OASIS Mailing List Archives

pki-tc message



Subject: Re: [pki-tc] US e-government ID-challenge


David,
I think you answered another question, how to carry your citizen-ID.
 
Due to [censored lines concerning banks, card manufacturers and software makers] practically everybody has shelved their smart card-based PKI ID-programs.  But PKI is still alive and well, although only in the form of "soft" certificates.  In Scandinavia millions of on-line bank-customers use such.
 
But the question was really how e-governments are supposed to work in the absence of naming-systems aligned to on-line activity.  The Swedish system is based on a unique static citizen code which is used as a universal "key" in authorities' information systems.  To introduce such schemes in countries like the US seems impossible, as people's trust in governments seems relatively limited.
 
A counter-measure could be that independent ID-providers, like banks, supported naming-schemes like the following:
 
- ID-provider (globally unique id)
- Common Name (of subject)
- Client number (static locally unique id)

Sample ID: "http://www.mybank.com/gid" : "CN=Marion Anderson, serialNumber=0766864"

This would work as globally unique pseudo-citizen-codes but without the political problems associated with huge central registries held by government authorities.

In case some parties need other information about the subject, like social security number, registered address etc., the client (citizen) can, using the very same certificate, request their bank (using an on-line service) to create a signed registry file based on other account information.
 
Anders Rundgren
Consultant in PKI and secure e-business
+46 70 - 627 74 37
 
----- Original Message -----
Sent: Friday, February 14, 2003 15:26
Subject: Re: [pki-tc] US e-government ID-challenge

Anders:
 
I am not sure I understand the argument.
 
I worked in Luxembourg for a year attempting to launch a PKI-based
credit card [see the Providian GetSmart VISA concept].
 
It didn't take off because web-access control systems aren't supporting user-end use of smart cards.  Microsoft interfaced to smart card readers with Windows 2000, and how many clients have implemented smart-card based authentication in W2K? I bet only a handful.
 
My humble thoughts.
 
David Sweigert, CISSP
----- Original Message -----
Sent: Friday, February 14, 2003 4:04 AM
Subject: [pki-tc] US e-government ID-challenge

Hi,
This is a very silent list but I give it a try anyway.
 
Coming from a country (Sweden) that established a working national identity-scheme some 40 years ago, which was with ease "recasted" into PKI, I wonder how countries like the US, lacking such systems, are going to get e-governments running.
 
As far as I know, social security numbers as used in the US are not sufficient as there are duplicates, and many countries do not have identity systems at all that are aligned to on-line usage.
 
Anders Rundgren
Consultant PKI and secure e-business

