FPKI policy mapping. Was: e-Health: Putting the Gateway PKI at work



Peter,

 "And we are ahead of the game when it comes to
  exploring interdomain PKI interoperability, its implications and its tools.
  Nobody does more or better policy mapping than we do"

That is true.  However, policy mapping and PKI domain interoperability are actually
a necessity implied by the FPKI architecture itself.

Using the Gateway PKI, client security solutions (and thus policies) hardly ever
meet.  That is, one hospital may use SecurID and another may use PKI but through
the Gateway PKI they will be able to securely communicate anyway. As long as the
different parties conform to the regulations valid for their particular activity,
there is no problem to solve.  As such regulations (here thinking of the health
care sector) cover numerous other things besides strong authentication, I don't
think that certificate policy mapping really adds anything but delays, confusion,
and possible disagreements.

Using a Gateway PKI there are no directory schemes to normalize (and agree on) either.

This is exactly how the banking industry made it possible to transact globally
in a secure manner, by *separating* client security from the transaction networks.
As far as I can see, this scheme is the most time-proven "interop" scheme there is.

In my opinion the FPKI external advisers have led the project towards a black hole
of costs and self-implied interoperability and scalability issues.

Sincerely
Anders Rundgren





