*PKI Labs Conference Call*
October 7, 2002
*Attendees*
Neal McBurnett (convener) - Internet2
Sean Smith - Dartmouth
Eric Norman - Wisconsin
Carl Ellison - Intel
Ben Chinowsky (scribe) - Internet2
*Discussion*
The 2nd Annual PKI Research Workshop now has a web page: http://middleware.internet2.edu/pki03/.
Sean noted that he's going to Zurich for ESORICS 2002 (www.zurich.ibm.com/~gka/Esorics/) to present a paper (www.cs.dartmouth.edu/~sws/papers/esorics02.pdf) on the outbound authentication problem, or "how to design a system that allows diverse relying parties to draw the conclusions they should." Ueli Maurer and David Chaum will also be presenting in Zurich.
Sean is continuing his investigation of security holes in Microsoft Word (www.cs.dartmouth.edu/~sws/word/); he noted that "a central problem of information infrastructures is that the dominant tools are not secure, largely because it's not clear what they're supposed to do in the first place." Sean is interested in exploring the roots of this problem -- is it specific to Microsoft, or is it inherent in mass-market applications, implying that, e.g., StarOffice will have similar issues once it gets big enough? -- and is looking for someone to work with on a paper establishing metrics in this area. Sean's student Kunal Kain recently presented related work (www.cs.dartmouth.edu/~sws/papers/cms02.pdf), and SANS has just published an updated Top 20 list of security vulnerabilities (www.sans.org/top20/#index).
Carl called the group's attention to www.dis.anl.gov/is/IS_PKI.html, which notes the phenomenon of "shelfware": "It is estimated that 50% of PKI product purchases have become 'shelfware' or underdeployed because system administrators cannot figure out how to make the products work." The page gives Anish Bhimani's "PKI: Be Careful What You Wish For" as the source of this estimate; Bhimani's article is available at www.infosecuritymag.com/articles/may00/cover.shtml.
Eric noted that he's reviewing a draft document that asks an interesting question about PKI and e-commerce: where are the receipts? Eric suggested that PKI might need to add a third type of assertion, a "statement of satisfaction", to the assertions of identity and assertions of privilege it currently works with. Carl argued that a receipt should instead be seen as "a signed message like any other", and suggested that the reason PKI has not developed receipts is that PKI has not proven to be all that useful for e-commerce. Sean called the group's attention to NetBill (www.netbill.com), an escrow-like scheme that ensures that goods are available to the buyer at the exact same time that the money to pay for them is made available to the seller. Carl noted that CyberCash provides for receipts for payment, but not for receipts of the goods for which payment is being made; he agreed that this needs to be done, and that "simultaneous release of goods and money" is the central issue.
The next call will be November 11 at 4 PM Eastern, as regularly scheduled.