Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop

[Arshad Noor <arshad.noor@strongauth.com>]

No, not an e-mail system, but an end-to-end encryption system, along
with a signing system.

There is a business requirement in some industries - financial & health
care - to encrypt data from the moment it is captured in a form.  While
today's specific requirements can be met with back-end encryption, I
anticipate that those requirements will encompass end-to-end encryption.

If we are going to attempt an effort to define something for the web
browser for signing, then why not address encryption too at the same
time.  The effort is identical for the browser vendor (in terms of
exposing an API that allows web applications to access the key-store)
regardless of whether its signing or encryption.

The capability in the browser is intended to be interactive.

I don't believe we need to address B2B, since that is acheivable today
either through XML Signature & XML Encryption directly (reference
implementation available from Apache at http://xml.apache.org/security/)
or indirectly through OASIS-WSS - which uses XML Signature and XML
Encryption.  A reference implementation of XWSS is also available from
Sun at http://java.sun.com/webservices/downloads/webservicespack.html.
Businesses just need to start using these API's now to secure their
applications.

Arshad Noor
StrongAuth, Inc.


Anders Rundgren wrote:
> You seem to actually acknowledge that you are trying to create an
> e-mail-like system instead of an interactive signature scheme for web?
> 
> As interactive services made Google the biggest star in the IT-world in
> a decade, I think skipping interactivity is a considerably bigger issue
> than skipping XML encryption.
> 
> I think it would be wise to list the applications the AG SC are targeting
> to shed some more light on these issues.  I also think that a B2B use-case
> needs a description, or is B2B out of scope?
> 
> Regarding the ill fate of secure e-mail, I agree, but do not believe that
> this has much to do with limitations in the S/MIME format vs. XML.
> 
> thanx
> Anders
> 
> 
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Thursday, December 15, 2005 20:07
> Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
> 
> 
> I will review the FAQ; thank you.
> 
> While I would like to say that we're nowhere near making a decision
> about S/MIME vs. XML, I think the market has already made its position
> patently clear: S/MIME definitely works, but has had limited success
> in moving beyond e-mail.  Even when deployed in  the two most popular
> MUA's (Outlook & Thunderbird), it is hardly used by many corporations
> even in e-mail (I can only speak of my own experiences in the US and
> in one fairly large telecom company in a neighboring country of yours).
> 
> On the other hand, XML is a runaway success by any measure.  Given
> the level of investment and interest in technologies built on top of
> XML, and given the W3C and OASIS' own predilection towards XML in its
> standards, it forces us to acknowledge that whatever we (AGSC/PKI-TC)
> come up with, it has to meet the needs of the XML-based community -
> or face the same fate as S/MIME.
> 
> Personally speaking, I believe XML Signature and XML Encryption are
> taking root - slowly, but surely.  It has been fully implemented in
> OpenOffice 2.0 (I can personally vouch that it works) and is the
> basis for Web Services Security (WSS), an OASIS initiative, which in
> turn will be embedded in many products, from what I understand. So,
> we in the PKI-TC cannot afford to ignore these 2 standards.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> Anders Rundgren wrote:
> 
>>I understand.
>>
>>Regarding WASP and private keys, see attached FAQ, third question.
>>
>>The main difference between WASP and the DRAFT (+ other communication)
>>seems to be that the AGSC essentially have decided to do a remake of secure e-mail
>>(but upgrading the crypto stuff by using XML security rather than S/MIME),
>>while WASP is an effort to support interactive transactions on the web.
>>The latter effectively disables the use of message encryption.
>>
>>regards
>>Anders Rundgren
>>RSA Security
>>
>>----- Original Message -----
>>From: "Arshad Noor" <arshad.noor@strongauth.com>
>>To: "PKI TC" <pki-tc@lists.oasis-open.org>
>>Sent: Thursday, December 15, 2005 00:01
>>Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop
>>
>>
>>The contractor's focus is not to develop software, Anders; it is
>>to research what is available in  browsers today from a technical
>>perspective, and to determine what needs to be created to meet the
>>requirements specified (a DRAFT of which I posted on this alias
>>some months ago).
>>
>>Once the gap is identified, then comes the real work for the AG
>>subcommitee - how do we fill that gap?  What kinds of technologies
>>are needed?  What are browser vendors doing already and what are
>>they prepared to do to help support such customer requirements?
>>Is the open-source community working on projects that might address
>>this?  Are commercial browser vendors addressing this?  Once we've
>>reached consensus in the AGSC, then we need the TC to vote and
>>approve our recommendations before anything is promulgated by
>>OASIS as a standard.
>>
>>I believe our goals are similar - the ability to sign/encrypt from
>>browser all the way back to the application.  However, from what I
>>understood of your solution, it did not meet one of the requirements
>>we're focused on: that the web-signing solution had to use a private-
>>key stored in the client application key-store - in this case, the
>>browser.
>>
>>If your solution does use the private key of the client certificate
>>in the browser's key-store for the signing, then it will definitely
>>be evaluated in detail by the contractor along with other potential
>>solutions.
>>
>>I can't speak for the TC's position on this; only as the chair of
>>the AG subcommitee.
>>
>>Arshad Noor
>>StrongAuth, Inc.
>>
>>
>>Anders Rundgren wrote:
>>
>>
>>>Dear Arshad,
>>>
>>>I am curious to know how this project is to be managed.  It seems that
>>>"we" are going to produce "something", but that this will not be following
>>>common OASIS procedures with issues, votings, deliverables etc.
>>>
>>>I do believe that we should have some kind of embryonic specification
>>>before somebody is contracted for dev. work.  I have for example
>>>mentioned the connection between the "view", "data" and the signature
>>>as an important and actually very difficult area.  If we cannot define
>>>this, I doubt that we will be able to follow much else of what the
>>>contractor is doing.  BTW, we are apparently looking for one of the
>>>top ten browser/PKI/security coder/designers in the world!
>>>
>>>Regarding my participation:
>>>I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
>>>test site as a rather tangible input to this project.  Although you (and
>>>the TC?) do not seem to agree with my clearly stated goals[1] and the
>>>FAQ,  there must be pretty much the same issues in T-PKI.
>>>
>>>regards
>>>Anders Rundgren
>>>
>>>1] Universal, platform- and document-format independent "sign-off" utility
>>>designed for interactive web applications.  With the hope that it should
>>>eventually become a "standard" in web browsers.  I.e. the counterpart
>>>to the S/MIME signature support available in every e-mail client.
>>>
>>>----- Original Message -----
>>>From: "Arshad Noor" <arshad.noor@strongauth.com>
>>>To: "PKI TC" <pki-tc@lists.oasis-open.org>
>>>Sent: Wednesday, December 14, 2005 21:12
>>>Subject: Re: [pki-tc] PKI-TC@PKI Workshop
>>>
>>>
>>>Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
>>>is my fault as I have been busy trying to do those mundane things that
>>>keep body and soul together - earning money from paying customers to
>>>pay bills :-).
>>>
>>>However, some of it als due to the fact that the PKI Steering Commitee
>>>needed clarification of the mission of this project, as well as
>>>affirmations from at least 2 end-user customers on the goals of this
>>>effort.  Those affirmations were sent to the Steering Commitee this
>>>morning (customers also have jobs to do besides volunteering for these
>>>efforts, Anders; I can only express my appreciation for their having
>>>taken the time to review the requirements and comment on it).
>>>
>>>Hopefully, with the information available to the SC, funding will be
>>>approved to hire a contractor who will dedicate his/her time towards
>>>performing the detailed research necessary to move this TPKI project
>>>forward.
>>>
>>>Anders, perhaps you and I should talk offline about how you might be
>>>able to help us move this forward faster, if you have additional
>>>cycles available to you.  Perhaps, some of the work that was charted
>>>out for this contractor could be absorbed by you to speed it up even
>>>more?
>>>
>>>Arshad Noor
>>>StrongAuth, Inc.
>>>
>>>Anders Rundgren wrote:
>>>
>>>
>>>
>>>>It also appears that the "Transaction PKI" project is behind schedule as only very little information has been published in spite
>>>
>>>of
>>>
>>>
>>>
>>>>being talked about for a year or so.  Don't get me wrong, I just want the charter and reality to match, and I have no problems
>>>
>>>with
>>>
>>>
>>>
>>>>a charter revision.  That is, PKI surveys and promotion may indeed be this TC's main purpose.
>>>>
>>>
>>>
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>