The Bank-model Was: Employee Certificates - Security Issues
David,
No problem, here it is:
Using the time-proven Internet-bank model, clients (= employees)
get keys (some kind of...) to their accounts, but never ever the
"bank-keys", as the latter are exclusively used for _authorized_
inter-bank (= inter-organization) communication. I.e.
the latter "execute" on a secure server only.
The "bank model", which was from the earliest days (1700?)
heavily founded on accountability and security, has a long-term
_sustainability_ due to its "trust-center" foundation.
The bank-model allows arbitrarily complex authorization
messages as they are created on a server that can in a
single message pack signed authority documents from
various external authorities. This removes the need
for updating authorization data out-of-band as the
"payload" contains everything you need. Or could at least.
As purchase orders do not require personal signatures
to be honored, a procurement system simply "stamps"
outgoing purchase orders using the organization key.
It also means that it is impossible to create a valid
purchase order except by going through the procurement
system giving non-intrusive (invisible, as long as
you stick to the rules) archiving, user control,
privacy protection and a simple stable digital identity
to trading partners. The latter is extremely important
particularly given the pretty crude products currently
offered by commercial CAs.
A legally binding court verdict is likely to require a bit
more. A dual-signed message seems like a possibility.
Judge + Court where the court's authoritative
signature is at the outermost layer to be valid. Well, there
could be an additional TSA signature as well.
I just talked to a very experienced person from the
Swedish health-sector who claimed that this model is
_exactly_ what they are thinking of. Regarding privacy
he had noticed that even badges nowadays have been
privacy-enhanced by having no SSNs and just
"John D, M.D." as clients could harass staff.
A document is in preparation based on the feedback
gathered in many discussions including those on
this list. Stay tuned!
cheers,
Anders
----- Original Message -----
From: "David Maurus" <lists@xxxxxxxxxx>
To: <ietf-pkix@xxxxxxx>
Sent: Tuesday, October 08, 2002 19:50
Subject: Re: Employee Certificates - Security Issues
[forgot to copy the list, so here again:]
Anders,
Anders Rundgren wrote:
> Actually I would be extremely happy if someone else wrote
> how a simple thing like a purchase order should be handled
> in a classical enterprise-PKI, including possible business
> systems. Without such a description this entire thread
> becomes both unintelligible and pretty boring.
>
As most people on this list probably have a vision of how a purchase
order in the context of a classical enterprise-PKI would work, I think
it would also help to increase the value of this thread if you would
describe what you mean exactly by the term "Internet-bank model",
especially in the context of PKI and signatures.
How would a purchase order work in your non-classical
"Internet-bank-model"-PKI?
- David