Re: Signing e-Invoices using (F)PKI

["Anders Rundgren" <anders.rundgren@telia.com>]

Hi Tim,

Let me comment on this a bit...

 

"In fact, some of the most successful government electronic signature applications have used the "system signer" approach, where a server uses a key pair associated with the device to sign transactions on behalf of the users"

 

This statement of yours surprises me in several ways.  It has never been mentioned or acknowledged in this list (or in the PKIX list for that matter), in spite of me raising this issue numerous times.

 

"In addition to the sorts of applications you are describing, this is a particularly attractive technique for PKI-enabling legacy applications in general".

 

---

The fact is, that this approach is the only field-proven, implementable, and documented way to support integrated organization-to-organization work-flow applications.

---

 

Although politically incorrect, I would also like to add that this approach eliminates the need for Bridge CAs for all purposes but secure e-mail.  Due to that I expect the FBCA to be rather lone in five years or so, the rest of the world will likely turn to GW-PKI which is 2-3 magnitudes cheaper, while still offering many times more functionality!

 

Note that there are no conflicts between PIV and GW-PKI, they very nicely complement each other. The latter also allows you to securely communicate with organizations that have not yet committed to client-side PKI.  Although DKIM is currently not at GW-PKI level standards, it is still very much pointing in the same direction.

 

Anders

 

 

----- Original Message -----

From: Tim Polk

To: anders.rundgren@telia.com ; Multiple recipients of list

Sent: Tuesday, April 25, 2006 23:23

Subject: Re: Signing e-Invoices using (F)PKI

Anders,

I am not aware of any guidance or regulation that requires electronic invoices be signed by an individual (much less that we should hire additional people to do the job.)  In fact, some of the most successful government electronic signature applications have used the "system signer" approach, where a server uses a key pair associated with the device to sign transactions on behalf of the users.  In addition to the sorts of applications you are describing, this is a particularly attractive technique for PKI-enabling legacy applications in general.

While the Federal gov't has made the determination that having key pairs associated with individuals is necessary, that  does not mean we believe it is necessary for every application!

Tim

At 07:20 AM 4/25/2006 -0400, Anders Rundgren wrote:

Currently most Telcom operators and Electricity companies generate and print out paper-invoices in fully automated processes.  Only the actual delivery of by snail-mail involves humans.
 
Now, lets assume that these parties would turn to e-invoices and PKI, how would you expect these invoices to be signed?  There are two variants:

• Like the US Government and the Germans suggest: Companies hire additional employees that equipped with smart cards, sign individual invoices.  Actually the Germans are ahead of the US since they now have a technical apparatus that lets a single user sign with a dozen smart cards.  This way they reduced the need for additional staff with some 90%.

• The invoicing companies simply modify their backend systems to automatically "sign" (instead of "print") on behalf of the organization using a $500/Y Gateway PKI certificate[*], issued by a major TTP.

 
I don't think that the commercial enterprises have any major problem of selecting method.  Since Gateway PKI also scales trust-wise at least 100 times better than enterprise-PKI, receivers will experience few problems with unknown trust anchors.
 
 
Anders Rundgren
 
*] A certificate which identifies an organization and nothing else.