advice and analysis on cyber
security policy, strategy, risk management, and identity management. 
Lockstep is also developing unique new smartcard solutions to address
privacy and identity theft. 
 

 

> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Thursday, December 15, 2005 20:07
> Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> 
> 
> I will review the FAQ; thank you.
> 
> While I would like to say that we're nowhere near making a decision
> about S/MIME vs. XML, I think the market has already made its position
> patently clear: S/MIME definitely works, but has had limited success
> in moving beyond e-mail.  Even when deployed in  the two most popular
> MUA's (Outlook & Thunderbird), it is hardly used by many corporations
> even in e-mail (I can only speak of my own experiences in the US and
> in one fairly large telecom company in a neighboring country of yours).
> 
> On the other hand, XML is a runaway success by any measure.  Given
> the level of investment and interest in technologies built on top of
> XML, and given the W3C and OASIS' own predilection towards XML in its
> standards, it forces us to acknowledge that whatever we (AGSC/PKI-TC)
> come up with, it has to meet the needs of the XML-based community -
> or face the same fate as S/MIME.
> 
> Personally speaking, I believe XML Signature and XML Encryption are
> taking root - slowly, but surely.  It has been fully implemented in
> OpenOffice 2.0 (I can personally vouch that it works) and is the
> basis for Web Services Security (WSS), an OASIS initiative, which in
> turn will be embedded in many products, from what I understand. So,
> we in the PKI-TC cannot afford to ignore these 2 standards.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Anders Rundgren wrote:
> > I understand.
> >
> > Regarding WASP and private keys, see attached FAQ, third question.
> >
> > The main difference between WASP and the DRAFT (+ other communication)
> > seems to be that the AGSC essentially have decided to do a remake of
secure e-mail
> > (but upgrading the crypto stuff by using XML security rather than S/MIME),
> > while WASP is an effort to support interactive transactions on the web.
> > The latter effectively disables the use of message encryption.
> >
> > regards
> > Anders Rundgren
> > RSA Security
> >
> > ----- Original Message -----
> > From: "Arshad Noor" <arshad.noor@strongauth.com>
> > To: "PKI TC" <pki-tc@lists.oasis-open.org>
> > Sent: Thursday, December 15, 2005 00:01
> > Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> >
> >
> > The contractor's focus is not to develop software, Anders; it is
> > to research what is available in  browsers today from a technical
> > perspective, and to determine what needs to be created to meet the
> > requirements specified (a DRAFT of which I posted on this alias
> > some months ago).
> >
> > Once the gap is identified, then comes the real work for the AG
> > subcommitee - how do we fill that gap?  What kinds of technologies
> > are needed?  What are browser vendors doing already and what are
> > they prepared to do to help support such customer requirements?
> > Is the open-source community working on projects that might address
> > this?  Are commercial browser vendors addressing this?  Once we've
> > reached consensus in the AGSC, then we need the TC to vote and
> > approve our recommendations before anything is promulgated by
> > OASIS as a standard.
> >
> > I believe our goals are similar - the ability to sign/encrypt from
> > browser all the way back to the application.  However, from what I
> > understood of your solution, it did not meet one of the requirements
> > we're focused on: that the web-signing solution had to use a private-
> > key stored in the client application key-store - in this case, the
> > browser.
> >
> > If your solution does use the private key of the client certificate
> > in the browser's key-store for the signing, then it will definitely
> > be evaluated in detail by the contractor along with other potential
> > solutions.
> >
> > I can't speak for the TC's position on this; only as the chair of
> > the AG subcommitee.
> >
> > Arshad Noor
> > StrongAuth, Inc.
> >
> >
> > Anders Rundgren wrote:
> >
> >>Dear Arshad,
> >>
> >>I am curious to know how this project is to be managed.  It seems that
> >>"we" are going to produce "something", but that this will not be following
> >>common OASIS procedures with issues, votings, deliverables etc.
> >>
> >>I do believe that we should have some kind of embryonic specification
> >>before somebody is contracted for dev. work.  I have for example
> >>mentioned the connection between the "view", "data" and the signature
> >>as an important and actually very difficult area.  If we cannot define
> >>this, I doubt that we will be able to follow much else of what the
> >>contractor is doing.  BTW, we are apparently looking for one of the
> >>top ten browser/PKI/security coder/designers in the world!
> >>
> >>Regarding my participation:
> >>I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
> >>test site as a rather tangible input to this project.  Although you (and
> >>the TC?) do not seem to agree with my clearly stated goals[1] and the
> >>FAQ,  there must be pretty much the same issues in T-PKI.
> >>
> >>regards
> >>Anders Rundgren
> >>
> >>1] Universal, platform- and document-format independent "sign-off" utility
> >>designed for interactive web applications.  With the hope that it should
> >>eventually become a "standard" in web browsers.  I.e. the counterpart
> >>to the S/MIME signature support available in every e-mail client.
> >>
> >>----- Original Message -----
> >>From: "Arshad Noor" <arshad.noor@strongauth.com>
> >>To: "PKI TC" <pki-tc@lists.oasis-open.org>
> >>Sent: Wednesday, December 14, 2005 21:12
> >>Subject: Re: [pki-tc] PKI-TC@PKI Workshop
> >>
> >>
> >>Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
> >>is my fault as I have been busy trying to do those mundane things that
> >>keep body and soul together - earning money from paying customers to
> >>pay bills :-).
> >>
> >>However, some of it als due to the fact that the PKI Steering Commitee
> >>needed clarification of the mission of this project, as well as
> >>affirmations from at least 2 end-user customers on the goals of this
> >>effort.  Those affirmations were sent to the Steering Commitee this
> >>morning (customers also have jobs to do besides volunteering for these
> >>efforts, Anders; I can only express my appreciation for their having
> >>taken the time to review the requirements and comment on it).
> >>
> >>Hopefully, with the information available to the SC, funding will be
> >>approved to hire a contractor who will dedicate his/her time towards
> >>performing the detailed research necessary to move this TPKI project
> >>forward.
> >>
> >>Anders, perhaps you and I should talk offline about how you might be
> >>able to help us move this forward faster, if you have additional
> >>cycles available to you.  Perhaps, some of the work that was charted
> >>out for this contractor could be absorbed by you to speed it up even
> >>more?
> >>
> >>Arshad Noor
> >>StrongAuth, Inc.
> >>
> >>Anders Rundgren wrote:
> >>
> >>
> >>>It also appears that the "Transaction PKI" project is behind schedule
as only verylittle information has been published in spite
> >>
> >>of
> >>
> >>
> >>>being talked about for a year or so.  Don't get me wrong, I just want
the charter andreality to match, and I have no problems
> >>
> >>with
> >>
> >>
> >>>a charter revision.  That is, PKI surveys and promotion may indeed be
this TC's mainpurpose.
> >>>
> >>
> >>
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> 

--
<Put email footer here>