Wednesday, January 9, 2008
Microsoft's CardSpace - PKI Nemesis?
Some people claim that CardSpace will put the final nail in the PKI coffin. I just don't see how: CardSpace suffers from exactly the same problem as PKI, which is basically the unavailability of a low-cost, ubiquitous, and always usable "container".
Monday, July 16, 2007
The PKI "Hostage" Mode
Some 3-4 years ago I followed an ambitious EU effort (in CEN) to standardize e-invoices. Did they actually succeed? In principle they did, but in the area of securing invoices, I would say a blunt no. The primary reason is that Germany and a number of "allies" have a fairly intricate relation to the word "signature", making security based on PKI quite awkward.
In Germany a paper-invoice does not have to be signed but if an invoice is to be sent electronically it must either be secured with "EDI-methods" (whatever that means), OR be secured with a qualified digital signature. The latter may sound just fine, but there is a catch; a qualified digital signature can only be issued by an individual.
Now, if you apply this notion to a typical B2B-scenario, where messages are actually created and sent from server-to-server (business-system-to-business-system), this makes it hard to keep the individual in the loop.
To the "rescue", a number of innovative German security companies came up with the bright idea of mounting an individual's certificate in the server. Since the actual person has no way of knowing what the server does (including sending automatically generated invoices like electricity bills), this person effectively becomes a "hostage". The hostage is typically a CEO, CFO or similar, to give "authority" to outgoing messages.
However, drawbacks with the PKI "hostage" scheme are plenty, including privacy concerns, difficult trust management (potentially one trust anchor for each business partner), and lack of robustness (must replace certificate when the hostage for some reason leaves the company).
How did this happen, one may wonder? I believe the closest answer is that the first generation of PKI experts and legislators who created the EU signature directive back in 1993 did not envision the impact of servers on business processes. Applied to the "Google age", where there are servers virtually everywhere, this becomes a real issue.
In a future posting I will describe what Scandinavian governments have (more or less) settled on with respect to PKI usage in the context of B2B, B2G, and G2G.
Saturday, July 7, 2007
PKI - A Solution or a Problem?
Dear reader,
I don't know if I have the time to blog very frequently and, even more important, whether there will be any people reading what I write, but these issues are probably not that unique in the world of blogging :-)
Anyway, in case you are still reading, this blog will mostly be about things related to PKI (Public Key Infrastructure), a technology that some people treat as a "religion" and some others reject as a "solution looking for a problem".
Personally, I believe PKI properly applied is just a technology among others. The challenge is actually in the word "applied" because this is where we have a problem.
Stay tuned!