Re: [pki-tc] DHS RFI

[Stephen Wilson <swilson@lockstep.com.au>]

Anders

I think it is fair to say that Asia has embraced both the phone and the 
smartcard.  You're right that they love to use their cell phones for all 
sorts of applications, but nothing I have seen in Asia recently suggests 
they are walking away from smartcards.  Quite the opposite.  In my APKIF 
Trip Report I summarised the smartcard numbers in various Asian countries; 
they're high and rising rapidly. 

As Paul Evans said, the cell phone is not the ideal form factor for 
building access control (not to mention that phones are banned in many 
defence facilities!).  What's your basic objection to accomplishing both 
logical acceess control and building access (photo id card) on the same 
device?  It seems a more natural marriage than trying to do logical access 
control using a phone.  

The deep advantage of cards is that everybody has been trained over the 
decades what to do with them: you pop a card in a reader, type in your 
PIN, and useful service happens.  I advocate retaining the same form 
factor we've used for up to forty years or more in POS, over-the-counter, 
and ATM settings.  I find it hard to imagine that cell phones will take 
over plastic cards in general commerce. 

Microsoft embraced the smartcard.  Smartcards are appearing in the tens of 
millions in national ID, driver licenses, health cards, e-passports as 
well as EMV.  Readers are therefore appearing on PCs steadily.  The 
commoditisation of smartcard readers could be made to increase more 
rapidly if there was greater use of cards on-line.  Remote authentication 
is the driver.  As Bill Burr said in his keynote at the APKIF in Tokyo, 
the smartcard is the only feasible protection against man in the middle 
attacks.  This is what makes PIV so important for logical access control, 
especially remote access. 

And smartcards are technologically ideal for conveying multiple 
credentials, with the ability to manage say a dozen different key pairs.  
Whether PIV or EMV platforms happen to inhibit this today, is a limitation 
imposed by the software, not by the basic crypto platform.  It would be a 
relatively slight matter to get card schemes to open up their 
architectures to allow for car holders to load additional credentials onto 
their multi-application platforms. 

Cheers, 

Stephen. 


Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert 
Stephen Wilson, to provide independent advice and analysis on cyber 
security policy, strategy, risk management, and identity management.  
Lockstep is also developing unique new smartcard solutions to address 
privacy and identity theft. 
 




> Paul,
> I could easily write10 pages of "information" on this topic which I have
> been involved in since 1996, albeit from a Scandinavian perspective.
> 
> The designers of PIV never did any particularly sophisticated use-case
> analysis.  I, FWIW, have constantly "slaughtered" the idea that a 
physical
> ID-card intended for verification by a human, is suitable for combining
> with electronic, often entirely artificial credentials to be used for 
logical
> access control and digital signatures.  The reason is simple.  Most of
> us have probably seen the picture with two dogs sitting in front of
> a computer.  One dog says to the other dog:
> "On the Internet nobody knows that you are a dog"
> 
> I.e. we are dealing with two entirely different use-cases.
> 
> Due to that there are no form-factor requirement for electronic
> credentials except that it is nice if they fit a standard computer.
> Today that spells USB.  Tomorrow it is probably NFC/Wireless USB
> and NFC/WLAN.  Not due to the needs of the security industry, but
> for transfering multi-media to PCs and performing VoIP to local
> broadbands.  I.e. this stuff will ride on mainstream developments that
> are in high demand.  Card readers are one-function interfaces
> with a currently rather uncertain demand.
> 
> Regarding the mobile phone thing there are so many advantages of
> using such as credential carriers compared to cards that I don't
> think that smart cards will work even for the financial industry.
> That is, I expect EMV to be eclipsed by phones.
> 
> Rationale:
> 
> - Unfortunately we need multiple credentials and issued by
>   different parties.  PIV and its cousins do not address this
>   situation.
> 
> - You may need multiple authentication technlogies for logical access
>    ("may" must be a huge understatement given the current situation)
> 
> - The mobile Internet has been a joke since 1998.  But a decade later
>   it may be the core of many peoples use' of personal IT.  This may be
>   valid for public sector employees s well, including doctors,
>   social workers, and the police.
> 
> - The ability to actually use any 2010 WinTel machine without
>   buying or installing a single thing will make it possible to
>   actually perform really sophisticated stuff wherever you are.
>   PIVs will hardly work outside the federal/state sphere.
> 
> - There are numerous extremely powerful uses that no
>   other technology can support by having a combination of
>   a smart card++, display, browser, keyboard, and
>   wireless.  VISA's 3D Secure is an example of a scheme
>   that a card cannot support in a local shop but a phone can
>   do with ease.
> 
> - NFC/Wireless USB is a perfect replacement of mag strips for
>    physical access control including biometric data.
> 
> You are right that there are cultural issues that may thwart some
> of this.  I though belive that "enablement" is the true door opener.
> 
> Then, of course I would not forget the envy US pople will
> get when they see a BILLION+ of Asians using this really
> cool stuff.  200M EU citizens may also have some influence
> on the future.
> 
> There are other serious issues with the electronic part of PIVs,
> such as affiliation.  That severely limit PIVs applicability
> as well as increasing cost.  This is yet another thing that stems
> from the unfortunate combination of "company badges" and PKI.
> 
> a possibly biased but reasonably honest
> Anders Rundgren
> Developer of mobile security technology
> and member of TrustedComputingGroup
> 
> ----- Original Message -----
> From: "Evans Paul" <evans_paul@bah.com>
> To: "Anders Rundgren" <anders.rundgren@telia.com>; "Arshad 
Noor"<arshad.noor@strongauth.com>; "PKI TC"
> <pki-tc@lists.oasis-open.org>
> Sent: Saturday, June 18, 2005 00:13
> Subject: RE: [pki-tc] DHS RFI
> 
> 
> Anders,
> 
> I suspect that DHS is getting roundly pummeled by the comments coming in
> - we had more that a dozen pages in our own response.
> 
> As for your observations, keep in mind that PIV is much more than PKI.
> It's an identity credential for authentication to both physical and
> logical resources.  The smart card vendors are in high gear to produce
> the cards.  Moreover, Phase I is more about policies and processes - the
> PIV I cards only need to display FIPS 201 topology to conform and don't
> have to include anything electronic.
> 
> You also need to understand the cultural differences here. Even if you
> could use a cell phone for logical access (notwithstanding issuance
> issues), you won't be able to have phones with non-forgeable visual
> attributes that will be acceptable for guards checking credentials for
> entry into a building. I'm having visions of everybody walking around
> federal buildings with cell phones dangling from their necks.
> 
> Further, employee unions and contractors will be highly resistive to
> being required to have a cell phone that conforms to some standard that
> mandates government controlled capabilities on said device unless the
> government actually buys them, issues them and pays for any time usage.
> It would also require the government to buy all new computers that have
> the default hw/sw you believe will be manufactured in (oh, and require
> users and contractors working remotely to upgrade as well).  So tell me,
> which is less expensive? Cell phones and computers for all or a smart
> card and reader?
> 
> Have a good weekend.
> 
> Paul Evans
> - Working for Booz Allen Hamilton but expressing personal opinion in
> this message -
> 
> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@telia.com]
> Sent: Friday, June 17, 2005 5:23 PM
> To: Arshad Noor; PKI TC
> Subject: Re: [pki-tc] DHS RFI
> 
> Arshad,
> 
> I got the impression that they left out PIV/HSPD-12 in the *pilot*.
> 
> That was IMHO a resonable step as there are not enough PIVs out there to
> motivate support of these.
> 
> Due to the unavailability of readers they will soon also have to adapt
> the scheme to One Time Passwords (OTPs) as well, in spite of not even
> being mentioned in the plan.  As they say in the Army:
> When the reality and the map does not not match - Stick to the reality!
> 
> In Sweden, the last PKI-using bank has finally realized that the
> unavailability of WebSign standards and readers is a killer (for
> everybody) and have subsequently introduced "scratch cards".
> 
> A low-tech, fully mobile, but reasonably secure solution that seems to
> catch on.
> 
> Believe me, PIV, GSI and CAC cards will be obsolete the very moment
> Uncle Sam have poured the $BNs needed, as any medium-range mobile phone
> will be able to "dock" to a PC using an NFC/WLAN combo while the mobile
> CPU itself will have full TPM capability.  And all this by using default
> HW + SW.
> 
> It is interesting to note that neither banks or governments have any
> representation in TrustedComptingGroup:
> https://www.trustedcomputinggroup.org/about/members
> 
> Yes, we are obviously talking 2010 here, but this is the actual speed of
> client-side PKI in the US, like it or not.
> 
> For the org-to-org messaging it is still an open question where it is
> going.
> 
> AndersR
> 
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Thursday, June 16, 2005 20:35
> Subject: [pki-tc] DHS RFI
> 
> 
> Here is the RFI that specifically excluded PKI from its
> Identity Management project - shortsighted in my opinion.
> Feel free to let your DHS contacts know of the folly of
> ignoring PKI from its IdMS project.  I've already done
> so.
> 
> Arshad Noor
> StrongAuth, Inc.
> 
> 
> 
> ------------------------------------------------------------------------
> --------
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in 
OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> 

--
<Put email footer here>