pki-tc message

Subject: Re: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion


Thanks for your input.  

I have to say that I think you construct a caricature of security, then 
shoot it down, and then extrapolate to reach some fairly extreme 

I do not think that enterprise-to-enterprise versus end-to-end is an 
either-or dichotomy.  And I don't think there is a dichotomy between 
smartcard based transactions and cell phone based transactions [I recall 
you have argued previously for cell phones to supersede cards].  The world 
is a very big place and we will see all these options, and more.  And even 
banks will offer (of course) different security options in the form of 
multiple products. 

What we see in Asia is a huge rollout of smartcards for a very wide range 
of "products".  Just today I chatted with the head of a Taiwanese security 
integration firm.  He has several smartcards in his wallet: 
- a national Health Insurance Card 
  (note that doctors here have their own special purpose smartcard)
- a Visa smartcard 
- a bank debit smartcard 
- a government issued digital certificate card for personal G2C 
- a company issued ID card plus transit purse card (combo). 

My view is that once people have smartcards that have meaning or authority 
over particular domains (like government, employer, profession, bank) then 
we should leverage each card to secure any online transactions that the 
associated domain happens to offer.  I agree with the position of NIST and 
the US PIV card, that only PKI on a cryptographically smart device can 
protect against Man In The Middle attack (although unfortunately not all 
smartcards on issue right now are PKI cards). 

The smartcard is a wonderful form factor for ID-plus-online security. The 
only short term problem is the lack of readers.  Note that in Taiwan, 
smartcard readers are available in 7-11 stores for US$10.  In large 
volumes, there are OEM smartcard readers priced at less than $3.00.  

I agree with you Anders that a great many enterprise transactions are best 
secured at the gateway (especially from an encryption point of view).  
This is a good model indeed, but not the only one, and not a "competitor" 
to end-to-end security.  

I know from a New Zealand project several years ago that they implemented 
government-wide gateway PKI only because they couldn't get smartcards and 
client software as they existed back then to work.  They viewed gateway 
PKI as effective BUT a compromise, because they lost strong authentication 
of individuals.  That is not a bad compromise in many cases; and there are 
other ways to get individually auditable proof of origin.  But it is a 
compromise nevertheless. 

Remember that the traditional problems, overheads and complexity of 
individual PKI resulted from poor design and the limitations of soft 
certs.  Once we have embedded certs in smartcards, and better 
infrastructure support (roll on Longhorn!) the complexity will be deeply 
buried.  I think that the physics and mechanical engineering of magnetic 
oxide formulations is actually much more complicated than public key 
cryptography, so my vision is that smartcards will make PKI as easy to use 
as magnetic stripe cards.  This is what I think is the "blueprint for 
future PKI". 

The answer to your "blunt question" is, sorry, it's the wrong question!  
Nothing about smartcards and embedded PKI (especially when used to secure 
online access to services) changes the banks' back-end enterprise-to-enterprise 
arrangements.  These security models will co-exist.  


Stephen Wilson.

> Stephen,
> We probably all have our own agendas so I cannot really ask for
> you to run my take on the PKI business, which is essentially saying
> that securing the enterprise and securing enterprise-2-enterprise
> information exchange are two separate issues that IMHO benefit from
> being separated.
> In Asia they have apparently bought into the end-to-end security model.
> But every financial institution has a different security solution for 
> bank-2-bank transactions (like SWIFT) than they have for their employees.
> =================================================
> My blunt question is simply: Do the Asian PKI people believe that banks
> have gotten this wrong and should change to full end-to-end security?
> =================================================
> In fact I think this question might as well be answered by the PKI-TC 
> as it in its simplicity actually holds the blueprint to the PKI of the 
> regards
> Anders
> ----- Original Message ----- 
> From: "Stephen Wilson" <swilson@lockstep.com.au>
> To: <pki-tc@lists.oasis-open.org>
> Sent: Tuesday, September 13, 2005 01:28
> Subject: fwd: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion
> Hi everyone
> I'm in Taipei now, about to start the Asia PKI Forum meetings, and 
> last minute preparations! 
> These include getting ready for my panel discussion on Thursday 
> security, privacy, and cybercrime in the ubiquitous network, as 
> a couple of weeks ago. 
> Does anyone have any last minute thoughts please on these topics, per my 
> request below?  
> Absent any feedback from the TC, my remarks to the conference will 
> concentrate on the need for EMV and other smartcards to be pushed much 
> harder, with embedded PKI for mutual authentication, protecting against 
> MITM, phishing and spam, and providing the privacy enhancing options of 
> multiple personae, control over one's keys, and decoupling of names from 
> identifiers.  
> Thanks for any input.  Cheers, 
> Stephen Wilson.
> Forwarded Message:
> --
> From:    Stephen Wilson
> To:      pki-tc@lists.oasis-open.org
> Subject: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion
> Date:    Aug 30, 2005
> --
> > 
> > Dear All
> > 
> > The next meeting of the Asia PKI Forum (Taipei, September 13-15) features 
> > a panel discussion about PKI in the "ubiquitous network".  I will be 
> > speaking on the panel.  This e-mail is to invite input from the TC on this 
> > topic. 
> > 
> > Attached is the panel background.  I will also upload the conference 
> > program to the TC pages, for further information. 
> > 
> > As you can see, there is a certain emphasis on privacy and 
> I 
> > happen to have been working extensively on these topics in the past 12 
> > months, and I have also developed various views about 
> > client side PKI.  So my initial thoughts about the panel discussion 
> > listed below.  
> > 
> > However, I would like to make sure that my presentation is reflective 
> > the PKI TC.  So please let me have your thoughts too. 
> > 
> > 
> > -- NIST and others have concluded that the only way to prevent Man In The 
> > Middle attack (a major new vector for phishing and id crime) is PKI-
> > enabled smartcards.  This is a major indicator of the requisite widespread 
> > use of PKI and smartcards to protect privacy and combat cyber crime. 
> > 
> > -- Further, PKI offers ways to mask identities via anonymous digital 
> > certificates in order to deidentify such transactions as electronic health 
> > records, e-voting, online census collection etc. 
> > 
> > -- A major trend in PKI deployment worldwide is embedded digital 
> > certificates, whereby the technology is no more complex for users than are 
> > magnetic stripes on regular plastic cards.  Examples include EMV 
> > smartcards, e-passports, national identity cards, national health 
> > entitlement cards, and set-top cable TV boxes.  
> > 
> > -- Smartcards (and related mobile devices like cell phones and PDAs) 
> > function as containers for multiple digital credentials.  This means that 
> > PKI need not lead to a single digital identity, and therefore PKI can be 
> > fundamentally privacy-enhancing.  
> > 
> > 
> > Comments are welcome!  If anyone is interested, further details on 
> of 
> > these thoughts are at 
> > 
> > and
> > 
> > 
> > 
> > Cheers, 
> > 
> > Stephen.
> > 
> > 
> > Stephen Wilson
> > Lockstep Consulting Pty Ltd
> > www.lockstep.com.au
> > ABN 59 593 754 482
> > 
> > 11 Minnesota Ave
> > Five Dock NSW 2046
> > Australia
> > 
> > P +61 (0)414 488 851
> > 
> > --------------------
> > 
> > About Lockstep 
> > Lockstep was established in early 2004 by noted authentication expert 
> > Stephen Wilson, to provide independent advice and analysis on cyber 
> > security policy, strategy, risk management, and identity management.  
> > Lockstep is also developing unique new smartcard solutions to address 
> > privacy and identity theft. 
> >  
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  You may a link to this group and all your TCs in 
> > at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
> > 