Subject: Re: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion
Anders,

Thanks for your input. I have to say that I think you construct a caricature of security, then shoot it down, and then extrapolate to reach some fairly extreme conclusions! I do not think that enterprise-to-enterprise versus end-to-end is an either-or dichotomy. And I don't think there is a dichotomy between smartcard based transactions and cell phone based transactions [I recall you have argued previously for cell phones to supersede cards]. The world is a very big place and we will see all these options, and more. And even banks will offer (of course) different security options in the form of multiple products.

What we see in Asia is a huge rollout of smartcards for a very wide range of "products". Just today I chatted with the head of a Taiwanese security integration firm. He has several smartcards in his wallet:

- a national Health Insurance Card (note that doctors here have their own special purpose smartcard)
- a Visa smartcard
- a bank debit smartcard
- a government issued digital certificate card for personal G2C
- a company issued ID card plus transit purse card (combo).

My view is that once people have smartcards that have meaning or authority over particular domains (like government, employer, profession, bank) then we should leverage each card to secure any online transactions that the associated domain happens to offer. I agree with the position of NIST and the US PIV card, that only PKI on a cryptographically smart device can protect against Man In The Middle attack (although unfortunately not all smartcards on issue right now are PKI cards). The smartcard is a wonderful form factor for ID-plus-online security. The only short term problem is the lack of readers. Note that in Taiwan, smartcard readers are available in 7-11 stores for US$10. In large volumes, there are OEM smartcard readers priced at less than $3.00.
I agree with you Anders that a great many enterprise transactions are best secured at the gateway (especially from an encryption point of view). This is a good model indeed, but not the only one, and not a "competitor" to end-to-end security. I know from a New Zealand project several years ago that they implemented government-wide gateway PKI only because they couldn't get smartcards and client software as they existed back then to work. They viewed gateway PKI as effective BUT a compromise, because they lost strong authentication of individuals. That is not a bad compromise in many cases; and there are other ways to get individually auditable proof of origin. But it is a compromise nevertheless.

Remember that the traditional problems, overheads and complexity of individual PKI resulted from poor design and the limitations of soft certs. Once we have embedded certs in smartcards, and better infrastructure support (roll on Longhorn!) the complexity will be deeply buried. I think that the physics and mechanical engineering of magnetic oxide formulations is actually much more complicated than public key cryptography, so my vision is that smartcards will make PKI as easy to use as magnetic stripe cards. This is what I think is the "blueprint for future PKI".

The answer to your "blunt question" is, sorry, it's the wrong question! Nothing about smartcards and embedded PKI (especially when used to secure online access to services) changes the banks' back-end enterprise-to-enterprise arrangements. These security models will co-exist.

Cheers,

Stephen Wilson.

> Stephen,
>
> We probably all have our own agendas so I cannot really ask for you to run my take on the PKI business, which is essentially saying that securing the enterprise and securing enterprise-2-enterprise information exchange are two separate issues that IMHO benefit from being separated.
>
> In Asia they have apparently bought into the end-to-end security model.
> But every financial institution has a different security solution for backend bank-2-bank transactions (like SWIFT) than they have for their employees.
>
> =================================================
> My blunt question is simply: Do the Asian PKI people believe that banks have gotten this wrong and should change to full end-to-end security?
> =================================================
>
> In fact I think this question might as well be answered by the PKI-TC members as it in its simplicity actually holds the blueprint to the PKI of the future.
>
> regards
> Anders
>
> ----- Original Message -----
> From: "Stephen Wilson" <swilson@lockstep.com.au>
> To: <pki-tc@lists.oasis-open.org>
> Sent: Tuesday, September 13, 2005 01:28
> Subject: fwd: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion
>
>
> Hi everyone
>
> I'm in Taipei now, about to start the Asia PKI Forum meetings, and making last minute preparations!
>
> These include getting ready for my panel discussion on Thursday regarding security, privacy, and cybercrime in the ubiquitous network, as discussed a couple of weeks ago.
>
> Does anyone have any last minute thoughts please on these topics, per my request below?
>
> Absent any feedback from the TC, my remarks to the conference will concentrate on the need for EMV and other smartcards to be pushed much harder, with embedded PKI for mutual authentication, protecting against MITM, phishing and spam, and providing the privacy enhancing options of multiple personae, control over one's keys, and decoupling of names from identifiers.
>
> Thanks for any input. Cheers,
>
> Stephen Wilson.
>
> Forwarded Message:
> --
> From: Stephen Wilson
> To: pki-tc@lists.oasis-open.org
> Subject: [pki-tc] Call for input: Asia PKIF Forum Panel Discussion
> Date: Aug 30, 2005
> --
>
> > Dear All
> >
> > The next meeting of the Asia PKI Forum (Taipei, September 13-15) features a panel discussion about PKI in the "ubiquitous network". I will be speaking on the panel. This e-mail is to invite input from the TC on this topic.
> >
> > Attached is the panel background. I will also upload the conference program to the TC pages, for further information.
> >
> > As you can see, there is a certain emphasis on privacy and cybercrime. I happen to have been working extensively on these topics in the past 12 months, and I have also developed various views about embedded/automated client side PKI. So my initial thoughts about the panel discussion are listed below.
> >
> > However, I would like to make sure that my presentation is reflective of the PKI TC. So please let me have your thoughts too.
> >
> > -- NIST and others have concluded that the only way to prevent Man In The Middle attack (a major new vector for phishing and id crime) is PKI-enabled smartcards. This is a major indicator of the requisite widespread use of PKI and smartcards to protect privacy and combat cyber crime.
> >
> > -- Further, PKI offers ways to mask identities via anonymous digital certificates in order to deidentify such transactions as electronic health records, e-voting, online census collection etc.
> >
> > -- A major trend in PKI deployment worldwide is embedded digital certificates, whereby the technology is no more complex for users than are magnetic stripes on regular plastic cards. Examples include EMV smartcards, e-passports, national identity cards, national health entitlement cards, and set-top cable TV boxes.
> >
> > -- Smartcards (and related mobile devices like cell phones and PDAs) can function as containers for multiple digital credentials. This means that PKI need not lead to a single digital identity, and therefore PKI can be fundamentally privacy-enhancing.
> >
> > Comments are welcome! If anyone is interested, further details on some of these thoughts are at
> > http://www.lockstep.com.au/library/ehealth/a_novel_application_of_pki_sm
> > and
> > http://www.lockstep.com.au/library/privacy/submission_to_the_2005_senate
> >
> > Cheers,
> >
> > Stephen.
> >
> > Stephen Wilson
> > Lockstep Consulting Pty Ltd
> > www.lockstep.com.au
> > ABN 59 593 754 482
> >
> > 11 Minnesota Ave
> > Five Dock NSW 2046
> > Australia
> >
> > P +61 (0)414 488 851
> >
> > --------------------
> >
> > About Lockstep
> > Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent advice and analysis on cyber security policy, strategy, risk management, and identity management. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. You may a link to this group and all your TCs in OASIS at:
> > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php