OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pki-tc] Fw: SV: Article of Le Monde.fr / Hans Nilsson

Here are some comments to the article.
PTDs vs. Smart Cards: The battle has begun

PTD = Personal Trusted Device (usually in the form of a mobile phone)

The smart card manufacturers have had ample of time to establish a (de-facto) standard PKI card.  But they have not.  Instead they are engaged in never ending standards wars making OS support cumbersome and expensive.

In another camp people have been toiling with PTDs for years without much success.  One of the stumbling blocks has been where to keep private keys etc.  The SIM-card (which only applies to GSM) has been thought as an appropriate place but it suffers from a serious limitation:  It is "owned" by an operator.  But a user is likely to need certificates from multiple independent "operators" (issuers).

In addition there is a need to improve the security in the entire mobile computing platform.

Apparently a remedy will relatively soon come to the world consisting of billions of (for the users) precious mobile phones:

PTDs compared to smart cards, are likely to reduce the complexity of integration with Windows, Linux and Mac OSes as the "reader" is replaced by Bluetooth/WI-FI and the cryptographic operations are high-level dittos.

Do PTDs have usage advantages over smart cards?  Absolutely.  The main "ingredient" making PTDs potentially extremely versatile and secure, is the fact that user keys are controlled by a trusted device containing an Internet browser, a powerful CPU, lots of memory, a keyboard, and supporting a wide range of connectivity options.  This should be compared to inserting a smart card into an unknown slot running unknown software on a computer that the user may not be in charge of.  A PTD platform among many things, opens the door to convenient uses of "indirection" like featured in VISA's 3D Secure and in the Liberty Alliance authentication framework.  That the very same device can be used in three completely different situations also helps:
  • Remote (connected over GSM/GPRS/3G/WLAN)
  • Slave (connected to a user's desktop computer)
  • Local (ad-hoc connected to POS terminals etc
I believe the moment has come to start establishing PTD platforms using SW-based security that will be easy to migrate to use HW-based security in 3-4 years from now.

Anders Rundgren
Consultant, PKI and secure e-business

----- Original Message -----
Sent: Thursday, May 29, 2003 11:59
Subject: [pki-tc] Fw: SV: Article of Le Monde.fr / Hans Nilsson

----- Original Message -----
Sent: Saturday, May 31, 2003 3:10 PM
Subject: Re: SV: Article of Le Monde.fr / Hans Nilsson

On behalf of the Dutch government PKI taskforce I am right now looking
into the interoperability (or better mobility) issues related to the use
of different smartcards on diferent card accepting points (reader +
drivers + middleware). If this issues can not be resolved, we are not
going to be able to roll out any kind of generic purpose smartcard be it
a PKI card or other, We can not live with a single-type/vendor-for-all

We know of a (=ONE) vendor of middleware that supports multiple cards on
multiple platforms.  This may be ok for the nearest future, but we need
more than that if we want to survive the comming years. 

We are looking into Finread as well as Area K deliverables. But what is
the real support of these standards? Do they really resolove (some of)
the issues?

If some of us is also facing this challenge (in a practical way),  maybe
we should discuss our problems and findings somehow. Maybe a meeting?

If you are dealing with this issue now, especially from a user
perspective, feel free to contact me personally or via this list.

Edward Hardam

Tor-Hjalmar.Johannessen@telenor.com heeft geschreven:

>The article http://www.lemonde.fr/imprimer_article_ref/0,5987,3244--321098,00.html
>should concern us all, as it (among other issues) adresses the growing awareness of compatibility problems for executing PKI-elements such as the support and combinations of:
>- SmartCard vs.
>- Smart Card Reader vs. 
>- OS (Windows / MAC / Unix / Linux /etc etc) vs.
>- Browser (Netscape / Explorer / Opera etc & variations between the versions)
>A page showing an incomplete but scaring matrix revealing some combination issues is presented by FinEid:
>Another issue concerning SmartCard solutions and SCCP EAL4+ requirements:
>Will a smartcard solution satisfy the CWA EAL4/EAL4+ requirements if the smartcard reader is of the normal cheap type (i.e without dedicated key pad / display etc.)where parts of the signature information (PIN-code, document display etc.) must be routed over OS'es (WIN2000 / NT etc,)which decline to support higher CC evaluation levels than EAL3 ? (Check any CC Evaluated Product List)
>Tor Hjalmar Johannessen
>Telenor R&D
>A BabelFish (incomplete of course) translation of the LeMonde article is enclosed below:
>Why the electronic signature remains dead letter the WORLD | 22.05.03 | 13h57? UPDATED the 22.05.03 | 13h58
>Three years after the law which conferred the same force as with the handwritten signature to him, the electronic paraph and the functions of coding which are associated for him are long in spreading. The complexity of the organization necessary to its installation rejects the industrialists. Deserted spans, cancelled conferences, dés?uvrés exhibitors... The environment of the Show Infosec 2003, specialized in the computer security, which has been just held from the 20 to May 22 at the CNIT in Paris, slices with the effervescence of the last years. Three years after the adoption of the law on the electronic signature, this one is long in entering the m?urs. Admittedly, the industrialists must have patience so that the decrees of application (2001) and the ministerial decrees (2002) specify the technical and legal conditions giving to the electronic signature the same convincing value as with the handwritten signature. Admittedly, "bubble Internet" burst in the interval, tarin!
> the financings. For as much, one is badly explained the lack of enthusiasm with respect to a technology - the infrastructure with public keys (ICP) - which was presented at one time like the average ideal to establish confidence on Internet. It would allow, announced one, to control the identity of the Net surfers, to guarantee the confidentiality and the integrity of the messages forwarding on the network and to keep the proof that the exchange of documents had taken place well. In short, to use the open network to make circulate significant information, to place from the orders, to sign documents, all expensive things in time and silver in the real world. In the middle of the years 1990, most optimistic counted on a market generated by the ICP of 3,5 billion dollars in 2005. However, in 2002, it would not have exceeded 350 million dollars. BRITISH SECRET SERVICE In theory, the ICP are a tool without rival. They rest on the principle of coding known as asymmetrical, invente!
> into 1973 within the British secret service, then rediscovered by
> Helmann, which in 1976 state the principle of it: to use a pair of keys, of which one is public and makes it possible all to sign or quantify a document, while the other is secret and makes it possible to its only owner to proceed to the opposite operation. In 1978, academics, Ronald Rivest, Adi Shamir and Leonard Adleman, proposed an algorithm allowing to carry out this prowess using prime numbers. Their system, baptized RSA, is with the c?ur solutions ICP suggested today, which rest on attribution with the users of indentity cards numerical, the certificates, standardized and recognized by the majority of the software of navigation or transport. It was enough to increase the length of the keys to put them at the shelter attacks of computers increasingly more powerful and able, from now on, to work in network on all planet. Technology is thus not in cause.C' is its setting in?uvre which poses problem. The regulation envisages a pyramid of actors. It includes/understands dis!
>ributors of certificates (in France, primarily Certplus and Certinomis) approved by authorities of certifications (generally of the banks) which, themselves, are the subject of procedures of qualification. One needs also validateurs able to hold up to date the directories of certificates and to withdraw from them those which arrived to expiry or which were revoked. The end-user must finally be duly identified, which supposes sometimes a meeting physique."Le more complicated, it is to organize confidence and to maintain it twenty-four hours out of twenty-four ", underlines Richard Pirim, architect system safety and network of the general direction of the taxes, which could judge complexity of the problem at the time of the installation of téléprocédures for the payment of the VAT by the large companies and the declaration in line of income tax, to which 608 000 people proceeded in 2003. It is - with the chart of health - only uses of scale IPC in France. Still the ministry for!
>finances it had to make compulsory the home-bankings of the VAT fo
>lion euros of sales turnover which is forced to buy electronic certificates, The electronic signature however remains confidential. Some start-up try to make it more convivial or attractive. It is the case, for example, of E-picture-Certification.com, which proposes, except ICP, a software making it possible to join an electronic signature with the image of a handwritten signature. The young company Cryptolog ambitionne, for its part, to make the economy of the deployment of key USB or card readers to chip, the usual supports of the certificates to replace them by virtual certificates stored on a distant waiter and protected by algorithms with null knowledge. Others, like Audiosmartcard, sell sound smart cards which avoid the recourse to expensive card readers, since they call upon the microphone of the ordinateurs.Reste to knowing if the market is ripe. The authorities have, on the matter, a major capacity of incentive. The project of indentity card to chip of the ministry f!
>r the interior could be used as free certificate. Minefi considers several projects of téléprocédures calling upon the electronic signature. But it cannot be allowed to propose an application which would force the users in the choice of the material - certain software does not envisage the storage of the certificates, Mac do not manage the encryption algorithms and certain versions of Windows do not accept the Java applications. To find a solution universal thus concerns the challenge. "a complexity to make quiver the developers", notes Richard Pirim. Minefi plans to call upon the large schools to develop an application of signature which could be versed in the public domain. What has supposed new times... Herve Morin an indentity card to chip is with the étudeLe ministry for the interior board, for several months, on a new generation of indentity card, equipped of a microchip. The working groups of the Beauvau Place did not rule yet officially on the type and the quantity of!
>personal information which could be stored there. Biometric inform
>, in particular, the fingerprints.  Such a possibility could cause the emergence of new card readers to chip able to authenticate their carrier formally. And justice the Ministers of Interior Department of G8, which met in Paris, Monday May 5, committed themselves besides resorting to biometrics like method of identification of their citizens. The United States already fixed, indeed, at October 2004 the date from which controls resorting to the biometrics of the identity and transport documents will be necessary for the entry on the American territory.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]