Anders:
Military steps
Some smart-card ID systems have been deployed and have become de facto machine-readable ID systems. In the States much of technology is driven by the military. The US military has rolled out a chip-based ID card. This idea is also gaining traction with health-care delivery systems, many times operated by a State government.
State government steps
Some movement is taking place to bolster credentials for Driving Licenses. After 9-11 there seems more willingness to review and modify State licensing programs.
Example: the State of Ohio dropped the habit of issuing a driver's license for four years to non-resident aliens. Now, your State of Ohio license expires when your VISA credentials expire. If your Immigration and Naturalization Service [INS] non-resident alien card expires on October 5, 2003, so will your Driver's license.
I see more movement in identity consolidation or identity aggregation at the present. No one is ready to tackle a large strategic program like a major roll-out of a new identity system.
Dave Sweigert
----- Original Message -----
Sent: Friday, February 14, 2003 10:02 AM
Subject: Re: [pki-tc] US e-government ID-challenge
David,
I think you answered another question, how to carry your citizen-ID.
Due to [censored lines concerning banks, card manufacturers and software makers] practically everybody has shelved their smart card-based PKI ID-programs. But PKI is still alive and well, although only in the form of "soft" certificates. In Scandinavia millions of on-line bank-customers use such.
But the question was really how e-governments are supposed to work in the absence of naming-systems aligned to on-line activity. The Swedish system is based on a unique static citizen code which is used as a universal "key" in authorities' information systems. To introduce such schemes in countries like the US seems impossible, as people's trust in governments seems relatively limited.
A counter-measure could be that independent ID-providers, like banks, supported naming-schemes like the following:
- ID-provider (globally unique id)
- Common Name (of subject)
- Client number (static locally unique id)
Sample ID: "http://www.mybank.com/gid" : "CN=Marion Anderson, serialNumber=0766864"
This would work as globally unique pseudo-citizen-codes but without the political problems associated with huge central registries held by government authorities.
In case some parties need other information about the subject, like social security number, registered address etc., the client (citizen) can, using the very same certificate, request their bank (using an on-line service) to create a signed registry file based on other account information.
Anders Rundgren
Consultant in PKI and secure e-business
+46 70 - 627 74 37
----- Original Message -----
Sent: Friday, February 14, 2003 15:26
Subject: Re: [pki-tc] US e-government ID-challenge
Anders:
I am not sure I understand the argument.
I worked in Luxembourg for a year attempting to launch a PKI-based credit card [see the Providian GetSmart VISA concept].
It didn't take off because web-access control systems aren't supporting user-end use of smart cards. Microsoft interfaced to smart card readers with Windows 2000 and how many clients have implemented smart-card based authentication in W2K; I bet only a handful.
My humble thoughts.
David Sweigert, CISSP
----- Original Message -----
Sent: Friday, February 14, 2003 4:04 AM
Subject: [pki-tc] US e-government ID-challenge
Hi,
This is a very silent list but I give it a try anyway.
Coming from a country (Sweden) that established a working national identity-scheme some 40 years ago, which was with ease "recast" into PKI, I wonder how countries like the US, lacking such systems, are going to get e-governments running.
As far as I know, social security numbers as used in the US are not sufficient as there are duplicates, and many countries do not have identity systems at all that are aligned to on-line usage.
Anders Rundgren
Consultant PKI and secure e-business
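
The naming scheme proposed earlier in the thread (ID-provider, Common Name, client number), as an added Python example that is not part of the original messages: it parses the thread's sample ID and derives a lookup key from it. Keying on provider plus serialNumber only, the function names, and every input other than the thread's own sample are assumptions.

```python
import re
from urllib.parse import urlsplit

# Shape taken from the thread's sample ID: "<provider URI>" : "<attr=value, ...>"
_SAMPLE = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]+)"\s*$')

THREAD_SAMPLE = '"http://www.mybank.com/gid" : "CN=Marion Anderson, serialNumber=0766864"'
# Constructed inputs: same client after a name change, and a second provider.
RENAMED = '"HTTP://WWW.MyBank.com/gid" : "serialNumber=0766864, CN=Marion Smith"'
OTHER_BANK = '"http://www.otherbank.example/gid" : "CN=Marion Anderson, serialNumber=0766864"'

def parse_subject(dn):
    """Split 'CN=..., serialNumber=...' into a dict keyed by lower-cased attribute type."""
    attrs = {}
    for part in re.split(r'(?<!\\),', dn):  # a backslash-escaped comma stays in the value
        if "=" not in part:
            raise ValueError(f"malformed attribute: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        if key in attrs:  # two serialNumbers would make the key ambiguous
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value.strip().replace("\\,", ",")
    return attrs

def normalize_provider(uri):
    """Lower-case scheme and host so one provider cannot appear under two spellings."""
    u = urlsplit(uri.strip())
    if u.scheme not in ("http", "https") or not u.hostname or "@" in u.netloc:
        raise ValueError(f"not a provider URI: {uri!r}")
    return f"{u.scheme}://{u.netloc.lower()}{u.path}"

def pseudo_citizen_code(sample_id):
    """Return (provider, client number). Assumption: the Common Name is descriptive
    only, since names change and collide; the serial stays a string so the
    leading zero in '0766864' survives."""
    m = _SAMPLE.match(sample_id)
    if not m:
        raise ValueError("expected '\"provider\" : \"subject\"'")
    serial = parse_subject(m.group(2)).get("serialnumber", "")
    if not serial:
        raise ValueError("subject has no serialNumber")
    return (normalize_provider(m.group(1)), serial)

if __name__ == "__main__":
    for s in (THREAD_SAMPLE, RENAMED, OTHER_BANK):
        print(pseudo_citizen_code(s))
```

The same client number under a different provider yields a different key, which is what makes the locally unique number globally unique without a central registry.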