MIT's use of PKI in external processes
- Subject: MIT's use of PKI in external processes
- From: "Anders Rundgren" <anders.rundgren@telia.com>
- Date: Mon, 7 Feb 2005 22:00:55 +0100

Related to the somewhat heated discussions regarding the viability of the FPKI
architecture, I would like to describe how another early adopter of PKI and
prestigious US institution uses PKI in an e-purchasing application called ECAT
(that is connected to MIT's SAP business system).

1. Login to external seller site:

1a. Uses the MIT ID (certificate) giving full ID to seller site.

1b. Seller in turn is not interested in who is knocking on their door (as
they don't know all MIT people and never will), and therefore simply skips
the client certificate altogether except verifying that it belongs to the MIT root.
Formula: MIT root = authorized MIT user.

1c. ECAT user attributes POSTed during login can be faked by the user with
"Notepad" as login data is unsigned.

2. User signing of purchase orders (in ECAT):

Of course not, browsers can't sign, didn't you know that?
(And if they could, SAP would puke on it as no business system
worth mentioning supports "passthrough" of client signatures)

3. SAP signing of outgoing orders:

None. However they do SSL client-auth using their web-server cert.

If anybody thought that we are ready with PKI, I hope you realize that we
have hardly begun yet..

Anders Rundgren
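
Added example, not part of the original message and not ECAT's or the seller's code: one way the seller could detect the edited login data described in 1c and tie the attributes to the client certificate presented in 1a/1b. The field names, the shared key and the use of HMAC as a stand-in for a signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: ECAT and the seller share this key out of band (constructed value).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _mac(key, payload):
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_login(attrs, cert_fingerprint, issued_at, key=SHARED_KEY):
    """ECAT side: build the form fields POSTed to the seller."""
    body = dict(attrs, cert_sha256=cert_fingerprint, issued_at=issued_at)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"payload": payload, "mac": _mac(key, payload)}


def verify_login(form, presented_fingerprint, now, key=SHARED_KEY, max_age=300):
    """Seller side: return the verified attributes, or raise ValueError."""
    payload, mac = form.get("payload", ""), form.get("mac", "")
    if not hmac.compare_digest(_mac(key, payload).encode(), mac.encode()):
        raise ValueError("attributes were modified or not issued by ECAT")
    body = json.loads(payload)
    if body["cert_sha256"] != presented_fingerprint:
        raise ValueError("attributes bound to a different client certificate")
    if not 0 <= now - body["issued_at"] <= max_age:
        raise ValueError("login data is stale")
    return body


def demo():
    fp = hashlib.sha256(b"constructed DER bytes of a client cert").hexdigest()
    form = sign_login({"user": "jdoe", "cost_center": "1234", "limit": 500}, fp, 1000)
    results = {"genuine": verify_login(form, fp, 1060)["limit"]}
    # The user edits the POSTed data (the "Notepad" case) and raises the limit.
    edited = dict(form, payload=form["payload"].replace('"limit":500', '"limit":50000'))
    for name, args in {"edited": (edited, fp, 1060), "stale": (form, fp, 5000),
                       "other_cert": (form, "00" * 32, 1060)}.items():
        try:
            verify_login(*args)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The seller still has to validate the client certificate chain itself; this check only covers the attributes that travel in the POST.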