Re: Legal entities who sign
Thanx for your comments Jimi, Adrian, Lynn and Raffaello.

My [long-winded] response is probably a bit "orthogonal" as
the question from _my_ point of view is really how to "map" the
de-facto standard since 20-30 years back, for sending common
e-business documents like purchase orders and invoices between
companies, into PKI.  The de-facto standard consists of leased
lines, shared secrets, VPNs, and EDI partner IDs.

BEFORE the advent of PKI, legal issues in _this_ context (with
respect to repudiation of sent documents), were not perceived as
a problem.  The same goes for authorization as the general feeling
is that business documents that "look authentic", are also assumed
to be "authorized", regardless of whether the "signature" is an almost
unreadable figure on paper, or just a well-known e-mail address.

TRUST in the sense that you trust your business partners for
"executing" (paying, shipping, selling etc) is, and will _continue_
to be the major business issue.  PKI doesn't change this.

The PROBLEM: To go from current "crude-but-working" solutions,
to not very well understood PKI-structures depending on a multitude
of CAs and layered external authorization-schemes requires a
_major_ rewrite of all business systems, including support for
entirely new and _extremely_awkward_ business (?)-processes like
add external CA-root, renew external CA-root, set up certificate
mapping scheme, add external user, remove external user, etc.
My "gut-feeling" tells me this will never happen on a grand scale.

======================================================
- TTP-issued Legal-entity-only-certificates OTOH, simply extend current
  schemes while adding considerable technical strength and trust.

- Properly applied, such certificates can also enable _globally_working_
  message-based "VPNs", costing FRACTIONS of current alternatives.

- Legal-entity-only signed messages allow adding arbitrarily sophisticated
  authorization data as message _payload_, when and if such data is needed
  and agreed upon, in effect offering a virtually unlimited path to the future.

- Legal-entity-only-certificates do not depend on X.500-directories, neither
  internally nor externally.  An organization may optionally "publish" such a
  certificate on their home-page.

- And then addressing much, much more, including Web Services, privacy,
  archiving, on-line authorization control, client-side PKI independence,
  interoperability, system protection, SAML, etc. etc...
======================================================

               So WHERE do we (the PKI community), go from here?

It's ALIVE!

Although I am moderately impressed with PKI-activities going on
in Sweden, I note with great satisfaction that the Swedish authorities
apparently plan to communicate through nodes equipped with the
authorities' "stamp-certificates".  Using https and XML BTW.

Due to the fact that globally operating CAs, including VeriSign, Identrus,
and GlobalSign, do not yet even seem to understand the "concept" of
legal-entity-only-certificates, the "stamp-certificates" will be
produced by the Swedish Post Office.

Best Regards
Anders Rundgren
Senior e-Commerce Architect