Credentials Check (Was: FPKI challenges. Was: National Health Technology Standards Corporation)
- Subject: Credentials Check (Was: FPKI challenges. Was: National Health Technology Standards Corporation)
- From: William F Flanigan <wflanigan@csc.com>
- Date: Fri, 28 Jan 2005 10:33:22 -0500
Anders,
You keep saying that you are a "Senior PKI Architect working for a
major computer security company." What is the name of the company?
Bill Flanigan
----------------------------------------------------------------------------------------
From: "Anders Rundgren" <anders.rundgren@telia.com>
Sent by: pki-twg
Date: 01/27/2005 05:20 PM
To: Multiple recipients of list <pki-twg@nist.gov>
cc:
Subject: FPKI challenges. Was: National Health Technology Standards Corporation
Please respond to anders.rundgren
>There's a lot of prior activity behind this, none of which threatens FPKI.
>In fact, FPKI is complementary.
Dear Peter,
I believe "Threatens FPKI" is a bit strong. "Possibly challenges the
current vision of how FPKI should serve the federal community", is how I
rather see it. Just the mere existence of this initiative indicates that
there is a lot of undone work in this area. Before this work has been done
(and is published NB), the outcome is really wide open to speculation.
My "guess" FWIW, is that this initiative will come to the same conclusions
as most others who have been faced with the daunting task of defining "a
scalable and secure architecture for information exchange and
collaboration" (my wording).
http://cio.nist.gov/esd/emaildir/lists/pki-twg/msg00487.html
In such an architecture you have the tools needed for dealing with things like:
http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf
http://w1.181.telia.com/~u18116613/A.R.AppliedPKI-Lesson-2.pdf
(the e-purchasing scenario can in fact be mapped to most health related
tasks as well, including "e-prescriptions")
In such an architecture client certificates will still have an important
role to play but they no longer necessarily:
- Secure "the outer envelope" for org-to-org messages
- Have to be trusted outside of your own organization
Such an architecture would also be natural to augment with an on-line
signature standard which in itself is a major task. Even so-called
"trivial" issues stir up major debates and controversies:
http://web.telia.com/~u18116613/WASP-appnote-1-SignatureVerificationAndMultipleSignatures.pdf
FPKI will surely survive but may in the future perform other services,
here thinking of issuance of "agency-only certificates" that probably will
secure "the outer envelope". Some members of the mentioned industry
consortium though push the idea of using "application certificates", for
reasons that seem unclear at best. This is indeed truly virgin territory!
It is even possible that the Federal Bridge CA long term will be replaced
by a single-root Federal PKI, as an agency-signature-scheme reduces the need
for having "affiliation" in a federal identity certificate. It should be
enough to have a neutral federal identity issued according to a certain
policy.
This is a more cost-effective solution that though requires that we live
in an on-line world. Although affiliation is commonly put in certificates,
it was IMHO never a particularly good idea, as it says nothing about
"authority". Authority and similar attribute data is more or less "for
free" using on-line approaches like SAML as well as using local directories.
Although few are aware of this, the on-line paradigm will most likely also
impact schemes like FIPS201/PIV.
I would characterize such changes as "evolutionary", or "revolutionary"
depending on which time-frame they would occur in.
Anders Rundgren
Senior PKI Architect
working for a major computer security company
Disclaimer:
This is my personal opinion, not to be associated with my employer
PS. That this letter only referenced things that I have authored is not
due to an extravagant ego, but due to the unavailability of other documents
describing PKI in conjunction with common applications. DS.
-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Wednesday, January 26, 2005 3:46 PM
To: Multiple recipients of list
Subject: National Health Technology Standards Corporation
http://news.com.com/High-tech+alliance+for+digital+health+network/2100-1028_3-5550628.html?tag=nefd.top
If this is for real, it could have a rather profound effect on FPKI, as it
seems that they are trying to create an architecture and information
network which of course must be built on a secure foundation.
If this consortium succeeds in creating a working architecture for
healthcare, they have "fixed the rest as well" as it seems that healthcare
comprises practically all security, privacy and legal issues one could
imagine.
Anders Rundgren