[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [pki-tc] Why did secure e-mail fail? [was: [pki-tc] Re: Transaction PKI ...
Yes indeed, e-mails can be legally binding. As you said John, they don't even need to be digitally signed for a case to be made (often with elaborate foresnic assistance) as to their legitimacy. I didn't mean to imply they were not legally binding. So perhaps the formal/informal distinction is not defining. The point I was trying to make is that when we want a tool to effect formal e-business, we usually don't use e-mail. Rather, we tend to use more specialised transaction systems. In the near future I expect we will see more web forms built using authentication via XML signatures. One of the things about forms and e-commerce websites and transactions systems that e-mail usually does not have, is context. So, pragmatist that I am, I advocate not spending a lot of time trying to "fix" PKI-secured e-mail. And I think we should not generalise too negatively about PKI in general from the poor e-mail experience. Cheers, Stephen Wilson. > I am sorry but I just don't think the formal/informal distinction works. > In the United States, exchanges of email can and do establish binding > contracts. In one court case, a defendant was convicted of a serious > federal felony on the basis of plaintext, non-digitally signed emails > and some corroborating testimony of a few witnesses. The emails were > the centerpiece of the prosecution. > > John Messing > American Bar Association > Science and Technology Law Division OASIS representative > > > > -------- Original Message -------- > > Subject: [pki-tc] Why did secure e-mail fail? [was: [pki-tc] Re: > > Transaction PKI ... ] > > From: Stephen Wilson <swilson@lockstep.com.au> > > Date: Thu, December 15, 2005 7:05 pm > > To: pki-tc@lists.oasis-open.org > > > > Anders wrote: > > > > [snip] > > > > > Regarding the ill fate of secure e-mail, I agree, but do not believe that > > > this has much to do with limitations in the S/MIME format vs. XML. > > > > The failure of PKI in e-mail is an important case study, and worthy of > > attention in its own right. > > > > I feel strongly that PKI-secured e-mail failed and is likely to continue to > > fail because fundamentally e-mail doesn't need individualised encryption > > nor signatures. It is not a 'serious' e-business tool. Digitally signing > > an e-mail is about as important as signing a fax on plain paper. There is > > no structure, very little context, very little 'power' in either a plain > > paper fax or an e-mail. I don't think anybody ever needs to validate the > > signature on a plain fax, and the same goes for e-mails. > > > > In contrast, PKI really sings in formalised, structured, contextually rich > > (not "plain paper") applications, especially where special purpose software > > is in place, in which business rules and certificate-based authorisation > > can be coded or configured. > > > > It's also important to note I think that e-mail is read by humans, whereas > > certificates are read by machines. The hoary old worked example of > > strangers Alice and Bob sending each other e-mails, and taking the time to > > read the certificate, locate the CP, and read the CP, in order to decide > > whether or not to "trust", is just not good use of PKI. > > > > Cheers, > > > > > > Stephen Wilson > > Lockstep Consulting Pty Ltd > > www.lockstep.com.au > > ABN 59 593 754 482 > > > > 11 Minnesota Ave > > Five Dock NSW 2046 > > Australia > > > > P +61 (0)414 488 851 > > > > -------------------- > > > > About Lockstep > > Lockstep was established in early 2004 by noted authentication expert > > Stephen Wilson, to provide independent advice and analysis on cyber > > security policy, strategy, risk management, and identity management. > > Lockstep is also developing unique new smartcard solutions to address > > privacy and identity theft. > > > > > > > > > > > ----- Original Message ----- > > > From: "Arshad Noor" <arshad.noor@strongauth.com> > > > To: "PKI TC" <pki-tc@lists.oasis-open.org> > > > Sent: Thursday, December 15, 2005 20:07 > > > Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop > > > > > > > > > I will review the FAQ; thank you. > > > > > > While I would like to say that we're nowhere near making a decision > > > about S/MIME vs. XML, I think the market has already made its position > > > patently clear: S/MIME definitely works, but has had limited success > > > in moving beyond e-mail. Even when deployed in the two most popular > > > MUA's (Outlook & Thunderbird), it is hardly used by many corporations > > > even in e-mail (I can only speak of my own experiences in the US and > > > in one fairly large telecom company in a neighboring country of yours). > > > > > > On the other hand, XML is a runaway success by any measure. Given > > > the level of investment and interest in technologies built on top of > > > XML, and given the W3C and OASIS' own predilection towards XML in its > > > standards, it forces us to acknowledge that whatever we (AGSC/PKI-TC) > > > come up with, it has to meet the needs of the XML-based community - > > > or face the same fate as S/MIME. > > > > > > Personally speaking, I believe XML Signature and XML Encryption are > > > taking root - slowly, but surely. It has been fully implemented in > > > OpenOffice 2.0 (I can personally vouch that it works) and is the > > > basis for Web Services Security (WSS), an OASIS initiative, which in > > > turn will be embedded in many products, from what I understand. So, > > > we in the PKI-TC cannot afford to ignore these 2 standards. > > > > > > Arshad Noor > > > StrongAuth, Inc. > > > > > > Anders Rundgren wrote: > > > > I understand. > > > > > > > > Regarding WASP and private keys, see attached FAQ, third question. > > > > > > > > The main difference between WASP and the DRAFT (+ other communication) > > > > seems to be that the AGSC essentially have decided to do a remake of > > secure e-mail > > > > (but upgrading the crypto stuff by using XML security rather than S/MIME), > > > > while WASP is an effort to support interactive transactions on the web. > > > > The latter effectively disables the use of message encryption. > > > > > > > > regards > > > > Anders Rundgren > > > > RSA Security > > > > > > > > ----- Original Message ----- > > > > From: "Arshad Noor" <arshad.noor@strongauth.com> > > > > To: "PKI TC" <pki-tc@lists.oasis-open.org> > > > > Sent: Thursday, December 15, 2005 00:01 > > > > Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop > > > > > > > > > > > > The contractor's focus is not to develop software, Anders; it is > > > > to research what is available in browsers today from a technical > > > > perspective, and to determine what needs to be created to meet the > > > > requirements specified (a DRAFT of which I posted on this alias > > > > some months ago). > > > > > > > > Once the gap is identified, then comes the real work for the AG > > > > subcommitee - how do we fill that gap? What kinds of technologies > > > > are needed? What are browser vendors doing already and what are > > > > they prepared to do to help support such customer requirements? > > > > Is the open-source community working on projects that might address > > > > this? Are commercial browser vendors addressing this? Once we've > > > > reached consensus in the AGSC, then we need the TC to vote and > > > > approve our recommendations before anything is promulgated by > > > > OASIS as a standard. > > > > > > > > I believe our goals are similar - the ability to sign/encrypt from > > > > browser all the way back to the application. However, from what I > > > > understood of your solution, it did not meet one of the requirements > > > > we're focused on: that the web-signing solution had to use a private- > > > > key stored in the client application key-store - in this case, the > > > > browser. > > > > > > > > If your solution does use the private key of the client certificate > > > > in the browser's key-store for the signing, then it will definitely > > > > be evaluated in detail by the contractor along with other potential > > > > solutions. > > > > > > > > I can't speak for the TC's position on this; only as the chair of > > > > the AG subcommitee. > > > > > > > > Arshad Noor > > > > StrongAuth, Inc. > > > > > > > > > > > > Anders Rundgren wrote: > > > > > > > >>Dear Arshad, > > > >> > > > >>I am curious to know how this project is to be managed. It seems that > > > >>"we" are going to produce "something", but that this will not be following > > > >>common OASIS procedures with issues, votings, deliverables etc. > > > >> > > > >>I do believe that we should have some kind of embryonic specification > > > >>before somebody is contracted for dev. work. I have for example > > > >>mentioned the connection between the "view", "data" and the signature > > > >>as an important and actually very difficult area. If we cannot define > > > >>this, I doubt that we will be able to follow much else of what the > > > >>contractor is doing. BTW, we are apparently looking for one of the > > > >>top ten browser/PKI/security coder/designers in the world! > > > >> > > > >>Regarding my participation: > > > >>I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable > > > >>test site as a rather tangible input to this project. Although you (and > > > >>the TC?) do not seem to agree with my clearly stated goals[1] and the > > > >>FAQ, there must be pretty much the same issues in T-PKI. > > > >> > > > >>regards > > > >>Anders Rundgren > > > >> > > > >>1] Universal, platform- and document-format independent "sign-off" utility > > > >>designed for interactive web applications. With the hope that it should > > > >>eventually become a "standard" in web browsers. I.e. the counterpart > > > >>to the S/MIME signature support available in every e-mail client. > > > >> > > > >>----- Original Message ----- > > > >>From: "Arshad Noor" <arshad.noor@strongauth.com> > > > >>To: "PKI TC" <pki-tc@lists.oasis-open.org> > > > >>Sent: Wednesday, December 14, 2005 21:12 > > > >>Subject: Re: [pki-tc] PKI-TC@PKI Workshop > > > >> > > > >> > > > >>Indeed, the "Transaction-PKI" project is behind schedule. Some of it > > > >>is my fault as I have been busy trying to do those mundane things that > > > >>keep body and soul together - earning money from paying customers to > > > >>pay bills :-). > > > >> > > > >>However, some of it als due to the fact that the PKI Steering Commitee > > > >>needed clarification of the mission of this project, as well as > > > >>affirmations from at least 2 end-user customers on the goals of this > > > >>effort. Those affirmations were sent to the Steering Commitee this > > > >>morning (customers also have jobs to do besides volunteering for these > > > >>efforts, Anders; I can only express my appreciation for their having > > > >>taken the time to review the requirements and comment on it). > > > >> > > > >>Hopefully, with the information available to the SC, funding will be > > > >>approved to hire a contractor who will dedicate his/her time towards > > > >>performing the detailed research necessary to move this TPKI project > > > >>forward. > > > >> > > > >>Anders, perhaps you and I should talk offline about how you might be > > > >>able to help us move this forward faster, if you have additional > > > >>cycles available to you. Perhaps, some of the work that was charted > > > >>out for this contractor could be absorbed by you to speed it up even > > > >>more? > > > >> > > > >>Arshad Noor > > > >>StrongAuth, Inc. > > > >> > > > >>Anders Rundgren wrote: > > > >> > > > >> > > > >>>It also appears that the "Transaction PKI" project is behind schedule > > as only verylittle information has been published in spite > > > >> > > > >>of > > > >> > > > >> > > > >>>being talked about for a year or so. Don't get me wrong, I just want > > the charter andreality to match, and I have no problems > > > >> > > > >>with > > > >> > > > >> > > > >>>a charter revision. That is, PKI surveys and promotion may indeed be > > this TC's mainpurpose. > > > >>> > > > >> > > > >> > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe from this mail list, you must leave the OASIS TC that > > > generates this mail. You may a link to this group and all your TCs in OASIS > > > at: > > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe from this mail list, you must leave the OASIS TC that > > > generates this mail. You may a link to this group and all your TCs in OASIS > > > at: > > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > > > > > -- > > <Put email footer here> > > > > --------------------------------------------------------------------- > > To unsubscribe from this mail list, you must leave the OASIS TC that > > generates this mail. You may a link to this group and all your TCs in OASIS > > at: > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > -- <Put email footer here>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]