Subject: Re: [pki-tc] DHS RFI
Paul,

I could easily write 10 pages of "information" on this topic, which I have been involved in since 1996, albeit from a Scandinavian perspective.

The designers of PIV never did any particularly sophisticated use-case analysis. I, FWIW, have constantly "slaughtered" the idea that a physical ID-card intended for verification by a human is suitable for combining with electronic, often entirely artificial credentials to be used for logical access control and digital signatures. The reason is simple. Most of us have probably seen the picture with two dogs sitting in front of a computer. One dog says to the other dog: "On the Internet nobody knows that you are a dog". I.e. we are dealing with two entirely different use-cases.

Due to that there are no form-factor requirements for electronic credentials except that it is nice if they fit a standard computer. Today that spells USB. Tomorrow it is probably NFC/Wireless USB and NFC/WLAN. Not due to the needs of the security industry, but for transferring multi-media to PCs and performing VoIP to local broadbands. I.e. this stuff will ride on mainstream developments that are in high demand. Card readers are one-function interfaces with a currently rather uncertain demand.

Regarding the mobile phone thing, there are so many advantages of using such as credential carriers compared to cards that I don't think that smart cards will work even for the financial industry. That is, I expect EMV to be eclipsed by phones.

Rationale:

- Unfortunately we need multiple credentials, issued by different parties. PIV and its cousins do not address this situation.
- You may need multiple authentication technologies for logical access ("may" must be a huge understatement given the current situation).
- The mobile Internet has been a joke since 1998. But a decade later it may be the core of many people's use of personal IT. This may be valid for public sector employees as well, including doctors, social workers, and the police.
- The ability to actually use any 2010 WinTel machine without buying or installing a single thing will make it possible to actually perform really sophisticated stuff wherever you are. PIVs will hardly work outside the federal/state sphere.
- There are numerous extremely powerful uses that no other technology can support, by having a combination of a smart card++, display, browser, keyboard, and wireless. VISA's 3D Secure is an example of a scheme that a card cannot support in a local shop but a phone can do with ease.
- NFC/Wireless USB is a perfect replacement of mag strips for physical access control including biometric data.

You are right that there are cultural issues that may thwart some of this. I, though, believe that "enablement" is the true door opener. Then, of course, I would not forget the envy US people will get when they see a BILLION+ Asians using this really cool stuff. 200M EU citizens may also have some influence on the future.

There are other serious issues with the electronic part of PIVs, such as affiliation. That severely limits PIVs' applicability as well as increasing cost. This is yet another thing that stems from the unfortunate combination of "company badges" and PKI.

a possibly biased but reasonably honest
Anders Rundgren
Developer of mobile security technology and member of TrustedComputingGroup

----- Original Message -----
From: "Evans Paul" <evans_paul@bah.com>
To: "Anders Rundgren" <anders.rundgren@telia.com>; "Arshad Noor" <arshad.noor@strongauth.com>; "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Saturday, June 18, 2005 00:13
Subject: RE: [pki-tc] DHS RFI

Anders,

I suspect that DHS is getting roundly pummeled by the comments coming in - we had more than a dozen pages in our own response.

As for your observations, keep in mind that PIV is much more than PKI. It's an identity credential for authentication to both physical and logical resources. The smart card vendors are in high gear to produce the cards. Moreover, Phase I is more about policies and processes - the PIV I cards only need to display FIPS 201 topology to conform and don't have to include anything electronic.

You also need to understand the cultural differences here. Even if you could use a cell phone for logical access (notwithstanding issuance issues), you won't be able to have phones with non-forgeable visual attributes that will be acceptable for guards checking credentials for entry into a building. I'm having visions of everybody walking around federal buildings with cell phones dangling from their necks. Further, employee unions and contractors will be highly resistive to being required to have a cell phone that conforms to some standard that mandates government controlled capabilities on said device unless the government actually buys them, issues them and pays for any time usage. It would also require the government to buy all new computers that have the default hw/sw you believe will be manufactured in (oh, and require users and contractors working remotely to upgrade as well).

So tell me, which is less expensive? Cell phones and computers for all or a smart card and reader?

Have a good weekend.

Paul Evans
- Working for Booz Allen Hamilton but expressing personal opinion in this message -

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Friday, June 17, 2005 5:23 PM
To: Arshad Noor; PKI TC
Subject: Re: [pki-tc] DHS RFI

Arshad,

I got the impression that they left out PIV/HSPD-12 in the *pilot*. That was IMHO a reasonable step as there are not enough PIVs out there to motivate support of these. Due to the unavailability of readers they will soon also have to adapt the scheme to One Time Passwords (OTPs) as well, in spite of these not even being mentioned in the plan. As they say in the Army: When the reality and the map do not match - stick to the reality!

In Sweden, the last PKI-using bank has finally realized that the unavailability of WebSign standards and readers is a killer (for everybody) and has subsequently introduced "scratch cards". A low-tech, fully mobile, but reasonably secure solution that seems to catch on.

Believe me, PIV, GSI and CAC cards will be obsolete the very moment Uncle Sam has poured the $BNs needed, as any medium-range mobile phone will be able to "dock" to a PC using an NFC/WLAN combo while the mobile CPU itself will have full TPM capability. And all this by using default HW + SW.

It is interesting to note that neither banks nor governments have any representation in TrustedComputingGroup: https://www.trustedcomputinggroup.org/about/members

Yes, we are obviously talking 2010 here, but this is the actual speed of client-side PKI in the US, like it or not. For the org-to-org messaging it is still an open question where it is going.

AndersR

----- Original Message -----
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Thursday, June 16, 2005 20:35
Subject: [pki-tc] DHS RFI

Here is the RFI that specifically excluded PKI from its Identity Management project - shortsighted in my opinion. Feel free to let your DHS contacts know of the folly of ignoring PKI from its IdMS project. I've already done so.

Arshad Noor
StrongAuth, Inc.

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may a link to this group and all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php