Re: Signing e-Invoices using (F)PKI
Anders,
I am not aware of any guidance or regulation that requires electronic
invoices be signed by an individual (much less that we should hire
additional people to do the job). In fact, some of the most
successful government electronic signature applications have used the
"system signer" approach, where a server uses a key pair
associated with the device to sign transactions on behalf of the
users. In addition to the sorts of applications you are describing,
this is a particularly attractive technique for PKI-enabling legacy
applications in general.
While the Federal gov't has made the determination that having key pairs
associated with individuals is necessary, that does not mean we
believe it is necessary for every application!
Tim
At 07:20 AM 4/25/2006 -0400, Anders Rundgren wrote:
Currently most Telecom operators and Electricity companies generate and print out
paper-invoices in fully automated processes. Only the actual
delivery by snail-mail involves humans.
Now, let's assume that these parties would turn
to e-invoices and PKI, how would you expect these invoices to be
signed? There are two variants:
- Like the US Government and the Germans suggest: Companies hire
additional employees that, equipped with smart cards, sign individual
invoices. Actually the Germans are ahead of the US since they now
have a technical apparatus that lets a single user sign with a dozen
smart cards. This way they reduced the need for additional staff
by some 90%.
- The invoicing companies simply modify their backend systems to
automatically "sign" (instead of "print") on behalf
of the organization using a $500/Y Gateway PKI certificate[*], issued by
a major TTP.
I don't think that the commercial enterprises
have any major problem selecting a method. Since Gateway PKI also
scales trust-wise at least 100 times better than enterprise-PKI,
receivers will experience few problems with unknown trust
anchors.
Anders Rundgren
[*] A certificate which identifies an
organization and nothing else.