So
the problem with client side Certs is the way they are implemented..with
security in mind only, not privacy. 'Promiscuous' is the label given to them down
here..
That's
why the NZ Government does not use them in its consumer online service strategy…
And
I might point out that it's too much of a generalisation for my comfort to say to
that 'eGov prefers PKI' (Rainer's 5th bullet)
The
lines between law enforcement/security (with no privacy) and consumer
service/security (with privacy) seem to be getting blurred in some folks' minds
(certainly not Bob's, nor John's..)
<<BP:
For example, could Kantara have a role to play in making it practical to
provision client-side certificates to consumers, so that websites can enable
the use of two-way SSL for consumers who have client-side certificates>>
Maybe, but I think it won't be listened to. The change has
got to take place at the doors (hearts and minds) of the browser vendors, and
the logical co-ordination point for that is the CA Browser forum. I'm trying
to think of the directional pressure that might persuade them to tackle this
problem - the Data Protection & Privacy Commissioners group? Maybe. Kantara?
Nope. At least not unless KI is pushing at an open door..
Cheers
Colin
From: lc-bounces@kantarainitiative.org
[mailto:lc-bounces@kantarainitiative.org] On Behalf Of Bob Pinheiro
Sent: Tuesday, 15 March 2011 6:16 a.m.
To: John Bradley
Cc: dg-bctf@kantarainitiative.org; FI WG; Curry Patrick; Kantara
Leadership Council Kantara
Subject: Re: [KI-LC] PKI vs Non-PKI based trust models
Regarding U-Prove and failed efforts at consumer PKI:
For high assurance consumer applications that (should) require strong
authentication, such as online banking, payments, access to patient health
records and other sensitive personal information, what are the possibilities
for doing strong authentication?
Since PKI doesn't seem to be a realistic possibility at the consumer level (at
least not now), it seems that the current choice is limited to one-time
passwords, at least for consistency with IAF and NIST 800-63 v1.0.2.
U-Prove tokens are a potentially viable method for transmitting high assurance
claims to a RP for these consumer apps. But even so, the consumer will
still need to strongly authenticate to either an identity provider (who issues
the tokens), or to a cloud-based active client / token agent / claims
agent. Or both (??). With the demise of Cardspace, the use of a
self-issued infocard for performing this authentication seems to be out.
Joni has asked for volunteers for a strategy subcommittee to help Kantara
become more effective, attract more members, etc. I'm wondering whether
one possible strategic goal for Kantara could be to help transform PKI into
something that is practical for use by consumers.
For example, could Kantara have a role to play in making it practical to
provision client-side certificates to consumers, so that websites can enable
the use of two-way SSL for consumers who have client-side certificates?
A second possible strategic direction is to help in getting U-Prove to be
implemented in a way that is usable by consumers. There is a related
effort in the form of a claims agent working group in Identity Commons, but
that is not specific to U-Prove.
Maybe these thoughts are best discussed in the strategy subcommittee instead,
but I just wanted to put this out there and get some sense as to whether anyone
thinks these might be reasonable goals to pursue. Or not? Would
such goals stray too far from Kantara's mission?
Thanks
Bob P.
On 3/14/2011 10:50 AM, John Bradley wrote:
I helped start Xcert software (now RSA KeyOn) 12 years ago
to work on federated identity issues using PKI client Auth. Why PKI
failed in the consumer/internet space is a big topic.
I should also mention that u-prove (zero knowledge prrof) cryptography contains elements of both certificates and assertions. I have limited expectations for any short term traction on that however.