pki-tc message
Subject: Voting, Open Source vs OASIS, and PKI Guidelines. Was. Whither PKI-TC? (was Meeting tomorrow)
- From: "Anders Rundgren" <anders.rundgren@telia.com>
- To: "PKI TC" <pki-tc@lists.oasis-open.org>
- Date: Sun, 21 May 2006 16:44:18 +0200
At this stage I believe that deciding what to focus on is the primary concern.

New PKI-related Standards

In case this group is going to commit themselves to standards developments, the outcome of such a decision may be that it should not be carried out in the realm of PKI-TC but rather in an entirely new for that purpose dedicated OASIS TC. As a member of several standards groups, I note that standards development requires much more member interaction and under longer periods than for example surveys. I can't imagine any PKI standards development that would not take at least 18 months to complete. In fact, the average task seems more like a 2-year journey. That's a major commitment, requiring that the actual task is of big importance for the associated members and that they can actually afford it. I have a feeling that there are few such tasks to be found which means that any work would be on a more or less idealistic (=private) basis, unless you happen to get EU or government funding.

Open Source versus Standards

It appears that Open Source projects are better geared for carrying out stuff that does not have an immediate monetary return for the members. Recently [yet] another EU-based group launched an effort to create a "WebSign" facility for e-government usage. That is, nobody intends to make a nickel on the SW itself, but rather anticipates that it will enable deployment of new applications. By offering a competent and free scheme, this group hopes to set a de-facto standard for WebSigning. An OASIS process would add considerable delays and if such a TC does not also involve Microsoft, the result would by definition be "non-authoritative" since Microsoft have some 80-90% of the browser market. Underground work seems like a way ahead at this early stage. It is worth noting that the SAFE (biopharma) signature effort is going in this direction as well.

That is, PKI standards development is currently at a cross-road, spurred by the zero-cost client-model imposed by "Internet-scale" PKI deployments. This is primarily happening in the EU, where PKI is a consumer/citizen "movement", rather than an enterprise activity.

The PKI Guidelines

Regarding voting I would like the voting members to take a decision regarding the development of PKI application guidelines.

However, I think that such a voting must be preceded by some kind of check, to see how many people would like to contribute to such a task. Since such work has never been performed by any group before, I remain skeptical about the chance of bringing in the people needed to make the deliverables authoritative. I believe that without any ties to for example NIST, such an effort will simply go nowhere.

As it looks right now, surveys like the ones carried out by Stephen Wilson are what we can deal with.

Anders Rundgren
----- Original Message -----
Sent: Sunday, May 21, 2006 07:26
Subject: [pki-tc] re:[pki-tc] Whither PKI-TC? (was Meeting tomorrow)
Arshad

Nice summary, thanks very much.

Regarding the suggested change to the voting rules, I would just like to put a contrary and cautious view, particularly in light of how small our group is. I think we need somehow to encourage long term and consistent engagement with the committee. There may be risk if it is too easy for people with relatively little commitment to the group to vote on issues as they see fit, perhaps capriciously, thus exercising disproportionate power. A great deal gets accomplished by live engagement in the meetings. I think a consistent level of live engagement in meetings should be a pre-requisite to being able to vote.

Cheers,

Stephen.
Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482
11 Minnesota Ave
Five Dock NSW 2046
Australia
P +61 (0)414 488 851
--------------------
About Lockstep
Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent specialist advice and analysis on identity management, PKI and smartcards. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft.
> I've heard some great feedback from the forum - over e-mail and
> in the meeting - and I'm going to try to summarize what I heard.
> Please correct me if I've misinterpreted/missed anything:
>
> * Our charter is very broad and could encompass creating
>   technical standards for the use of PKI, if appropriate;
>
> * We need to consider changing the rule that "punishes" voting
>   members if they don't attend 2 consecutive meetings;
>
> * We need to create a better perception of PKI, relative to
>   other security technologies;
>
> * We need to sharpen our message about PKI and the benefits it
>   brings to business;
>
> * We need to continue addressing the concerns raised in the PKI
>   survey from 3 years ago - especially cost, user interfaces and
>   technical understanding;
>
> * Application guidelines are missing for integrating PKI, thus
>   leading to non-standard implementations; the absence of
>   "universal, open source, cross-platform API(s)" creates the
>   biggest hurdles for use of PKI outside IA&A.
>
> I may have missed some other messages, so please send them to
> this list so we can add them to this summary.
>
> I see these statements falling into 3 categories:
>
> 1) Administrative - (rule change about missing meetings), which
>    we can change based on a vote, I imagine;
>
> 2) Communications - better articulation of our message towards
>    creating a more favorable perception of PKI; and
>
> 3) Application guidelines - the lack thereof.
>
> I'd like to get some feedback to this initial summarization. If
> the TC believes that this summary is on target, I'd like us to
> think of project proposals to address these statements, as a next
> step.
>
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> Arshad Noor wrote:
> > Friends,
> >
> > Since tomorrow is the first meeting that I will be conducting
> > as the new chair, I wanted to take the opportunity for us to
> > have a discussion around the TC's future. Since I'm not sure
> > everyone is on the Member Section alias (I'm not - and I'm not
> > sure why), I'm sending you a message that I sent there last
> > week to help spur some discussion tomorrow on this subject.
> >
> > Whether you're a regular participant to the TC meetings or
> > not, I'd like to invite you to attend this session tomorrow
> > to provide some input on the two topics outlined below.
> >
> > If you cannot join us due to other commitments, please send
> > us your feedback on this list, so we can incorporate it into
> > our discussion.
> >
> > As the internet gets more dangerous and awareness increases
> > amongst software developers/architects, I strongly believe
> > that the use of public-key cryptography is on the threshold
> > of a new dawn. I'm hoping that you can join us in taking
> > advantage of this new awareness, and in helping shape the
> > way the technology can help your company or you, personally.
> >
> > The topics I'd like to discuss tomorrow are:
> >
> > 1) As a technical committee, what technology standards do we
> >    establish given that PKIX establishes international technical
> >    standards for PKI, and W3C has established XMLSignature,
> >    XMLEncryption and XKMS as standards? What value do we
> >    add to the field of PKI to justify our existence?
> >
> > 2) The TC conducted a survey 2-3 years ago that highlighted
> >    why people were not using PKI. Yet, many countries around
> >    the world, the US Federal Government, the cable/satellite
> >    industry, the DRM world all use PKI in one form or another.
> >    What is the real reason that the general business
> >    applications/IT developers shun PKI? (Being an applications
> >    developer myself, I have some notions on this that I'd like
> >    to discuss in the TC, but I want to hear from everybody else
> >    first).
> >
> > We may not have enough time to cover this discussion tomorrow,
> > but I hope to begin it over e-mail, and continue on the phone
> > and e-mail. Ann Terwilliger has kindly arranged for a toll-free
> > number (in the US) for this meeting. It is:
> >
> > Date/Time: MAY, 17 2006 at 9:00 AM America/Los_Angeles
> > Length: 60
> > Meeting ID: 3661
> > Phone Number: 877-847-2001 (USA & Canada) or 650-432-0111
> >
> > I hope to hear from you. Thank you.
> >
> > Arshad Noor
> > StrongAuth, Inc.