pki-tc message
Subject: The fall of Gateway PKI Was:[pki-tc] 3 slides for OASIS forum
- From: "Anders Rundgren" <anders.rundgren@telia.com>
- To: "Stephen Wilson" <swilson@lockstep.com.au>
- Date: Mon, 24 Apr 2006 21:53:21 +0200
> Anders may be right that gateway PKI is important too, but it is not in the
> same league (with respect to numbers) as embedded client side PKI.

Servers would then be less interesting than End-user computers, as the latter
outnumber the former by magnitudes. In analogy with computers, client and
gateway (server) PKI have different missions.

> The outright need for gateway PKI will likely fall as embedded certificates
> become seamlessly easy to use.
Your term Embedded PKI applies very nicely to EMV since, for normal usage, it
is simply a "card". However, Embedded PKI is no panacea in the enterprise
world as you unfortunately have to deal explicitly with handling certificates
(particularly for encryption).

There is a major difference between creating a global trust infrastructure for
a single-purpose, end-user activity, by a company like VISA, and establishing
something similar in the unregulated enterprise space, unless you expect
end-users to manage 100-10000 partner trust anchors on their own (one for each
organization they deal with).

Gateway PKI addresses these issues, and also removes the need for end-users to
enforce company security policies because it will be done for them
automatically (and transparently).
Anders Rundgren
Signing Purchase Orders

If the user is supposed to be accountable both with respect to his/her
organization as well as with respect to the external supplier, something
"interesting" happens: the user will have to sign TWICE. Why is that? Well,
since "cost center" etc. is information that is vital for the internal
accounting, but absent (secret actually) from external PO messages, there are
indeed two messages[1] to sign for each purchase order. What does this mean in
practice? It is just one more of a handful of other[2] really hard facts, that
essentially say the same thing: E2ES (End-To-End-Security) in an org-to-org
context is essentially useless for all but e-mail.

There is nothing that can "bridge" [:-)] this deficit, and if there is, it has
been thoroughly hidden.

AR
[1] Here assuming that the PKI world will not be able to "reformat" the
e-purchasing world (includes OASIS/UN with ebXML), in order to solve a problem
("GW security is heresy and must be fought at any cost and inconvenience") the
latter is completely unaware of.

[2]
- Encryption of POs is hard to combine with internal systems' legitimate needs.
- Variant identities (users rather than trading partners) are hard to cope with
  for automated supplier systems.
- Establishing a large org-to-org trust infrastructure based on employees has
  so far failed.
- Order numbers are usually assigned by the business system after user
  submission, breaking user signatures.
- Privacy concerns make employee identities unsuitable for business messages to
  suppliers or limit usage.
- Employee-signed POs may bypass the internal business processes and the
  external supplier will not notice this. Existing systems do not have this
  (E2ES-introduced) security hole.
----- Original Message -----
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: <pki-tc@lists.oasis-open.org>
Sent: Monday, April 24, 2006 01:04
Subject: [pki-tc] re:[pki-tc] 3 slides for OASIS forum
Thanks for that Arshad. It's a tough gig doing PKI in three slides!

My only comment would be that I think we should elevate embedded PKI in the
future slide, perhaps to top position. In my view, client side PKI is likely
to become ubiquitous in devices like smartcards and cell phones.

[My favorite comparison is with magnetic stripe card technology. That is so
ubiquitous that we blissfully forget about the complexity of ferromagnetics,
and the complex supply chain that delivers card products via blank plastics,
magnetic tapes and bulk ferrite powders. Chip cards will supersede all this in
coming years, and digital certificates will become at least as common as
cards.]

A missing example on slide 3 may be the EMV smartcard, which has embedded
client side PKI, with over 400 million smart credit/debit cards already
issued.

Anders may be right that gateway PKI is important too, but it is not in the
same league (with respect to numbers) as embedded client side PKI. The
outright need for gateway PKI will likely fall as embedded certificates become
seamlessly easy to use.

Cheers,
Steve.
> All,
>
> As promised in last week's session, here are 3 slides that I've come up
> with as a first-cut of what I intend to present in the 3 minutes that I
> will have in the OASIS forum on May 9th.
>
> Please review and provide comments. If you believe there should be more
> bullets/sub-bullets, please forward suggestions to me before April 29.
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.
>
> P.S. I will use the OASIS format after the content is finalized.