
pki-tc message



Subject: Voting, Open Source vs OASIS, and PKI Guidelines. Was. Whither PKI-TC? (was Meeting tomorrow)


At this stage I believe that deciding what to focus on is the primary concern.
 
New PKI-related Standards
 
In case this group is going to commit themselves to standards developments, the outcome of such a decision may be that it should not be carried out in the realm of PKI-TC but rather in an entirely new OASIS TC dedicated to that purpose.  As a member of several standards groups, I note that standards development requires much more member interaction, and over longer periods, than for example surveys.  I can't imagine any PKI standards development that would not take at least 18 months to complete.  In fact, the average task seems more like a 2-year journey.  That's a major commitment, requiring that the actual task is of big importance for the associated members and that they can actually afford it. I have a feeling that there are few such tasks to be found which means that any work would be on a more or less idealistic (=private) basis, unless you happen to get EU or government funding.
 
Open Source versus Standards
 
It appears that Open Source projects are better geared for carrying out stuff that does not have an immediate monetary return for the members.  Recently [yet] another EU-based group launched an effort to create a "WebSign" facility for e-government usage.  That is, nobody intends to make a nickel on the SW itself, but rather anticipates that it will enable deployment of new applications.  By offering a competent and free scheme, this group hopes to set a de-facto standard for WebSigning.  An OASIS process would add considerable delays and if such a TC does not also involve Microsoft, the result would by definition be "non-authoritative" since Microsoft have some 80-90% of the browser market.  Underground work seems like a way ahead at this early stage.  It is worth noting that the SAFE (biopharma) signature effort is going in this direction as well.
 
That is, PKI standards development is currently at a crossroads, spurred by the zero-cost client-model imposed by "Internet-scale" PKI deployments.  This is primarily happening in the EU, where PKI is a consumer/citizen "movement", rather than an enterprise activity.
 
 
The PKI Guidelines
 
Regarding voting, I would like the voting members to take a decision regarding the development of PKI application guidelines.
However, I think that such a vote must be preceded by some kind of check, to see how many people would like to contribute to such a task.  Since such work has never been performed by any group before, I remain skeptical about the chance of bringing in the people needed to make the deliverables authoritative.  I believe that without any ties to for example NIST, such an effort will simply go nowhere.
 
As it looks right now, surveys like the ones carried out by Stephen Wilson are what we can deal with.
 
Anders Rundgren
 
----- Original Message -----
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Sunday, May 21, 2006 07:26
Subject: [pki-tc] re:[pki-tc] Whither PKI-TC? (was Meeting tomorrow)


Arshad

Nice summary, thanks very much.

Regarding the suggested change to the voting rules, I would just like to
put a contrary and cautious view, particularly in light of how small our
group is.  I think we need somehow to encourage long term and consistent
engagement with the committee.  There may be risk if it is too easy for
people with relatively little commitment to the group to vote on issues as
they see fit, perhaps capriciously, thus exercising disproportionate power.
 A great deal gets accomplished by live engagement in the meetings.  I
think a consistent level of live engagement in meetings should be a
pre-requisite to being able to vote. 

Cheers,

Stephen.


Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep
Lockstep was established in early 2004 by noted authentication expert
Stephen Wilson, to provide independent specialist advice and analysis on
identity management, PKI and smartcards.  Lockstep is also developing
unique new smartcard solutions to address privacy and identity theft.



> I've heard some great feedback from the forum - over e-mail and
> in the meeting - and I'm going to try to summarize what I heard.
> Please correct me if I've misinterpreted/missed anything:
>
> * Our charter is very broad and could encompass creating
>    technical standards for the use of PKI, if appropriate;
>
> * We need to consider changing the rule that "punishes" voting
>    members if they don't attend 2 consecutive meetings;
>
> * We need to create a better perception of PKI, relative to
>    other security technologies;
>
> * We need to sharpen our message about PKI and the benefits it
>    brings to business;
>
> * We need to continue addressing the concerns raised in the PKI
>    survey from 3 years ago - especially cost, user interfaces and
>    technical understanding;
>
> * Application guidelines are missing for integrating PKI, thus
>    leading to non-standard implementations; the absence of
>    "universal, open source, cross-platform API(s)" creates the
>    biggest hurdles for use of PKI outside IA&A.
>
> I may have missed some other messages, so please send them to
> this list so we can add them to this summary.
>
> I see these statements falling into 3 categories:
>
> 1) Administrative - (rule change about missing meetings), which
>     we can change based on a vote, I imagine;
>
> 2) Communications - better articulation of our message towards
>     creating a more favorable perception of PKI; and
>
> 3) Application guidelines - the lack thereof.
>
> I'd like to get some feedback to this initial summarization.  If
> the TC believes that this summary is on target, I'd like us to
> think of project proposals to address these statements, as a next
> step.
>
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.
>
>
> Arshad Noor wrote:
> > Friends,
> >
> > Since tomorrow is the first meeting that I will be conducting
> > as the new chair, I wanted to take the opportunity for us to
> > have a discussion around the TC's future.  Since I'm not sure
> > everyone is on the Member Section alias (I'm not - and I'm not
> > sure why), I'm sending you a message that I sent there last
> > week to help spur some discussion tomorrow on this subject.
> >
> > Whether you're a regular participant to the TC meetings or
> > not, I'd like to invite you to attend this session tomorrow
> > to provide some input on the two topics outlined below.
> >
> > If you cannot join us due to other commitments, please send
> > us your feedback on this list, so we can incorporate it into
> > our discussion.
> >
> > As the internet gets more dangerous and awareness increases
> > amongst software developers/architects, I strongly believe
> > that the use of public-key cryptography is on the threshold
> > of a new dawn.  I'm hoping that you can join us in taking
> > advantage of this new awareness, and in helping shape the
> > way the technology can help your company or you, personally.
> >
> > The topics I'd like to discuss tomorrow are:
> >
> > 1) As a technical committee, what technology standards do we
> >    establish given that PKIX establishes international technical
> >    standards for PKI, and W3C has established XMLSignature,
> >    XMLEncryption and XKMS as standards?  What value do we
> >    add to the field of PKI to justify our existence?
> >
> > 2) The TC conducted a survey 2-3 years ago that highlighted
> >    why people were not using PKI.  Yet, many countries around
> >    the world, the US Federal Government, the cable/satellite
> >    industry, the DRM world all use PKI in one form or another.
> >    What is the real reason that the general business
> >    applications/IT developers shun PKI?  (Being an applications
> >    developer myself, I have some notions on this that I'd like
> >    to discuss in the TC, but I want to hear from everybody else
> >    first).
> >
> > We may not have enough time to cover this discussion tomorrow,
> > but I hope to begin it over e-mail, and continue on the phone
> > and e-mail.  Ann Terwilliger has kindly arranged for a toll-free
> > number (in the US) for this meeting.  It is:
> >
> > Date/Time:     MAY, 17 2006 at 9:00 AM America/Los_Angeles
> > Length:        60
> > Meeting ID:    3661
> > Phone Number:    877-847-2001 (USA & Canada) or 650-432-0111
> >
> > I hope to hear from you.  Thank you.
> >
> > Arshad Noor
> > StrongAuth, Inc.

