PKIhttp://www.oasis-open.orghttp://www.oasis-pki.org
  About PKI Forum PKI Members Join PKI Forum PKI News PKI Events OASIS Members Only http://xml.coverpages.org http://www.xml.org  

PKI
PKI
 About
 Join
 Governance
 Members

PKI Resources
 Resources
 White Papers
 FAQ

Technical Process
 IPR Policy
 TC Process

Technical Committees
 Current TC List
 PKI

OASIS Network
 OASIS
 CGM Open
 DCML
 ebXML
 LegalXML
 UDDI

OASIS Info Channels
 Cover Pages
 XML.org
 Sponsorship

PKI Home / White Papers /

White Papers


 Introductions to Public Key Security and PKI
 Glossaries
 Fundamentals in Authentication and Identity Management
 Assorted PKI Business Issues
 Vertical Industry Experiences
 Contemporary PKI Strategy
 Implementation Guidelines
 Assorted PKI Technology Topics
 PKI Governance and Legal Issues
 International Experience and Developments

Introductions to Public Key Security and PKI

Back to Top
PKI Basics - A business perspective - An original PKI Forum introduction BENEFITS APP
Public Key Cryptography Demystified - Robert J. Brentrup, Campus Technology May 2003 BENEFITS APP
DoD PKI and Public Key-Enabling FAQ - May 2004
RSA Labs Crypto FAQ
ABA Digital Signatures Tutorial - American Bar Association

Glossaries

Back to Top
RSA Laboratories Cryptography Glossary
Lynne Wheeler's Glossary

Fundamentals in Authentication and Identity Management

Back to Top
The Identification Process Deconstructed - July 2003 NIST Smart Card Workshop

Assorted PKI Business Issues

Back to Top
PKI and Financial Return on Investmen UPDATED - The updated Oasis PKI TC white paper January 2005 ROI
ROI for PKI investment - Verisign and Blue Bridge Feb 2002. Includes a particularly good, detailed examination of digital signature applications. ROI APPS
PKI and Financial Return on Investment - An original PKI Forum white paper August 2003 ROI

Vertical Industry Experiences

Back to Top
Government Service Delivery
The United States Patent and Trademark Office - An Entrust Success Story BENEFITS ROI APPS
FDIC deploys smart cards and PKI - BENEFITS ROI APPS
An Overview of Public Key Certificate Support for Canada's Government On-Line - Mike Just, Treasury Board of Canada, 2003, presented to the 2nd Annual PKI Research Workshop
Healthcare
Smart Patient Data - Case study report from a part government funded R&D project. Smart Patient Data is a simple, user friendly and secure system that uses Public Key Infrastructure and secure tokens to access records and share patient summaries over the Internet. BENEFITS APPS
Business Planning for Healthcare Enterprise PKI - BENEFITS ROI APPS
US Healthcare PKI Note - An original PKI Forum white paper, March 2001
EDUCAUSE - NIH PKI Interoperability Pilot Project - Peter Alterman et al 2002
21 CFR Part 11 Electronic Records; Electronic Signatures - Food & Drug Administration
PKI Concerns In Healthcare Settings - Kaiser Permanente, 2000
PKI in Healthcare: Recommendations and Guidelines - Table of Contents, 2000 - The full report can be downloaded in sections from download
See also the Tunitas Group's Perspectives on Information Technology for the Health Care Industry at health PKI.
Financial Services
BACSTEL-IP Secure Payment Submission Case Study - One of the largest banking sector PKIs to date.
Success Story: BACS
Delegated Certificate Services White Paper - Hypovereinsbank, a member of Identrus. BENEFITS APPS
Royal Bank of Scotland Identrus Case Study
Prudential / British Telecom Managed PKI Case Study - 2002
PKI at Work - Baltimore Technologies presentation to Hong Kong PKI Forum 2003 BENEFITS ROI APPS
A milestone for the financial services security - Cert Extensions
Issue Paper: PKI, Digital Signature and eMortgages - Mortgage Bankers Association of America Feb 2003 BENEFITS RISK APPS
Education
PKI: A Technology Whose Time Has Come in Higher Education - Peter Alterman EDUCAUSE July 2004 BENEFITS RISKS

Contemporary PKI Strategy

Back to Top
PKIX Standards Status & PKI Directions - Dr. Stephen Kent 3rd International Symposium of the Asia PKI Forum, Korea, 2003 An excellent commentary on alternate PKI models, and the unnecessary complication of "trust" in many PKI applications. BENEFITS APPS
Challenges to PKI Development - Dr. Stephen Kent 4th International Symposium of the Asia PKI Forum, China, 2004 Another excellent exposition of the problems faced by traditional single TTP large scale CAs BENEFITS RISK APPS
PKI Position Statement of the Australian Security Industry - Nov 2003 Australian IT Security Forum BENEFITS RISK APPS

Implementation Guidelines

Back to Top
See also PKI Technical Standards.
Policy or Compliance Related Guidelines
PKI Policy Note - An original PKI Forum white paper describing the important policy elements of a PKI, such as the CP and CPS, and explaining why policy is such an important topic.
Guidance on Implementing the ESIGN Act - Office of Management and Budget 2000
Records Management Guidance for Agencies Implementing E-Signatures - National Archives & Records Administration
Project Management Guidelines
PKI Workshop Summary and Recommendations - Burton Group 2002. The Burton Group was retained by Cornell University to conduct a workshop into Cornell's enterprise PKI requirements and develop a set of recommendations. RISK APPS
Technology Guidelines
See also PKI Technical Standards.
Web Page Access Control Using PKI - Dartmouth PKI Labs 2004
Using a Non-Microsoft CA with Smartcard Logon - Dartmouth College PKI Lab Oct 2004
Using PKI Authentication with Shibboleth - Dartmouth College PKI Lab 2003
PKI Basics - A Technical Perspective - An original PKI Forum white paper
FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List - BENEFITS APPS
Password security and entropy - NIST E-Authentication Technical Guidance 2004 APPS
Understanding Certification Path Construction - An original PKI Forum white paper, September 2002
Authority Key Identifier & Subject Key Identifier Guideline - An original PKI Forum white paper, September 2002
Applied PKI - Lesson 1 - A 'synthetic' case study implementing a purchasing system. RISK APPS
Applied PKI - Lesson 2 - A continuation of the above 'synthetic' case study examining issues of message versus transport level encryption, and fat client vs thin client. RISK APPS
Advanced Engineering Resources
Implementation Guidance for FIPS PUB 140-2 and Crypto Module Validation Program
Special Publication 800-21: Guideline for Implementing Cryptography in the Federal Government
The Open-source PKI Book - A guide to PKIs and Open-source Implementations
Ipsec Resources - Hervé Schauer Consultants (a French company specialising in information security, closely involved with Ipsec developments)
OpenSSL Project Home Page
OpenSSL PKCS#12 FAQ
Net::SSLeay.pm Home Page
SSLeay FAQ - Note: last updated 1998.
Patches for SSLeay
SSLeay Documentation - Note: last updated 1999.
S/MIME Freeware Library
MD5 online hash calculator - Type data into a dialog box, and the hash is computed online
Cryptography Papers of Special Interest in Practical PKI
Hash Functions Implications - November 2004 Recent cryptanalytic results have raised concerns regarding currently popular hash algorithms; this NIST presentation outlines the practical implications. Concludes that MD5 must no longer be used, but that SHA-1 continues to be safe.

Assorted PKI Technology Topics

Back to Top
Asymmetric Cryptography - Public Key Authentication - APEC E-Security Task Group, 2001
Making Sense of your Authentication Options in e-Business - Stephen Wilson, Journal of the PricewaterhouseCoopers Cryptographic Centre of Excellence, October 2001 A comprehensive comparison of PKI (in various forms) against all other authentication technologies, with rankings of various attributes, including ease of use, availability, cryptographic properties, and resistance to theft. BENEFITS RISK APPS
Product Specific guidelines
Best Practices for Implementing a Microsoft Windows Server 2003 PKI - APPS
Using Oracle/IAS with PKI - Dartmouth PKI Labs
Setting up the Cisco VPN 3000 Concentrator for PKI Authentication - Dartmouth PKI Labs
Smartcards and PKI
Business Case for PKI on smartcards - "Approach for Business case analysis of using PKI on smart cards for Government-wide applications" by the CIO PKI/Smartcard Project, April 2001 BENEFITS RISK ROI APPS
US Government Smart Card Handbook - US General Services Administration BENEFITS APPS
Smart Cards - An original PKI Forum white paper, April 2002 BENEFITS APPS
Biometrics and PKI
Biometrics PKI Note - APPS
Will Biometrics Obsolete PKI? A Special Report - June 2001 American Bar Association, Bulletin of Law/Science & Technology. This short paper discusses unique properties of PKI not provided by biometrics, including the ability to revoke when compromised, persistent signatures, and the ability to build open authentication systems. BENEFITS RISK
Wireless PKI
Current Development of Wireless PKI in Chinese Taipei
Miscellaneous Applications
A Wearable PKI

PKI Governance and Legal Issues

Back to Top
Governance Principles
PKI Position Statement of the Australian Security Industry - Australian IT Security Forum November 2003. Discusses practical experience of PKI demand drivers, "killer applications", and the implications for PKI governance and interoperability. BENEFITS RISK APPS
Electronic Authentication: Issues Relating to Its Selection and Use - 2002 A major publication of the APEC eSecurity Task Group, canvassing all major policy, compliance, implementation and even cultural issues of electronic authentication across the Asia Pacific and the Americas. BENEFITS RISK
Advances and Remaining Challenges to Adoption of PKI - United States General Accounting Office Feb 2001 RISK APPS
Audit based public key infrastructure - Certification Forum of Australia November 2000. This paper details a new approach to building large, decentralised and flexible PKIs, using existing international systems for standards conformance accreditation. RISK APPS
OECD Security Guidelines - Organisation for Economic Co-operation and Development's Guidelines for the Security of Information Systems and Networks: Towards a culture of security 6 August 2002 BENEFITS RISK
Interoperability and Recognition
PAA PKI Cross Border Interoperability - The Pan Asian E-Commerce Alliance Mutual Recognition Scheme BENEFITS APPS
Download - "Guidelines for Schemes To Issue Certificates Capable of Being Used in Cross Jurisdiction eCommerce" APEC eSecurity Task Group September 2004 RISK
International Harmonization of Policy Requirements for CAs issuing Certificates - This Technical Report presents the results of ongoing work to harmonize existing European electronic signature technical specification on policy requirements for CAs with other internationally recognized standards and related activities.
EDUCAUSE - NIH PKI Interoperability Pilot Project - Peter Alterman et al 2002. A paper presented to the 1st Annual PKI Research Workshop at Dartmouth College April 2002 APPS
EDUCAUSE PKI Interoperability Project - Electronic Grant Application With Multiple Digital Signatures, Peter Alterman 2002 APPS
PKI Interoperability Framework White Paper
CA-CA Interoperability White Paper
Leveraging external accreditation to achieve PKI cross-recognition - Stephen Wilson, paper presented to the Attorney Generals Privacy & Security Conference, Melbourne 2001 BENEFITS RISK APPS
Achieving PKI Interoperability - Japan, Korea and Singapore - APEC eSecurity Task Group, March 2002
Regulatory and Legislative Issues
See also the collection of links to state, federal and international electronic signature laws below.

PKI Assessment Guidelines (PAG) American Bar Association Information Security Committee:

Privacy and PKI - "Guidelines for Agencies using PKI to communicate or transact with individuals" by the Office of the Federal Privacy Commissioner (Australia) Includes a rich set of recommendations relevant to any jurisdiction with an OECD-style privacy regime, including Europe and the US. RISK
Analysis of International Electronic and Digital Signature Initiatives - Report prepared for the Internet Law & Policy Forum (ILPF) September, 2000 RISK
Electronic Signature Legislation as a Vehicle for Advancing E-commerce - An extract from the article "Moving With Change: Electronic Signature Legislation as a Vehicle for Advancing E-commerce" in The John Marshall Journal of Computer and Information Law , Vol. XVII, No. 3, Spring 1999
UNCITRAL e-contracting - "Legal aspects of electronic commerce - Electronic contracting: Provisions for a Draft Convention" 20 September 2001
OECD Authentication Survey - "Summary of Responses to the Survey of Legal and Policy Frameworks for Electronic Authentication Services and E-Signatures in OECD Member Countries" Organisation for Economic Cooperation and Development 3 August 2004
Legal aspects of electronic commerce - A summary of the European Parliamentary Directive on e-commerce. August 2003
What Governors Need to Know About E-SIGN - National Governors Association, 2000
Survey of State Electronic & Digital Signature Laws - Internet Law & Policy Foundation (somewhat out of date now).

International Experience and Developments

Back to Top
PKI Lessons from Australia - Australian IT Security Forum presentation to World eBusiness Forum, Geneva, Dec 2003 BENEFITS APPS
PKI Activities in Chinese Taipei - Presentation to APEC TEL eSecurity Task Group March 2004
Consolidated Mapping of PKI Schemes Part 1 - APEC eSecurity Task Group 2003
Consolidated Mapping of PKI Schemes Part 2 - APEC eSecurity Task Group 2003
APEC CA survey 2002 - "Survey of Legislative/Legal Framework, Certificate Policies and Certification Practices of Recognised/Accredited/Licensed Certification Authorities in APEC member economies" APEC eSecurity Task Group, August 2002 RISK APPS
Final report on legal issues in cross-border e-commerce - Evelyn Ong, PKI Forum Singapore, 3rd International Symposium of the Asia PKI Forum, 2003 RISK
        
 

ABOUT | MEMBERS | JOIN | NEWS | EVENTS | TECH PROCESS | TECH COMMITTEES | OASIS NETWORK

Copyright © OASIS Open 2006. All rights reserved.