Carl,
I appreciate the reply. I suspect that a great many potential
users are in approximately the same shape, as far as trying
to bring up PEM and use it as it was originally intended, i.e.,
with a complete key management infrastructure.
I would expect that many (potential) corporate users would
fall into three or four categories that are similar to those you
mentioned:
1. Casual use for personal e-mail privacy between coworkers
and perhaps collegues outside the company. I suspect that
most companies will have relatively little interest in supporting
such uses, and in fact might even activel;y discourage
such use for fear of (1) carrying on unofficial business without
permission, perhaps even extending to fraud, etc., (2) disclosing
company proprietary data to outsiders without any means of
auditing what is going on, and (3) the possibility that the company
might become liable (or more liable) for something that was said
by an employee, just becasue it was digitally signed.
2. E-mail privacy for distributed/cooperative engineering efforts.
I will include progress reports and other management information
in this category. Given that security has always been a pretty hard
sell, this may be difficult to get across, even if there were no
cost or legal issues, just because of the interference with
"normal" processes.
3. E-mail privacy and authentication between engineering groups
and patent attorneys, etc. Of the lawyers I have talked to,
the Intellectual Property folks are by far the most conservative.
Their position is, "why risk compromising our position on a
potentially valuable patent through the adoption of a process
that is not yet proven?" In part, I tend to agree with them, at least
until we have established much better controls, audit procedures,
trusted time-stamps, etc.
4. I would add a fourth category that might be of some interest,
and that would be the use of digital signatures for internal purchase
orders, travel authorization and expense reports, for strictly
INTERNAL purposes.
I don't mean to dispair, but I am beginning to believe that setting
up the necessary infrastructure within an organization may be a
very difficult problem for most companies, given the fact that
digital signatures may and probably will have legal consequences
that are difficult to predict at present.
Clearly it will be necessary to build a business case that counter-
balances the various perceived risks, and also pays for the
administrative overhead of setting up a CA (or the equivalent
of an Organizational Notary, if a service such as RSA's is used to
co-issue certificates on behalf of a company.
Assuming that it is possible to generate at least a modicum of
interest within a company, and that at least one individual
such as yourself is willing to act as the technical champion,
what would you suggest that we do within the PEM community
in order to be more successful in installing and using PEM
and/or other digital signature implementations, such as AOCE?
In particular, would there be any merit in creating a PCA that is
the equivalent of a Persona PCA, for CORPORATE users?
My thought is that
1. Such a PCA would be set up to explicitly disavow any use
external or inter-company transactions, just to reduce the
risk factor and general nervousness. Havng said so wouldn't
change the fact of a signature, but it might reduce the risk
to be commensurate with an ordinary written signature.
2. Software that will allow the key of a specific individual, CA,
or PCA to be specified would permit the internal, intracompany
use of digital signatures by accepting the signature of the CA
whether or not the PCA signature can be validated.
Several other possibilities along the same lines would include the
deliberate use of an expired CA certificate, or the creation of an
internal-use-only PCA for a company that would not be connected
to the rest of the worldpublishing their public key, whether by
the IPRA or otherwise.
The proliferation of hundreds of islands of disconnected PCAs
would be regretable, but may be necessary if a common PCA
policy cannot be evolved that gets around the reluctance of
companies to commit the resources to setting up the "right"
public-key infrastructure.
Does anyone else have any thoughts has to how to jump-start
the process of getting PEM adopted for actual use? A worked
example of someone who has actually brought up such a system
would be very helpful. Any volunteers?
-------------------
With regard to your message concerning the use of "specialized"
certificates, or simply signed statements of fact or belief, I
agree that there are an infinite multitude of such statments that
are possible. Some may fall neatly into certain subject-matter
canonical forms, e.g., the work that ANSI X9F1 is doing to
develop a schema for digitally signed financial transactions.
I suppose that almost anything can be represented in ASN.1,
so I could imagine the International Society for Bald,
Pointy-Headed E-Mail Users might eventually standardize
your first certificate. But until that time, I expect such relationships
to be expressed in English or some other natural language, even
legaleze :-). That should not be a problem until we want to start
automating the relationship between such declarations and
various processes. But then authenticated scripts in Prolog, Rexx,
or procedural or nonprocedural languages would be very useful,
so that we can dispatch various knowledge robots to do our
bidding, with a signed Power of Attorney in hand to authorize their
actions.
Bob