Subject: Bootstrapping Mobile Phone Credentials using PIV/CAC/eID
If your organization is using smart cards for login and access control and you would like to maintain the same security level in the mobile device fleet, you are in for big problems, because the mobile phone industry hasn't done very much in general in this space except for telecom operators and SIM-cards. In theory SIM-cards could be an excellent choice, but they are usually locked down by the operator and also come in rather different flavors, of which only a fraction support PKI.
Some vendors have therefore come up with counter-measures like:

http://www.trustdigital.com/downloads/TD_EMM_CAC_Pack_101008.pdf
http://na.blackberry.com/eng/ataglance/security/products/smartcardreader

Although these solutions work, they add a sizable cost ($200+) and inconvenience, as well as being non-standard.
Another solution, which is piloted by the Swedish Police, is to use the existing PIV/CAC/eID cards to "enroll" mobile devices (from a PC), which should be on par with the original credentials with respect to user-identity assurance. This can be done by the end-users themselves using an OTA credential-bootstrap mechanism. Due to the absence of any standards for on-line provisioning of credentials, the described system is proprietary.
Will OASIS's KMIP change this? I don't see how; I can't even
figure out if this use-case is in-scope based on the current charter.
IMHO a scheme like the above should, in order to be generally applicable, use a provisioning system that can be invoked by a clickable URL delivered in an SMS or e-mail. The URL replaces the need for awkward enrollment user-ID/password distribution, since it is generated from the PIV/CAC/eID-based enrollment request. What's lacking is a secure method for binding the device to this authentication. The most reasonable method appears to be device certificates. Device certificates could also be used for bootstrapping MDM (Mobile Device Management) systems, since these also suffer from clunky, insecure, and error-prone authentication schemes.
Anders Rundgren
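The server side of the bootstrap flow sketched in the post, as an added illustration (not the Swedish Police pilot's code or any vendor's product): a single-use, time-limited token is minted only after the smart-card login on the PC, delivered as a URL, and redeemed by the phone over TLS with its device certificate, which binds that certificate to the card-authenticated subject. The smart-card authentication, the TLS client-certificate handshake (which proves possession of the device key) and the hostname/secret are assumed to be supplied from outside this snippet.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL = 15 * 60  # seconds a bootstrap URL stays valid (assumed policy)
BASE_URL = "https://enroll.example.invalid/bootstrap"  # constructed placeholder


class EnrollmentService:
    """Hypothetical enrollment endpoint: mints and redeems bootstrap URLs."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # keyed token digest -> (subject, expiry)
        self.devices = {}            # device cert fingerprint -> subject

    def _digest(self, token: str) -> str:
        # Store only a keyed hash, so a leaked table yields no usable URLs.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def create_bootstrap_url(self, card_subject: str) -> str:
        """Called after the user authenticated with the PIV/CAC/eID card on a PC.
        The token is 256-bit random, so the URL cannot be guessed."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (card_subject, self._clock() + TOKEN_TTL)
        return BASE_URL + "?" + urlencode({"t": token})

    def redeem(self, token: str, device_cert_fingerprint: str) -> Optional[str]:
        """Called when the phone opens the URL over TLS with its device cert.
        `device_cert_fingerprint` is the TLS-verified peer certificate's hash.
        Returns the subject now bound to the device, or None on rejection."""
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None                                      # unknown or replayed
        subject, expiry = entry
        if self._clock() > expiry:
            return None                                      # URL too old
        if device_cert_fingerprint in self.devices:
            return None                                      # cert already enrolled
        self.devices[device_cert_fingerprint] = subject
        return subject


def token_from_url(url: str) -> str:
    """What the phone extracts from the clicked SMS/e-mail link."""
    return parse_qs(urlparse(url).query)["t"][0]
```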