Subject: RE: [pki-tc] PKI Hurdles. Re: [pki-tc] Meeting tomorrow
I likely won't make tomorrow's call because I'm meeting with a client to discuss how they might comply with PIV. The interesting wrinkle is that they are not a government agency but see a great deal of value in the PIV approach. They have had internal and external CAs in operation since 1999 for high assurance identity verification and are now looking to "kick it up a notch."

I think the US Government PIV initiative is propelling reconsideration of PKI by large enterprises and communities of interest/trust. CertiPath (the aviation industry bridge CA) and SAFE (pharma CA) are gaining traction in their respective communities. It may well be that the PKI "killer app" is not an application at all but rather a central component of IA&A processes. Path processing issues notwithstanding, federation is getting more attention every day and PKI is viewed as essential plumbing - certainly not the glamour-child that the industry marketed and hoped it would become.

The biggest hurdles for wider use in applications outside of IA&A remain the absence of a universal, open source, cross-platform API(s) that only need a glue-layer between the app and the API and another between the vendor product and the API. That way, application developers don't have to bet on the best or most widely deployed vendor product. The other barriers include cost (alleviated some by shared service providers), awful user-interfaces and users' technical understanding requirements.

Paul

-----Original Message-----
From: Sabo, John T [mailto:John.T.Sabo@ca.com]
Sent: Wednesday, May 17, 2006 5:43 AM
To: Anders Rundgren; Arshad Noor; PKI TC
Subject: RE: [pki-tc] PKI Hurdles. Re: [pki-tc] Meeting tomorrow

Anders raises a good point for discussion, especially with respect to the U.S. Government personal identity verification initiative, which is essentially intended for authentication for physical and logical systems.
The access control components and additional applications are not an emphasis of the NIST FIPS-201 guidance. Of course, the U.S. government is a huge collection of agencies with thousands of stove-pipe systems, and a mix of legacy and COTS applications. Some believe that the PIV infrastructure will provide a basis for moving into the application space (in a decade?), given this environment, since it establishes a cross-government and government-contractor authentication foundation.

__________________________________
John T. Sabo, CISSP
Director, Security and Privacy Initiatives
CA
Tel: +1 703-708-3037
Mobile: +1 443-629-6198
Fax: +1 703-709-4820
------------------------------------
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Tuesday, May 16, 2006 3:29 PM
To: Arshad Noor; PKI TC
Subject: [pki-tc] PKI Hurdles. Re: [pki-tc] Meeting tomorrow

>Yet, many countries around the world, the US Federal Government, the
>cable/satellite industry, the DRM world all use PKI in one form or another.
>What is the real reason that the general business
>applications/IT developers shun PKI?

I think the industry handles PKI quite appropriately.

The US government have indeed advanced plans to purchase 30 million+ PIV cards for billions of USDs, but have so far spent close to nothing on PKI application research, or showing how they anticipate that PKI is to be used in general business applications including e-government dittos.

Without any tangible information, application building outside of login becomes pure guesswork. Makers of business applications cannot really do this guessing on their own.
I am afraid that we have to wait another decade for these PKI application guidelines to surface. In the meantime, PKI consultants over the world enjoy a great time spending tax-payer money, solving the same problem over and over and each time with a new twist, turning this PKI application integration circus into a virtual Perpetuum Mobile.

regards
Anders Rundgren

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may a link to this group and all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php