"Peter Tomlinson" <[EMAIL PROTECTED]> wrote:

>Isn't it time to move from signing in a totally insecure software
>environment (as are most PCs in the world)?

The problem is that the card has no display. To rely on the broad acceptance of FINREAD is essentially equivalent to holding back e-government services for some 10 years or so. I do believe that it is possible to protect the OS in a shorter timeframe than that. In the meantime we have to live with what we got at hand.

To perform crypto inside the card is of course both possible and definitely a part of my plot (although the "card" will in my view be an integral part of a mobile device rather than a credit-card-sized thing).

My request for a standards effort has been acknowledged by DoD, Boeing, RSA, and Microsoft so there might be something even in the works before year-end.

>CEN/ISSS signature CWAs have been listed in the
>Official Journal as officially recognised specifications -
>but they relate to signing with smart cards (and there IS
>work being done on secure terminal devices to handle
>both the online transaction and the hashing before signing
>with the smart card).

Talking about CEN/ISSS, the following may be of interest...

----- Original Message -----
From: "Ketchell John" <[EMAIL PROTECTED]>
To: "Anders Rundgren" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 30, 2003 11:37
Subject: RE: Final report of the e-invoicing Focus Group

Anders

Let's do this in Europe, in CEN/ISSS...

Despite the scepticism that is sometimes expressed about our limited European efforts, I think we are beginning to find understanding that the much-vaunted global consortia do not get their act together enough. Either they too are populated by nerds, or by IPR lawyers arguing amongst themselves. The end-user and the European voice are often non-existent. In private at least, many IT vendor companies are sharing this view - the cost to them of the "system" at a time of recession is too great.

If we can get a reasonable critical mass of market players together, including obviously some public authorities, all we need is a Business Plan for the activity, and some funding - we're a lot cheaper than consortia anyway. We can work as quickly as consortia do (sometimes quicker) and THEN project the results at global level wherever is necessary. As one current example, we just started a much-needed e-business classification project with the full support of all the main global players in this domain.

Over to you.

Best regards

John Ketchell
Director, CEN/ISSS - Information Society Standardization System
URL: http://www.cenorm.be/isss
Rue de Stassart, 36
B-1050 Brussels
Belgium
email (direct) [EMAIL PROTECTED]
email (secretariat) [EMAIL PROTECTED]
Tel (direct) + 32 2 550 08 46
Tel (secretariat) + 32 2 550 08 13
Fax + 32 2 550 09 66
Tel (GSM) +32 475 594 828

-----Original Message-----
From: einvoicing List ISSS - CENORM created 22 October 2002 [mailto:[EMAIL PROTECTED] On Behalf Of Anders Rundgren
Sent: Wednesday, October 29, 2003 9:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Final report of the e-invoicing Focus Group

When talking about "signed" invoices, I could not resist copying the results gathered from the IETF-PKIX, IETF-SMIME, and the OASIS PKI-TC lists regarding the current state of standards in this area:

=====================================================
There are apparently no standards and nothing in the works either
with respect to signing on-line data on the web using Internet browsers.
=====================================================

Since web-signing is today [*] used by many, many, more people and organizations than there are users of signed e-mail, I remain puzzled.

Is the PKI community really just a bunch of "nerds", mostly out of touch with the needs of the market?

And what good is a legal framework like the EU signature directive, intended to address "legal interoperability" if there is no interoperability in the technical solutions?

"The truth is [still] out there" to travesty a famous TV series.

However, my request spurred quite a lot of interest, so I believe that web-signing really is a thing that finally will be standardized. The question is more by whom, as the major interest is really coming from the public sector, not from commercial entities like banks, that rather protect their investments in proprietary solutions.

I personally plan to pursue such a task in W3C or in OASIS in case somebody is interested.

*] Like Scandinavian banks having > 0.5M of users. All current systems rely on entirely proprietary mechanisms. Most of the vendors even require NDAs for getting the documentation.

Anders Rundgren

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
