Re: Swedish e-sign solutions - Skipping WYSIWYS
- Subject: Re: Swedish e-sign solutions - Skipping WYSIWYS
- From: "Anders Rundgren" <anders.rundgren@telia.com>
- Date: Sat, 12 Feb 2005 16:18:05 +0100
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset="UTF-8"
- References: <3219316.1108217951829.JavaMail.root@amos>
Andrew, it is good to get feedback!
There is a problem with all C2G stuff and that is how to share costs
between authorities for things that are to be used by citizens even
if we are only talking about a few dollars per user. Sweden has
more than 10% of the adult population using e-signatures on
a frequent basis so I guess our authorities are rather sensitive
about prices.
Regarding standards I maintain: There are no standards in this
area including _all_ aspects of an on-line e-sign scenario:
1. Invocation of the signature client software by an on-line service
2. Signature request format/method
3. User view format
4. Signed data format (a profile of some kind)
5. Multiple signature handling
6. Local signature validation
I'm sure PureEdge has reasonable solutions to these questions
but to call them standard is not entirely correct.
Personally I believe the consumer market could live with a rather
unsophisticated scheme. However, that does not include leaving
out WYSIWYS.
A complication with most European PKI efforts is that they have
ruled out using Windows CSP as they feel it is inferior and unfortunately
they are to some extent right. Microsoft has never paid much attention
to the European PKI market as this market is 90% consumer-oriented
unlike in their home-market the US, where PKI is an "internal affair".
These markets are currently very different. Personally I believe that the
consumer-market is more interesting as it is much harder (challenging)
to combine security, mobility, low cost, and low competence (!). The US
federal PIV users will find that they will be stuck on the mobility issue
as the European consumers will follow an entirely different path. That is,
PIV users will only be able to use their card within the federal walls,
hardly ever outside of them. OTOH the main motive behind PIV seems
to be fighting terrorism, not to enable new services.
Coming back to the original issue, that means that European e-sign efforts
will, until this flaw is corrected, be forced to use local solutions.
regards
Anders Rundgren
----- Original Message -----
From: <andrew.ferguson@eb2bcom.com>
To: <anders.rundgren@telia.com>; <pki-twg@nist.gov>
Sent: Saturday, February 12, 2005 15:19
Subject: Re: Swedish e-sign solutions - Skipping WYSIWYS
Hi Anders and list, I must beg to differ on three points. One is the statement
that there is no client software that does this properly and secondly that
if there is it is far too costly to roll out on a citizen only market as well
as being proprietary. I believe you are wrong on three counts. One such software
does exist - Pure Edge 8x Commerce from a very smart Canadian company called
PureEdge. Secondly, the PureEdge software is completely XML standards based;
thirdly, they have a pricing mechanism which allows it to be rolled out extremely
effectively for Government to Citizen applications - For instance look at
the US eGrants system and the SEC solution. PureEdge also fully supports
PKI.
My company sells PureEdge into the Australian and SE Asia markets.
Andrew Ferguson
Director eB2Bcom (Asia Pacific) Pte Ltd
----Original Message----
From: anders.rundgren@telia.com
Date: 13/02/2005 00:27:44
To: Multiple recipients of list <pki-twg@nist.gov>
Subj: Swedish e-sign solutions - Skipping WYSIWYS
Dear list;
You may be interested in knowing how the Swedish tax authorities
look on e-signing.
Since their information system backend wants signed XML, they
in their on-line apps show the user, in an ordinary browser window,
an HTML view of the transaction in progress, and then let the signature
app. sign the XML, which they don't show to the user as it is unintelligible.
They claim that What You See Is What You Sign (WYSIWYS) does
not work[*] and is unnecessary as they believe users trust the authorities.
What they did not consider is that download is not always that perfect
and that a user may forget what he or she did. Without a proof it is a
little bit hard to claim that somebody did this or did that in case of
doubt.
Anders Rundgren
*) There is no client software that does this properly. And if there is, it
costs far too much to roll out on a citizen-market as well as being
proprietary.
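The scheme described above signs XML the user never sees, so in a later dispute nothing proves what the user was actually shown. One way to keep that proof while still giving the backend its signed XML, as an added example that is not from this thread or from any product named in it: sign a manifest that binds the digest of the XML to the digest of the HTML view, so a verifier must be shown both. HMAC stands in for the citizen's PKI signature, and all data, key and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the thread): the XML the backend
# wants signed, and the HTML view the user actually sees in the browser.
XML_TRANSACTION = b"<tax><taxpayer>19700101-1234</taxpayer><amount>1200</amount></tax>"
HTML_VIEW = b"<p>Taxpayer 19700101-1234 pays 1200 SEK</p>"

# Placeholder key; a real deployment uses the citizen's PKI key pair.
SIGNING_KEY = b"demo-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_with_view(xml: bytes, html_view: bytes, key: bytes) -> dict:
    """Sign a manifest covering BOTH the XML payload and the HTML the user
    was shown. HMAC-SHA256 is an assumption standing in for a PKI signature."""
    manifest = {
        "xml_digest": sha256_hex(xml),
        "view_digest": sha256_hex(html_view),
        "view_media_type": "text/html",
    }
    signature = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def verify_with_view(signed: dict, xml: bytes, html_view: bytes, key: bytes) -> bool:
    """Accept only if the signature is valid AND the presented XML and the
    archived HTML view both match the digests that were signed."""
    expected = hmac.new(key, canonical_bytes(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False
    m = signed["manifest"]
    return (hmac.compare_digest(m["xml_digest"], sha256_hex(xml))
            and hmac.compare_digest(m["view_digest"], sha256_hex(html_view)))


if __name__ == "__main__":
    signed = sign_with_view(XML_TRANSACTION, HTML_VIEW, SIGNING_KEY)
    print(verify_with_view(signed, XML_TRANSACTION, HTML_VIEW, SIGNING_KEY))
    # A view that no longer matches what was signed is rejected.
    print(verify_with_view(signed, XML_TRANSACTION, b"<p>different</p>", SIGNING_KEY))
```

Because the authority must archive the HTML view to verify, the view itself becomes the evidence the original message says is missing.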