Yep, fair point Rainer, regarding how SmartCards can come into play and 'connecting islands'..
It's not that we are totally averse to any PKI. We are looking at PKI-ish solution as one of a number of options for federating government agencies. But this is not customer/end user facing.
Cheers
Colin
From: Rainer Hörbe [mailto:rainer@hoerbe.at]
Sent: Wednesday, 16 March 2011 8:37 p.m.
To: Bob Pinheiro
Cc: Colin Wallis; dg-bctf@kantarainitiative.org; FI WG; Kantara Leadership Council Kantara
Subject: Re: [KI-LC] PKI vs Non-PKI based trust models
Bob,
SmartCards can be positioned in vertical markets, where there is a fine tuned value proposition and quality level for users and service providers, usually bundled with some "physical" benefit of the card like a customer loyalty program or physical access control. My view is that the way to better market penetration is to build these islands and then connect them using both pki and non-pki federations. I would not expect any breakthrough soon.
- Rainer
On 16.03.2011 at 00:55, Colin Wallis wrote:
Bob
Some interesting thoughts.. (more so if one had decided to use smartcard technology).
FWIW, the emerging view from our program down in this little country is that end user/citizen folks want to carry another card around like a hole in the head. It would be different if we already had a sizable penetration of smartcards but we don't. However, we see many more possibilities with the ubiquitous mobile device. Those possibilities are dashed right now because the things that make identity work are hardwired into the OS with really, let's face it, no security. And, a bit like the browser vendors, I guess there is no incentive/pressure on them to change, and understandably the unit price would go up.
But wouldn't it be great to have a *separated* secure standardised TPM for things that customers carry round with them whatever they were... Bill, our lead architect uses an example of a phone, with all its usual stuff on one side and the TPM module on the back. We heard that Iron Key are going the TPM-type way, so that seems to line up with Bob's reference below. And this is getting close to our notion. But still, you want the USB to also do its usual storage functions and more too, right?
Cheers
Colin
From: Bob Pinheiro [mailto:kantara@bobpinheiro.com]
Sent: Tuesday, 15 March 2011 5:43 p.m.
To: John Bradley
Cc: Colin Wallis; dg-bctf@kantarainitiative.org; FI WG; Curry Patrick; Kantara Leadership Council Kantara
Subject: Re: [KI-LC] PKI vs Non-PKI based trust models
OK, but it's still possible to use certificates for strong authentication of consumers if the certificate is contained on a USB smartcard token. Of course, relying parties must accept certificates for consumer authentication. Maybe there is a chicken-and-egg problem here: RPs may have little interest until someone shows them a strong authentication solution using certificates and smartcards that is economically viable for adoption and use by consumers. But will smartcard vendors devote resources to this until they see a consumer market?
The Smart Card Alliance (http://www.smartcardalliance.org/) is a member of Kantara, and is also interested in getting smartcard technology into the hands of consumers. The Smart Card Alliance is represented on the Consumer Identity WG because they were hoping to get some insight into consumer interest in, and adoption of, smartcards. Unfortunately, that kind of insight doesn't exist within the Kantara community. At least not within CIWG. Yet the Smart Card Alliance has an Identity Council (http://www.smartcardalliance.org/pages/activities-councils-identity), so there ought to be some opportunities for collaboration between Kantara and Smart Card Alliance. There are at least two areas where our interests probably overlap: use of smartcards for access to patient health records, and smartcards as form factors for identity credentials usable within the "ecosystem" enabled by the National Strategy for Trusted Identities in Cyberspace.
Another Kantara member is Fraunhofer FOKUS, which is the host of the next Kantara meeting, and is also a provider (?) of German eID cards. And although there seems to be no formal working relationships between Kantara and Microsoft, smartcards were used to provide secure U-Prove tokens for an RSA demo by splitting the token's private key between the user's computing device and the smartcard.
So there seem to be a number of areas where certificates and smartcards can be used for strong authentication and/or high assurance claims. If these topics are of sufficient interest within Kantara, and resources can be found, perhaps there are opportunities for collaboration with Smart Card Alliance and others.
Bob P.
On 3/14/2011 6:25 PM, John Bradley wrote:
Colin,
I spent many years with the PKI Forum and other places pushing the better browser support rock up the hill to no great success.
There has been no detectable improvement in mutual TLS support. On the other hand EV certs got in because there was a clear revenue model to the PKI Forum participants.
Some of the problem relates to TLS itself and the rest with the browser vendors.
If I had to get one thing from them it would be a way to do ephemeral keys for HoK as STORK and others have been asking for, also to no great success.
If someone wants to put together a gang to take on the browser vendors I am in, but I am realistic about any real progress after 10 years or so of trying.
John B.
On 2011-03-14, at 5:56 PM, Colin Wallis wrote:
So the problem with client side Certs is the way they are implemented.. with security in mind only, not privacy. 'Promiscuous' is the label given to them down here..
That's why the NZ Government does not use them in its consumer online service strategy...
And I might point out that it's too much of a generalisation for my comfort to say that 'eGov prefers PKI' (Rainer's 5th bullet)
The lines between law enforcement/security (with no privacy) and consumer service/security (with privacy) seem to be getting blurred in some folks' minds (certainly not Bob's, nor John's..)