Security on the Web
Rigo Wenning
OECD Global Forum on Information Systems and Network Security:
Towards a Global Culture of Security
Panel: Global frameworks and standards
Oslo, 14 October 2003
Rigo Wenning <rigo@w3.org>
W3C/ERCIM
Sophia Antipolis, France
The security relationships
Standards in Communication/Transaction
- XML Signature, XML Encryption, SSL
- OpenPGP, PKCS, SMIME, IPv6, PKIX
- 3DES, RSA, IDEA, CMS, DSA, DSS
Most of the standards are done, but not applied on a large scale
PKI or the secure third channel
- XKMS, X.509v3 Certificates, SSL Certificates
- EESSI-Working Groups @ ICTSB (ETSI & CEN), XAdES
- GnuPG, OpenPGP, S/MIME Certificates
Some things left to do, existing standards not applied on a large scale
Issues
- Business model
- User Interface !
- Market fragmentation
PKI and the trouble with the business model
User Interface
- Difficult to get the abstract notion of certificate to the user
- Users are a nuisance in the security model of the expert
- predominance of command-line tools
- using those tools is geeky
Market Fragmentation
- Security area is a patent minefield: e.g. Patent on using XML Signature with Forms
- A lot of formats and versions that don't work with each other
- companies' commercial interests prevail over standardization and interoperability
Trust issues
- Does the technology work like we work? (Web shop vs. Bookstore)
- Making the blackbox visible to the user (e.g. P3P)
- Already questions about a security metadata framework
Thank you very much
- Presentation available
- http://www.w3.org/Talks/2003/10-oecd-oslo/