Re: "To BCA or not to BCA" , this is NOT the question
"Robert Moskowitz" <rgm@icsalabs.com> wrote:
>As the one that proposed the BCA concept to NIST in Dec '97 (or was it '96,
>that long ago?),
Oops, I hope you don't find this discussion too offensive.
>I always saw the advantage of the BCA allowing any
>business to be a member of as many BCAs as needed.
>I know at one point there was talk of a BCA for all Patent offices around
>the world, for example, even though the USPTO would also be a member of the
>US BCA. So what? That is the strength of the BCA concept.
In fact, I believe the BCA concept is actually the most powerful way to
achieve an interoperable, scalable employee-based PKI trust network!
=============================================================================
So what's the problem? It is that an employee-based PKI trust-network is more
or less useless unless there is a trust-network-wide directory supporting it.
=============================================================================
But how many organizations are interested in "publishing" their employees
including their function (authority) etc? Not that many it seems.
As I have also described at great length, the implicit FPKI security model
(e2e) is largely incompatible with collaborative processes, and in particular if
these span more than one organization.
The "Gateway" is marching on
============================
Although gateways are well known to security people, something went terribly
wrong when this extremely time-proven concept met with PKI. I guess this must
have had something to do with the idea that PKI's main mission in life is
providing legally binding signatures for individuals. But this is actually only
one out of a myriad of PKI applications.
If somebody believes that the gateway approach is merely a "delirious dream"
of yours truly, please take a peek at this site:
http://europa.eu.int/idabc/en/document/3760
That it has not been mentioned too much in PKI circles is due to the fact that
it has not been created by PKI people but by information system architects.
=============================================================================
Therefore I simply suggest that the FPKI community should design a "combined
information and trust model" instead of waiting for IBM, MSFT etc. or the EU.
=============================================================================
I do believe that the US could take the lead again by *this time* putting the
"system guys" and the "PKI guys" in the same room in spite of the fact that
they don't even speak the same language!
Just defining a globally usable gateway PKI/certificate is certainly no
"piece of cake".
regards
Anders Rundgren
Senior PKI Architect
working for a major computer security company
Disclaimer:
This is my personal opinion, not to be associated with my employer