Report on the
Birds-of-a-Feather Session
on
The PKI Challenge
At The Open Group Conference in Berlin
Tuesday 24 April 2001, 18.00-19.30


Contents

Background
Agenda
Speakers
    Russ Chung (American Eagle) on the EMA Federal Bridge Certificate Authority Project
    Dean Richardson (Boeing) on the EMA extension project on Certificate Interoperability
    Frederik Loeckx (Utimaco) on the EEMA's pkiC Project
    Alain Filee (Bull) on the EU TESI Project
    Ian Lloyd (The Open Group) on the EU TIE Project
    Robert Carolina (Tarlo Lyons) on Legal Issues for Cross-Border PKI Certificate Interoperability
Discussion


Background

eBusiness is growing rapidly, and forecasts are that it will cover 30-50% of all business transactions in less than 3 years. With this rapid growth comes increasing exposure to risk: of financial loss, of invasion of privacy, of loss of confidentiality, and so on.

Businesses are waiting with huge budgets to buy solutions that give acceptable levels of guarantee for secure end-to-end transactions over the Internet.

PKI is seen by many experts as a solution. Certificate Authorities (CAs) and Trusted Third Parties (TTPs) are the key players in this development.

The PKI Challenge is for security solution suppliers to deliver solutions that assure interoperability between certificates and PKI-enabled applications.

Agenda

This birds-of-a-feather session was arranged to enable members to hear the latest news from experts involved in the practical issues of PKI and certificate interoperability. The agenda comprised six speakers, summarised below, followed by open discussion.

Speakers

Russ Chung was one of the members of the EMA Federal Bridge Certificate Authority PKI Challenge project team. He gave a presentation (see slides) on their demonstration in Boston, USA, last year, of signed email exchanged across 7 CA domains. The bridging mechanism they used was the Federal Bridge Certificate Authority. The project was funded by the US government. Russ' slides present his summary of their activities and conclusions. In his "results" slide, the green squares represent successful exchanges. The main conclusions and lessons learned were that the Federal Bridge Certificate Authority system works, and that for PKI interoperability to succeed in a distributed environment across enterprises, directory interoperability is critical: a relying party can only build a path through the bridge if it can actually retrieve the cross-certificates from the directory.

Dean Richardson explained that he is part of a team contributing to the ongoing EMA PKI Challenge extension project. They aim to give a demonstration and production pilot showing CA interoperability in Austin in July 2001. We will be able to follow this at the next Open Group meeting in Austin, 16-20 July 2001.

Frederik Loeckx gave a short presentation (see slides) on EEMA's PKI Challenge (pkiC) project. He explained that EEMA is the European arm of the EMA. He noted that there are EMA organizations around the world covering continental regions, and all are affiliated to a World EMA (WEMA). Frederik's EEMA slide presentation gave a brief history of the main PKI interoperability events that have been ongoing since 1990. The current PKI Challenge has a core objective and a main differentiator, both described in his slides. He explained the scope of their interoperability study in the context of the PKI Challenge. Their current project kicked off at the end of January 2001. There are now 3 work packages underway, one of which is on marketing of their findings. They have found enormous interest from companies wanting to participate in this marketing work package, reflecting the very strong interest in the industry to see the results of this project, presumably so that they can be at the forefront in bringing practical product solutions for PKI certificate interoperability to the marketplace. Phase 1 of their project has good support from partnering companies, and Phase 2 seems to be attracting even more support. Further information is available from their Web site at http://www.ema.org/pki-challenge.

Alain Filee gave a presentation (see slides) on the work underway in the European Union sponsored TESI (Trusted European Security Infrastructure) project. It includes 14 partner companies. It uses CDSA (The Open Group's Common Data Security Architecture) as its core middleware, which is available as open source. The objective of TESI is to build a trusted secure application. Their Work Package 1 is on the TESI core middleware. Work Package 2 addresses TESI client workstation security. Work Package 3 is on the security of the TESI Internet servers, and Work Package 4 is on dissemination through trials and open sourcing of the TESI middleware. Further information is available from their Web site at http://www.tesiconsortium.org

Ian Lloyd gave a short presentation (see slides) on the work in the Trusted Infrastructure in Europe (TIE) project. The Open Group is providing facilitation services as well as doing the work on standards research. TIE has 8 work packages. It is due to close in July 2001, and the project is now well into its final Phase 3. The conclusions to date are that application interoperability is not easy, and 5 main inhibitors have been identified. These inhibitors are concerned with interoperability, the end user, the infrastructure, registration issues, legal liability, and legal recognition. His slides give more detail on each of these inhibitors. In summary, Ian noted that interesting conclusions have emerged and will almost certainly provide good pointers for the directions that future work should take.

Robert Carolina gave a presentation (see slides) that characterised the legal problems in cross-border interoperability for PKI-based security systems. Certificate Authority liability is the biggest legal challenge so far identified for open PKI: can a CA limit its liability to a third party, and what is the responsibility of the CA to a third party? The relevant European Union directive states that by summer 2001 there must be something in place in each EU country to address the liability of CAs to third parties. What happens when a CA, a signatory, and a relying third party are in different jurisdictions? Article 6 of the directive, he noted, recognizes a liability limit of 10,000 Euros, which need not be part of any written contract between the parties involved. After lively debate involving all present, Robert summarised his conclusions: that new laws on cross-border recognition issues are relatively weak, and that closed-contract PKI systems may be the best mechanism for rationalizing legal risk in the medium term.

Discussion

Further discussion ensued after all 6 speakers had concluded their presentations. Specific questions included the following.

Steve Mathews asked what happens if an application provider decides to cut out the Trusted Third Parties, ignores the legal problems and just makes their own closed system. Robert replied that taking this approach does not answer the problem, though it is one way to proceed. He foresaw that it will then be a matter of time, perhaps years, before a legal claim for damages arises from a failure of trust, at which time the issue will be tested in the applicable legal jurisdiction(s).

Stephanie Perrin noted that since this liability issue is seen as a very difficult legal problem, and so is a big risk in business terms, it would seem that interoperable certificates are unviable as a volume business, so why are we rushing to solve the PKI technical interoperability issues at this time? Robert replied that historically the legal issues have nearly always lagged behind technological innovation, so people continue to accept the risk on the basis that lawsuits will be resolved eventually; meanwhile technical innovators in business will go ahead and hope to make money today, and will continue doing so until something causes them to face losing money.

Stephanie Perrin and Frederik Loeckx noted that these technical issues are complicated enough for software technologists to understand, and so questioned whether it is reasonable to expect judges and lawyers to understand the subject sufficiently to produce sensible legal judgements and laws. Robert felt that it is the responsibility of lawyers to present the case clearly; if a bad judgement comes out, then he considers that the responsibility for the failure falls on the lawyers involved. This comes down to a cross-disciplinary issue, and there are numerous examples of practising lawyers who are also expert in specific technology areas.

Juergen Schell asked about S/MIME and PGP encryption for providing trust, because they seem to enjoy the trust of the people who use them. It was agreed that trust is greatly helped by personal knowledge and experience of the party you have a business need to trust, and that the vast majority of trade in the world today is based on this type of personal trust relationship. In a closed environment it is possible to work at this level, but in an open global trading environment S/MIME and PGP do not satisfy any criterion for adequate open-systems trust.

Xavier Criel asked whether we believe PKI is as scalable as we really think it is, bearing in mind the numerous significant transactions that each use of a certificate seems to generate. This question raised associated queries on whether use of digital certificates can be handled in a similar way to checking the valid use of a credit card. No authoritative conclusions were offered on this question, though it was agreed that it is an interesting issue.

Dennis Taylor asked whether revocation is also a show-stopper for PKI, since we all seem to agree that we have no acceptable interoperable solution for making revocation of certificates a working reality at the present time. As with the earlier question on scalability, it is a question for which there appears to be no satisfactory answer at this time. Nevertheless, it is almost certain that business innovators will go ahead despite the lack of adequate security schemes, the only inhibitor being the reality that they would lose money if they continued.
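The bridge-CA result Russ Chung reported and the revocation question raised here concern the same mechanics: a relying party in one domain has to discover a certification path through the bridge, which it can only do if the directory actually serves the cross-certificates, and it then has to check every certificate on that path against a revocation list it can actually reach. The Python below is an illustration added to this report, not code from the Federal Bridge project or from any of the projects presented at the session. The CA names (CA-A, FBCA, CA-B, bob@b), serial numbers, validity periods and CRL contents are constructed for the example, and the RSA keys are deliberately tiny toy keys so that it runs offline with the standard library; nothing here is a real participant or a real key.

```python
"""Bridge-CA certification path discovery and validation (stdlib only, toy RSA)."""
import hashlib
import random
from collections import deque
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

E = 65537  # public exponent shared by all toy keys

def _is_prime(n):
    if n < 2 or n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def toy_keypair(seed):
    """Deterministic ~40-bit RSA keypair: NOT secure, just enough for real signatures."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.randrange(1 << 20, 1 << 21) | 1
        if _is_prime(p) and (p - 1) % E != 0 and p not in primes:
            primes.append(p)
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private); needs Python 3.8+

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: tuple
    not_before: datetime
    not_after: datetime
    signature: int = 0

    def tbs(self):  # to-be-signed bytes: every field except the signature
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.pubkey}|{self.not_before}|{self.not_after}".encode()

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_before, not_after):
    unsigned = Cert(subject, issuer, serial, subject_pub, not_before, not_after)
    n, d = issuer_priv
    return replace(unsigned, signature=pow(_digest(unsigned.tbs(), n), d, n))

def verify_sig(cert, issuer_pub):
    n, e = issuer_pub
    return pow(cert.signature, e, n) == _digest(cert.tbs(), n)

def build_path(target, anchor, directory):
    """Breadth-first search from the target up its issuer chain. `directory` maps a subject
    name to the certificates issued TO that subject (like an LDAP cACertificate attribute).
    Each link is signature-checked as it is found; the `cand not in path` test breaks the
    cycle that bridge cross-certificate pairs create. Returns anchor-first list or None."""
    queue = deque([[target]])
    while queue:
        path = queue.popleft()
        top = path[-1]
        if top.issuer == anchor.subject:
            if verify_sig(top, anchor.pubkey):
                return [anchor] + path[::-1]
            continue
        for cand in directory.get(top.issuer, []):
            if cand not in path and verify_sig(top, cand.pubkey):
                queue.append(path + [cand])
    return None  # issuer certificate not retrievable: the directory gap the FBCA team found

def validate_path(path, crls, now):
    """Validity-period and revocation checks for every certificate below the anchor.
    A CRL that cannot be reached is a failure, never 'not revoked'."""
    for cert in path[1:]:
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"{cert.subject}: no CRL reachable for issuer {cert.issuer}"
        if cert.serial in crl:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
    return True, "path valid"

# --- constructed scenario: assumed names, not real FBCA participants ---
T0, YEAR = datetime(2001, 4, 24), timedelta(days=365)
KEYS = {name: toy_keypair(i) for i, name in enumerate(["CA-A", "FBCA", "CA-B", "bob@b"])}
PUB = {k: v[0] for k, v in KEYS.items()}
PRIV = {k: v[1] for k, v in KEYS.items()}

def cert(issuer, subject, serial):
    return issue(issuer, PRIV[issuer], subject, PUB[subject], serial, T0, T0 + 3 * YEAR)

ANCHOR = cert("CA-A", "CA-A", 1)  # relying party's own domain root, self-signed
DIRECTORY = {  # bridge cross-certified by both domain CAs and certifying them back
    "FBCA": [cert("CA-A", "FBCA", 10), cert("CA-B", "FBCA", 20)],
    "CA-A": [ANCHOR, cert("FBCA", "CA-A", 11)],
    "CA-B": [cert("FBCA", "CA-B", 21)],
}
BOB = cert("CA-B", "bob@b", 100)  # end entity in the other domain
FORGED = issue("CA-B", toy_keypair(99)[1], "bob@b", PUB["bob@b"], 101, T0, T0 + YEAR)
CRLS = {"CA-A": set(), "FBCA": set(), "CA-B": set()}  # issuer -> revoked serials

def check(target=BOB, crls=CRLS, now=T0 + YEAR, directory=DIRECTORY):
    path = build_path(target, ANCHOR, directory)
    if path is None:
        return False, "no certification path to trust anchor"
    return validate_path(path, crls, now)

if __name__ == "__main__":
    print(check())
    print(check(crls={**CRLS, "CA-B": {100}}))
    print(check(crls={"CA-A": set(), "FBCA": set()}))
    print(check(directory={"CA-B": DIRECTORY["CA-B"]}))
```

Run as a script it shows four outcomes: a valid path CA-A to FBCA to CA-B to bob@b; the same path rejected once CA-B's CRL lists Bob's serial; rejected again when no CRL for CA-B is reachable, because a missing CRL must never be read as "not revoked"; and no path at all when the directory does not serve the bridge's cross-certificates, which is the directory-interoperability failure the Federal Bridge demonstration identified. A certificate signed by a key the bridge never certified (FORGED) likewise yields no path, since every link is signature-checked during discovery.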

This enthusiastic BoF debate on the PKI Challenge was brought to a close after 110 minutes.