OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [pki-tc] Why did secure e-mail fail? [was: [pki-tc] Re: Transaction PKI ...


Yes indeed, e-mails can be legally binding.  As you said John, they don't
even need to be digitally signed for a case to be made (often with
elaborate foresnic assistance) as to their legitimacy.  I didn't mean to
imply they were not legally binding.  So perhaps the formal/informal
distinction is not defining.  

The point I was trying to make is that when we want a tool to effect formal
e-business, we usually don't use e-mail.  Rather, we tend to use more
specialised transaction systems.  In the near future I expect we will see
more web forms built using authentication via XML signatures.  One of the
things about forms and e-commerce websites and transactions systems that
e-mail usually does not have, is context. 

So, pragmatist that I am, I advocate not spending a lot of time trying to
"fix" PKI-secured e-mail.  And I think we should not generalise too
negatively about PKI in general from the poor e-mail experience. 

Cheers, 

Stephen Wilson.



> I am sorry but I just don't think the formal/informal distinction works.
> In the United States, exchanges of email can and do establish binding
> contracts. In one court case, a defendant was convicted of a serious
> federal felony on the basis of plaintext, non-digitally signed emails
> and some corroborating testimony of a few witnesses. The emails were
> the centerpiece of the prosecution.
> 
> John Messing
> American Bar Association 
> Science and Technology Law Division OASIS representative
> 
> 
> > -------- Original Message --------
> > Subject: [pki-tc] Why did secure e-mail fail? [was: [pki-tc] Re:
> > Transaction PKI ... ]
> > From: Stephen Wilson <swilson@lockstep.com.au>
> > Date: Thu, December 15, 2005 7:05 pm
> > To: pki-tc@lists.oasis-open.org
> > 
> > Anders wrote:
> > 
> > [snip]
> > 
> > > Regarding the ill fate of secure e-mail, I agree, but do not believe that
> > > this has much to do with limitations in the S/MIME format vs. XML.
> > 
> > The failure of PKI in e-mail is an important case study, and worthy of
> > attention in its own right.  
> > 
> > I feel strongly that PKI-secured e-mail failed and is likely to continue to
> > fail because fundamentally e-mail doesn't need individualised encryption
> > nor signatures.  It is not a 'serious' e-business tool.  Digitally signing
> > an e-mail is about as important as signing a fax on plain paper.  There is
> > no structure, very little context, very little 'power' in either a plain
> > paper fax or an e-mail.  I don't think anybody ever needs to validate the
> > signature on a plain fax, and the same goes for e-mails. 
> > 
> > In contrast, PKI really sings in formalised, structured, contextually rich
> > (not "plain paper") applications, especially where special purpose software
> > is in place, in which business rules and certificate-based authorisation
> > can be coded or configured.  
> > 
> > It's also important to note I think that e-mail is read by humans, whereas
> > certificates are read by machines.  The hoary old worked example of
> > strangers Alice and Bob sending each other e-mails, and taking the time to
> > read the certificate, locate the CP, and read the CP, in order to decide
> > whether or not to "trust", is just not good use of PKI. 
> > 
> > Cheers, 
> > 
> > 
> > Stephen Wilson
> > Lockstep Consulting Pty Ltd
> > www.lockstep.com.au
> > ABN 59 593 754 482
> > 
> > 11 Minnesota Ave
> > Five Dock NSW 2046
> > Australia
> > 
> > P +61 (0)414 488 851
> > 
> > --------------------
> > 
> > About Lockstep 
> > Lockstep was established in early 2004 by noted authentication expert
> > Stephen Wilson, to provide independent advice and analysis on cyber
> > security policy, strategy, risk management, and identity management. 
> > Lockstep is also developing unique new smartcard solutions to address
> > privacy and identity theft. 
> >  
> > 
> >  
> > 
> > > ----- Original Message -----
> > > From: "Arshad Noor" <arshad.noor@strongauth.com>
> > > To: "PKI TC" <pki-tc@lists.oasis-open.org>
> > > Sent: Thursday, December 15, 2005 20:07
> > > Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> > > 
> > > 
> > > I will review the FAQ; thank you.
> > > 
> > > While I would like to say that we're nowhere near making a decision
> > > about S/MIME vs. XML, I think the market has already made its position
> > > patently clear: S/MIME definitely works, but has had limited success
> > > in moving beyond e-mail.  Even when deployed in  the two most popular
> > > MUA's (Outlook & Thunderbird), it is hardly used by many corporations
> > > even in e-mail (I can only speak of my own experiences in the US and
> > > in one fairly large telecom company in a neighboring country of yours).
> > > 
> > > On the other hand, XML is a runaway success by any measure.  Given
> > > the level of investment and interest in technologies built on top of
> > > XML, and given the W3C and OASIS' own predilection towards XML in its
> > > standards, it forces us to acknowledge that whatever we (AGSC/PKI-TC)
> > > come up with, it has to meet the needs of the XML-based community -
> > > or face the same fate as S/MIME.
> > > 
> > > Personally speaking, I believe XML Signature and XML Encryption are
> > > taking root - slowly, but surely.  It has been fully implemented in
> > > OpenOffice 2.0 (I can personally vouch that it works) and is the
> > > basis for Web Services Security (WSS), an OASIS initiative, which in
> > > turn will be embedded in many products, from what I understand. So,
> > > we in the PKI-TC cannot afford to ignore these 2 standards.
> > > 
> > > Arshad Noor
> > > StrongAuth, Inc.
> > > 
> > > Anders Rundgren wrote:
> > > > I understand.
> > > >
> > > > Regarding WASP and private keys, see attached FAQ, third question.
> > > >
> > > > The main difference between WASP and the DRAFT (+ other communication)
> > > > seems to be that the AGSC essentially have decided to do a remake of
> > secure e-mail
> > > > (but upgrading the crypto stuff by using XML security rather than
S/MIME),
> > > > while WASP is an effort to support interactive transactions on the web.
> > > > The latter effectively disables the use of message encryption.
> > > >
> > > > regards
> > > > Anders Rundgren
> > > > RSA Security
> > > >
> > > > ----- Original Message -----
> > > > From: "Arshad Noor" <arshad.noor@strongauth.com>
> > > > To: "PKI TC" <pki-tc@lists.oasis-open.org>
> > > > Sent: Thursday, December 15, 2005 00:01
> > > > Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> > > >
> > > >
> > > > The contractor's focus is not to develop software, Anders; it is
> > > > to research what is available in  browsers today from a technical
> > > > perspective, and to determine what needs to be created to meet the
> > > > requirements specified (a DRAFT of which I posted on this alias
> > > > some months ago).
> > > >
> > > > Once the gap is identified, then comes the real work for the AG
> > > > subcommitee - how do we fill that gap?  What kinds of technologies
> > > > are needed?  What are browser vendors doing already and what are
> > > > they prepared to do to help support such customer requirements?
> > > > Is the open-source community working on projects that might address
> > > > this?  Are commercial browser vendors addressing this?  Once we've
> > > > reached consensus in the AGSC, then we need the TC to vote and
> > > > approve our recommendations before anything is promulgated by
> > > > OASIS as a standard.
> > > >
> > > > I believe our goals are similar - the ability to sign/encrypt from
> > > > browser all the way back to the application.  However, from what I
> > > > understood of your solution, it did not meet one of the requirements
> > > > we're focused on: that the web-signing solution had to use a private-
> > > > key stored in the client application key-store - in this case, the
> > > > browser.
> > > >
> > > > If your solution does use the private key of the client certificate
> > > > in the browser's key-store for the signing, then it will definitely
> > > > be evaluated in detail by the contractor along with other potential
> > > > solutions.
> > > >
> > > > I can't speak for the TC's position on this; only as the chair of
> > > > the AG subcommitee.
> > > >
> > > > Arshad Noor
> > > > StrongAuth, Inc.
> > > >
> > > >
> > > > Anders Rundgren wrote:
> > > >
> > > >>Dear Arshad,
> > > >>
> > > >>I am curious to know how this project is to be managed.  It seems that
> > > >>"we" are going to produce "something", but that this will not be
following
> > > >>common OASIS procedures with issues, votings, deliverables etc.
> > > >>
> > > >>I do believe that we should have some kind of embryonic specification
> > > >>before somebody is contracted for dev. work.  I have for example
> > > >>mentioned the connection between the "view", "data" and the signature
> > > >>as an important and actually very difficult area.  If we cannot define
> > > >>this, I doubt that we will be able to follow much else of what the
> > > >>contractor is doing.  BTW, we are apparently looking for one of the
> > > >>top ten browser/PKI/security coder/designers in the world!
> > > >>
> > > >>Regarding my participation:
> > > >>I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
> > > >>test site as a rather tangible input to this project.  Although you
(and
> > > >>the TC?) do not seem to agree with my clearly stated goals[1] and the
> > > >>FAQ,  there must be pretty much the same issues in T-PKI.
> > > >>
> > > >>regards
> > > >>Anders Rundgren
> > > >>
> > > >>1] Universal, platform- and document-format independent "sign-off"
utility
> > > >>designed for interactive web applications.  With the hope that it
should
> > > >>eventually become a "standard" in web browsers.  I.e. the counterpart
> > > >>to the S/MIME signature support available in every e-mail client.
> > > >>
> > > >>----- Original Message -----
> > > >>From: "Arshad Noor" <arshad.noor@strongauth.com>
> > > >>To: "PKI TC" <pki-tc@lists.oasis-open.org>
> > > >>Sent: Wednesday, December 14, 2005 21:12
> > > >>Subject: Re: [pki-tc] PKI-TC@PKI Workshop
> > > >>
> > > >>
> > > >>Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
> > > >>is my fault as I have been busy trying to do those mundane things that
> > > >>keep body and soul together - earning money from paying customers to
> > > >>pay bills :-).
> > > >>
> > > >>However, some of it als due to the fact that the PKI Steering Commitee
> > > >>needed clarification of the mission of this project, as well as
> > > >>affirmations from at least 2 end-user customers on the goals of this
> > > >>effort.  Those affirmations were sent to the Steering Commitee this
> > > >>morning (customers also have jobs to do besides volunteering for these
> > > >>efforts, Anders; I can only express my appreciation for their having
> > > >>taken the time to review the requirements and comment on it).
> > > >>
> > > >>Hopefully, with the information available to the SC, funding will be
> > > >>approved to hire a contractor who will dedicate his/her time towards
> > > >>performing the detailed research necessary to move this TPKI project
> > > >>forward.
> > > >>
> > > >>Anders, perhaps you and I should talk offline about how you might be
> > > >>able to help us move this forward faster, if you have additional
> > > >>cycles available to you.  Perhaps, some of the work that was charted
> > > >>out for this contractor could be absorbed by you to speed it up even
> > > >>more?
> > > >>
> > > >>Arshad Noor
> > > >>StrongAuth, Inc.
> > > >>
> > > >>Anders Rundgren wrote:
> > > >>
> > > >>
> > > >>>It also appears that the "Transaction PKI" project is behind schedule
> > as only verylittle information has been published in spite
> > > >>
> > > >>of
> > > >>
> > > >>
> > > >>>being talked about for a year or so.  Don't get me wrong, I just want
> > the charter andreality to match, and I have no problems
> > > >>
> > > >>with
> > > >>
> > > >>
> > > >>>a charter revision.  That is, PKI surveys and promotion may indeed be
> > this TC's mainpurpose.
> > > >>>
> > > >>
> > > >>
> > > >
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe from this mail list, you must leave the OASIS TC that
> > > generates this mail.  You may a link to this group and all your TCs
in OASIS
> > > at:
> > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> > > 
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe from this mail list, you must leave the OASIS TC that
> > > generates this mail.  You may a link to this group and all your TCs
in OASIS
> > > at:
> > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> > > 
> > 
> > --
> > <Put email footer here>
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  You may a link to this group and all your TCs in
OASIS
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 

--
<Put email footer here>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]