|Subject:||Re: [egov] Authentication to e-Government services|
|From:||David RR Webber (dav...@drrw.info)|
|Date:||Nov 2, 2003 7:26:24 am|
Has any effort been done to develop an EU standard?
Maybe a joint research project between EU, NIST and NTT would be the way to go on this?
----- Original Message ----- From: "Anders Rundgren" <ande...@telia.com> To: <eg...@lists.oasis-open.org> Sent: Sunday, November 02, 2003 6:34 AM Subject: [egov] Authentication to e-Government services
As authentication of citizens is a primary function of most e-Government systems, I thought that the following might be of some interest.
Web (browser) PKI Standards - A study
I have on behalf of a client, taken the liberty to investigate the state of client-side PKI support in web-browsers with respect to standards and interoperability. There were several reasons for performing this study, and a major such was that we have found that none of the pretty large Nordic e-government initiatives and on-line banks, actually use the browsers' built-in client-side PKI mechanisms at all, most of them rather rely on Java applets developed by various ISVs. The reason for this is very obvious:
============================================= Practically every piece of client-side Web-PKI, ranging from on-line certification support to on-line (web-form) signing, is currently entirely vendor-dependent =============================================
Some people point to Microsoft and Netscape and maintain that this situation is "their fault". I believe this explanation is far too simplistic. Here is another analysis for what it is worth:
1) The SW industry supplying basic technology such as operating systems and browsers, is entirely dominated by US companies. However, the US is also severely lagging with respect to the usage of PKI which probably is taken as a sign by these SW vendors that "there is no market for PKI".
2) The financial sector in Europe and Asia were the first to take advantage of large-scale usage of client-side PKI and digital signatures. However, the very same financial sector has also demonstrated marginal interest in participating in the development of standards that "anybody" could use.
3) The public sector is the second largest user of PKI (here again looking at Europe and Asia), but seems generally lacking a "voice" in the few organizations that actually "set the standards". It is rather the opposite, the public sector appears to be heavily dependent on external consultants that usually also have strong ties to certain vendors and their working, but unfortunately mostly proprietary solutions.
Assuming that there will be billions of users of Web-PKI in a few years from now (here adding the crowd likely to use "The Mobile Internet"), it seems that there are quite a few things that need to be fixed.
Regards Anders Rundgren Independent Consultant, PKI and e-business + 46 70 627 74 37 (on CET)
To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/egov/members/leave_workgroup.php.