Subject: Germany's NIST standardizes Gateway PKI approach.


E2E = End-to-end
GW = Gateway
 
Germany's e-Government adopts the GW approach
I just returned from a conference in Hungary called ISSE 2005 (Information Security Systems Europe), where I presented an authentication solution on behalf of my employer.  Fortunately, I was also able to attend a presentation by a BSI (the NIST of Germany) delegate, who presented their gateway approach for e-government transactions and messaging.  The presenter started with a slide containing the line: "End-to-end security died even before it even was alive".  This was not a research report but a real system based on a set of new BSI standards, and it comes from the country that, more than any other, has been associated with legally binding signatures, qualified certificates and similar.
 
As a contrast, it is worth noting that the government in the US has (so far) concluded that it does not need a security architecture for interacting with society at large.  This is a pity, since HSPD-12/PIV addresses (in the original text at least) neither cross-agency messaging nor G2B messaging; it is rather designed to secure access to federal resources.  The original use-case should work just fine, while the extended use-case often does not.  "How do you send an encrypted message to the tax department" (which the BSI representative mentioned as an example) shows, in its extreme simplicity, that this is not simply a matter of using smart cards or not; it is rather a security architecture issue.  For those who are not heavy into the US FPKI, the problem is that there is no concept of department or organization in that model, only employees.  The BSI question also indicates that there are privacy issues that are not particularly well addressed by the E2E model (while they definitely are by its challenger, the gateway).
 
The way ahead?
The extreme positions taken by different "PKI theologists" have so far created a huge gap benefiting nobody.  It is, however, indeed possible to combine these two diverging paths, creating a very potent, economical and extensible security architecture.
 
Anders Rundgren
Located in the EU, working for a major US computer security company, but here only representing myself.