The fall of Gateway PKI Was:[pki-tc] 3 slides for OASIS forum

["Anders Rundgren" <anders.rundgren@telia.com>]

>Anders may be right that gateway PKI is important too, but it is not in the
>same league (with respect to numbers) as embedded client side PKI.

Servers would then be less interesting than End-user computers, as the latter outnumber the former by magnitudes.  In analogy with computers, client and gateway (server) PKI have different missions.

 >The outright need for gateway PKI will likely fall as embedded certificates become seamlessly easy to use.

 

Your term Embedded PKI applies very nicely to EMV since it for normal usage is simply a "card".

 

However, Embedded PKI is no panacea in the enterprise world as you unfortunately have to deal explicitly with handling certificates (particularly for encryption).

There is major difference between creating a global trust infrastructure for a single purpose, end-user activity, by a company like VISA, and establishing something similar in the unregulated enterprise space unless you expect end-users to manage 100-10000 partner trust anchors on their own (one for each organization they deal with).

 

Gateway PKI addresses these issues, and also removes the need for end-users to enforce company security policies because it will be done for them automatically (and transparently).

 

Anders Rundgren

 

Signing Purchase Orders

 

If the user is supposed to be accountable both with respect to his/her organization as well as with respect to the external supplier, something "interesting" happens: The user will have two sign TWICE.  Why is that?  Well, since "cost center" etc. is information that is vital for the internal accounting, but absent (secret actually) from external PO messages, there are indeed two messages[1] to sign for each purchase order.  What does this mean in practice?  It is just one more of a handful of other[2] really hard facts, that essentially says the same thing: E2ES (End-To-End-Security) in an org-to-org context, is essentially useless for all but e-mail.

 

There is nothing that can "bridge" [:-)] this deficit, and if there is, it has been thoroughly hidden.

 

AR

 

1] Here assuming that the PKI world will not be able to "reformat" the e-purchasing world (includes OASIS/UN with ebXML), in order to solve a problem ("GW security is heresy and must be fought at any cost and inconvenience"), the latter is completely unaware of.

 

2]

• Encryption of POs is hard to combine with internal systems' legitimate needs.
• Variant identities (users rather than trading partners) are hard to cope with for automated supplier systems.
• Establishing a large org-to-org trust infrastructure based on employees has so far failed.
• Order numbers are usually assigned by the business system after user submission, breaking user signatures.
• Privacy concerns make employee identities unsuitable for business messages to suppliers or limit usage.
• Employee signed POs may bypass the internal business processes and the external supplier will not notice this.  Existing systems does not have (by E2ES introduced), security hole.

----- Original Message -----
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: <pki-tc@lists.oasis-open.org>
Sent: Monday, April 24, 2006 01:04
Subject: [pki-tc] re:[pki-tc] 3 slides for OASIS forum



Thanks for that Arshad.  It's a tough gig doing PKI in three slides!

My only comment would that I think we should elevate embedded PKI in the
future slide, perhaps to top position.  In my view, client side PKI is
likely to become ubiquitous in devices like smartcards and cell phones. 

[My favorite comparison is with magnetic stripe card technology.  That is
so ubiquitous that we blissfully forget about the complexity of
ferromagnetics, and the complex supply chain that delivers card products
via blank plastics, magnetic tapes and bulk ferrite powders.  Chip cards
will supersede all this in coming years, and digital certificates will
become at least as common as cards.]

A missing example on slide 3 may be the EMV smartcard, which has embedded
client side PKI, with over 400 million smart credit/debit cards already
issued. 

Anders may be right that gateway PKI is important too, but it is not in the
same league (with respect to numbers) as embedded client side PKI.  The
outright need for gateway PKI will likely fall as embedded certificates
become seamlessly easy to use. 

Cheers,

Steve.



> All,
>
> As promised in last week's session, here are 3 slides that I've come up
> with as a first-cut of what I intend to present in the 3 minutes that I
> will have in the OASIS forum on May 9th.
>
> Please review and provide comments.  If you believe there should be more
> bullets/sub-bullets, please forward suggesttions to me before April 29.
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.
>
> P.S. I will use the OASIS format after the content is finalized.
> [attachment][attachment]

--
<Put email footer here>

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php