invoicing with PKI

Ian Grigg iang at systemics.com
Mon Sep 1 12:23:28 EDT 2003


(Things seem quiet on the crypto front, here's a late reply.)

Hadmut Danisch wrote:
> 
> Hi,
> 
> On Thu, Jul 17, 2003 at 04:27:52PM -0400, Ian Grigg wrote:
> > Does anyone know any instances of invoicing and
> > contracting systems that use PKI and digital orders?
> >
> > That is, purchasing departments and selling departments
> > communicating with digitally signed contracts, purchase
> > orders, delivery confirmations and so forth.
> >
> > And, the normal skeptical followup question, do they
> > work, in the sense of delivering ROI, or are they just
> > hopeful trials?
> >
> 
> Beyond invoicing/contracting, which applications of PKI
> in e-business or related areas are there anyway?

The dream of PKI seems to revolve around these major areas:

  1.  invoicing, contracting - no known instances
  2.  authentication and authorisation - SSL client
      side certs deployed within organisations.
  3.  payments
  4.  channel security (SSL)
  5.  email (OpenPGP, S/MIME)

In terms of actual deployed PKIs, the only significant
cases that I know of, deployed outside of organisations
and in widespread use are:

   HTTPS (141k, see below), and
   OpenPGP ("millions" says PGP Inc, so let's call it 100k or so).

I suspect the widest use of public key crypto in a
non-PKI context would be SSH, which opportunistically
generates keys rather than invite the user to fund
a PKI.  According to this page [1], there may or may
not be 2,400k SSH servers, but it's unclear whether
that is the sample size or the sites found.

> (except
> for the standard tools SSL, X.509,...)

(Right, tools, not applications.)

> Is there a survey of where in e-business cryptography
> is actually being used between customers and providers?

There are specific things like www.securityspace.com and
www.netcraft.com (costs money for what securityspace gives
for free).  Of these, start at [2].

(Which shows the penetration of SSL in websites has risen
from about 1% to 1.2% since the beginning of the year.
Although, there are now new figures on there that show
that only 31% of the 141k found are "valid" / self-signed
certs.)

In terms of other uses of PKI, outside HTTPS, I don't
know any regular surveys.  I imagine it would be too
depressing to conduct more than once :)

> How many shops do use SET for payment?

Is SET still alive?  Available?  The crypto-based payments
field appears to be quiet at the moment (e.g., payments
that are not done over HTTPS).

About the only thing that I know of (other than my own stuff)
is Peppercoin, which seems to be a DRM micropayments play.
Poking around on the website, it appears to be a crypto
download microtoken billing method, that is aggregated
onto credit cards or bank accounts [3].  IOW, a grab bag
of payments techniques that appears blithely ignorant of
the last decade in digital payments.

iang

[1] http://www.openssh.com/usage/ssh-stats.html
[2] http://www.securityspace.com/s_survey/sdata/200308/domain.html
[3] http://www.peppercoin.com/General/FAQAnswerPage.ppp?keyID=helpfaq/faqs/AboutPeppercoin&topicIndex=16

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com