[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Germany's NIST standardizes Gateway PKI approach.
E2E = End-to-end
GW = Gateway
Germany's e-Government adopts the GW approach
I just returned from a conference in Hungary called
ISSE 2005 (Information Security Systems Europe) where I presented an
authentication solution on behalf on my employer. Fortunately, I was
also able to attend a presentation by a BSI (the NIST of Germany) delegate,
who presented their gateway approach for e-government transactions and
messaging. The person started with a slide containing the line:
"End-to-end security died even before it even was alive". This was not a
research report but a real system based on a set of new BSI standards, and
coming from the country that more than any other country has been associated
with legally binding signatures, qualified certificates and
similar.
As a contrast it is worth noting that the
government in the US have (so far) concluded that they do
not need a security architecture for interacting with the society at
large. This is a pity, since HSPD-12/PIV does neither
address (in the original text at least), cross-agency messaging nor G2B
messaging, it is rather designed to secure access to federal
resources. The original use-case should work just fine, while the extended
use-case often does not. "How do you send an encrypted message to the tax
department" (which the BSI representative mentioned as an example), is in its
extreme simplicity showing that this is not simply a matter of using smart cards
or not, it is rather a security architecture issue. For those who are
not heavy into the US FPKI, the problem is that there is no concept of
department or organization in that model, only employees. The BSI
question also indicates that there are privacy issues that are not
particularly well addressed by the E2E model (while definitely by its
challenger, the gateway).
The way ahead?
The extreme positions taken by different "PKI
theologists", have so far created a huge gap benefiting nobody. It is
however, indeed possible combining these two diverging paths
creating a very potent, economical and extensible security
architecture.
Anders Rundgren
Located in the EU, working for a major US computer security
company, but here only representing
myself. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]