On Sun, Sep 18, 2016 at 03:41:43PM +0000, Garfinkel, Simson L. (Fed) wrote:
> Ilari & Rene,
> Certificate-based smart cards are widely used within the US Government.
> The Department of Defense has millions of its so-called CACs (Common
> Access Cards) in use, and they are used by most DoD employees on a
> daily basis to access information systems (logical access). Other
> federal agencies have been less successful, but still somewhat
> successful, with the deployment of the PIV (Personal Identity
> Verification) cards for logical access. It is very common for federal
> agencies to purchase laptops that have slots for smart cards.
Yes, if you have widely distributed smartcards, the reader
infrastructure and sites tied to real-world identity, then things
should work just great.
Let's just say that out of the main methods used around the part of
the world I live in, using an official ID card, which also is a smartcard,
is the least BS way (if you happen to have a smartcard reader set up).
Unfortunately, none of those three assumptions above is true in the
wider web environment. There you don't want things like linkability
to real-world identity or even linkability between origins. Nor can
one assume presence of extra hardware.
Also, there is currently no feasible way to go "all in" with any
form of "what you have" authentication (except for some select sites
with larger budgets for security). And if you don't go "all in",
then you probably do cause problems for those using tokens of some
kind via still having legacy baggage from passwords.
dane mailing list