
Subject: RE: [pki-tc] digital signatures for OASIS standards


A few answers follow.  Note that some are the "Reader's Digest"
condensed version...

A) Build or rent - OASIS could build its own but that would be too
expensive and is probably way outside of its core competencies. The most
pragmatic and economical approach is to subscribe to a Certificate
Authority (CA) service provider.  There are many CA providers that have
service offerings including VeriSign, Entrust, Equifax, Cybertrust,
Valicert and Thawte.

B) Yes. Cost varies depending on the type of service you're seeking.
Generally cost is based upon volume of certificates to be issued, how
"strong" you need the certificates to be, tools or support applications
you'll need and liability issues.

C) OASIS first needs to determine the strength of certificates needed in
order to establish identity proofing requirements and processes.
Usually the processes feature a person or group appointed within the
organization that serves as a registrar (the formal name is Registration
Authority or RA).  The RA will perform identity proofing of those
seeking to obtain a certificate (based on procedures required by the CA)
and, if valid, submit a certificate request to the CA.  The CA will
issue a certificate to the applicant.

D) The certificates are linked to a key-pair submitted by the applicant
as part of the registration process. Keys are strings of intermixed
letters and numbers - one key is kept by the applicant (called a private
key) and the other submitted during application, called the public key
(that's the "P" and "K" of PKI if you didn't know).  It's the keys that
do the work. They are used in cryptographic functions to "sign" and/or
encrypt documents.  A certificate holder can "sign" a document or
message with their private key that someone else can later verify by
getting the public key from the CA (usually at no cost to them). A
verified signature provides a level of proof of who signed the document
and additionally establishes that the document has not changed since it
was "signed".  The level of proof is related to how strong the
certificate is. There are a lot of technical fine points to all of this,
but I won't get into them so I can keep this short.

Signing "official" OASIS standards or publications or voting for
steering committee members are a couple of examples of how OASIS might
use PKI.

E) The certificate (keys) are document-type agnostic, they only need to
be digital. An organization might want to have different kinds of
certificates, though.  There can be different certificates to support
discrete functions: signing, encryption and authentication.  One
certificate can be used for all functions but that may not be advisable
depending on business needs. Also, some applications may need an add-on
program to perform the functions but the CA service providers may offer
those programs as part of the offering you might buy.

F) You asked a pretty good set of questions. You may have others after
you've read the answers.  I'm sure whatever they might be, anyone in the
TC will be able to help. The question I always ask of any organization
contemplating the use of PKI is "What do you want to use it for?"  The
answers should be related to a business value that might be improved.
Too often companies just want the technology - those cases seldom have
happy results.

I hope these answers are useful and not too ponderous.  Someone may jump
all over them because they are not technically spot-on or not detailed
enough.  My attempt was to give you a sense of what PKI is about.
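
The mechanics sketched in D) and E) above, as an added worked example that is not part of this message or of any OASIS deliverable. It plays all three roles in Go's standard library: the CA (a constructed "Demo Root CA" that issues certificates after the RA step is assumed done), the certificate holder (a constructed "TC Chair" with one ECDSA P-256 key pair per function), and the relying party, who fetches the CA's certificate, checks the signer's certificate chains to it and is authorised for signing, then checks the signature over the document. The key type, names, validity periods and the sample document are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is what the demo CA hands back: the trust anchor a verifier fetches,
// the applicant's signing key and certificate, and an encryption-only certificate.
type PKI struct {
	Roots      *x509.CertPool
	SignerKey  *ecdsa.PrivateKey
	SignerCert *x509.Certificate
	EncCert    *x509.Certificate
}

// newKey generates a key pair (assumed ECDSA P-256); the private half stays with its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do in a demo
	}
	return k
}

// template builds a certificate request with an assumed 24-hour validity.
func template(serial int64, cn string, usage x509.KeyUsage, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
}

// issue is the CA step: it signs tmpl with caKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SetupPKI stands in for CA and RA: one certificate per function, each bound to its own key pair.
func SetupPKI() (*PKI, error) {
	caKey, signKey, encKey := newKey(), newKey(), newKey()
	caCert, err := issue(template(1, "Demo Root CA", x509.KeyUsageCertSign, true), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	signCert, err := issue(template(2, "TC Chair (signing)", x509.KeyUsageDigitalSignature, false), caCert, &signKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	encCert, err := issue(template(3, "TC Chair (encryption)", x509.KeyUsageKeyAgreement, false), caCert, &encKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &PKI{Roots: roots, SignerKey: signKey, SignerCert: signCert, EncCert: encCert}, nil
}

// Sign is the holder's step: hash the document and sign the digest with the private key.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify is the relying party's step: chain the certificate to a trusted root, refuse
// certificates not authorised for signing, then check the signature with the cert's public key.
func Verify(roots *x509.CertPool, cert *x509.Certificate, doc, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate %q not authorised for signing", cert.Subject.CommonName)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match document: altered or forged")
	}
	return nil
}
```

Verify fails in three distinct ways worth noticing: a document changed after signing (the digest no longer matches), a certificate that chains to a CA the verifier does not trust, and a certificate the CA issued for a different purpose (the encryption-only one), which is why E) suggests separate certificates. Production signatures of PDF or ODF documents carry the certificate and signature inside the file in a standard container format rather than as detached bytes, but the checks the relying party performs are the same.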


-----Original Message-----
From: Mary McRae [mailto:mary.mcrae@oasis-open.org] 
Sent: Monday, January 16, 2006 11:09 AM
To: pki-tc@lists.oasis-open.org
Subject: [pki-tc] digital signatures for OASIS standards

Hi folks,

  About a month or so ago, Arshad suggested that OASIS establish a PKI
and issue chairs digital certificates. Can you enlighten me on what it
would take to implement such a proposal? 

a) how do we obtain a PKI?
b) is there a cost associated?
c) how do we create digital certificates?
d) how are they applied to documents? 
e) would you need a different certificate for each type of document?
(pdf, odf, doc, etc.)?
f) any other questions that I haven't thought of?

Thanks; staff is very interested in this proposal.



Mary P McRae
Manager of TC Administration
email: mary.mcrae@oasis-open.org
web: www.oasis-open.org
phone: 603.232.9090
cell: 603.557.7985
OASIS Symposium: The Meaning of Interoperability, 9-12 May, San
Francisco http://www.oasis-open.org/events/symposium_2006/

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com]
Sent: Thursday, December 15, 2005 2:39 PM
Subject: [pki-tc] OpenDoc and OASIS PKI

I just realized that as Chair of the Application Guidelines subcommittee,
it becomes my responsibility to encourage movements towards the use of
applications that use PKI effectively.


As such, I believe OASIS should establish a PKI for its use and issue
all Chairs digital certificates for signing official documents within
its archives.  The mechanics can be worked out once the principle is
decided by vote by the TC.

Arshad Noor
StrongAuth, Inc.
