Anders wrote:
> When any of you guys have made a *public* write-up on how you
> would address the [related] issues mentioned on p.2 in this document
> http://webpki.org/papers/web/A.R.AppliedPKI-Lesson-1.pdf
> you are ready for the real discussion.
1. How is the purchaser (P) going to select and acquire a suitable Order Receiver (OR) encryption certificate from the selling organization?
* out of scope, intro needs to be done at business level, probably after credit checks.
* assumes OR is a person, likely bad assumption
2. How is the buying organization’s Purchasing System Server (PSS) able to perform its logging, authorization, and control tasks if purchase orders already have been encrypted by the Purchaser using a public key from an external selling organization?
* my first thought is to drop the p2p pk encryption and use a secure network.
* second thought, the secure network possibly has an interest in the settlement.
* OK, so I see the need for additional routing, multiparty-recipient PK encryption, and 2nd party auth
* 2nd party auth is easy: 1st party prepares the order, 2nd pays it.
* ("easy" means, when you have already solved the problem!)
* which means that p2p encryption can happen on PSS -> OR
3. How is the selling organization’s Order System Server (OSS) supposed to decipher and validate incoming orders if they are encrypted by a public key of a specific Order Receiver (ORn) employee? In case the designated OR is unavailable, how is OSS going to be able to delegate order handling to another OR?
* bad assumption, the OR shouldn't be an employee, it is a business and departmental process.
4. How are different Order Receivers (ORs) supposed to cooperate if they cannot see each others’ tasks? Are the particular Order Receiver and Purchaser also the natural entities for handling associated invoices?
* ditto, they should have a shared corporate OR account
* don't these guys know how a telex machine works?

> I know that there is not a single person on this planet who can :-)

Bad assumption, some are more than one person ;)

iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto