OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

kmip-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Bootstrapping Mobile Phone Credentials using PIV/CAC/eID

If your organization is using smart cards for login and access control and you would like to maintain the same security level in the mobile device fleet, you are in for big problems because the mobile phone industry haven't done very much in general in this space except for telecom operators and SIM-cards.   In theory SIM-cards could be an excellent choice but they are usually locked-down by the operator and also come in rather different flavors where only a fraction support PKI.
Some vendors have therefore come up with counter-measures like:
Although these solutions work, they add a sizable cost ($200+) and inconvenience as well as being non-standard.

Another solution which is piloted by the Swedish Police, is to use the existing PIV/CAC/eID cards to "enroll" mobile devices (from a PC), which should be on par with the original credentials with respect to user-identity assurance.  This can be done by the end-user itself using an OTA-credential-bootstrap mechanism.
Due to the absence of any standards for on-line provisioning of credentials the described system is proprietary.
Will OASIS's KMIP change this?  I don't see how; I can't even figure out if this use-case is in-scope based on the current charter.  IMHO a scheme like above should in order to be generally applicable, use a provisioning system that can be invoked by a clickable URL delivered in an SMS or e-mail.  The URL replaces the need for awkward enrollment user-ID/password distribution since it is generated from the PIV/CAC/eID-based enrollment request.  What's lacking is secure method for binding the device to this authentication.  The most reasonable method appears to be device certificates.  Device certificates could also be used for bootstrapping MDM (Mobile Device Management) systems since these also suffer from clunky, unsecure, and error-prone authentication schemes.
Anders Rundgren

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]