Ladies & Gentlemen, PTD = Personal Trusted Device (usually in the form of a mobile phone)
The smart card manufacturers have had ample time to establish a (de-facto) standard PKI card. But they have not. Instead they have engaged in never-ending standards wars, making OS support cumbersome and expensive. On the Windows platform there is, to my knowledge, still no free PKI-card SW, which indicates something regarding the state of standards.

In another camp people have been toiling with PTDs for years without much success. One of the stumbling blocks has been where to keep private keys etc. The SIM card (which only applies to GSM) has been thought of as an appropriate place, but it suffers from a serious limitation: it is "owned" by an operator. But a user is likely to need certificates from multiple independent "operators" (issuers). In addition there is a need to improve the security of the entire mobile computing platform. Apparently a "remedy" will relatively soon come to the world consisting of billions of (for the users) precious mobile phones: http://www.arm.com/news/TrustZone270503

PTDs, compared to smart cards, are likely to reduce the complexity of integration with Windows, Linux and Mac OSes, as the "reader" is replaced by Bluetooth/Wi-Fi and the cryptographic operations are high-level ones.

Do PTDs have usage advantages over smart cards? Absolutely. The main "ingredient" making PTDs secure and potentially extremely versatile is the fact that user keys are controlled by a trusted device containing an Internet browser, a powerful CPU, lots of memory, a keyboard, and supporting a wide range of connectivity options. This should be compared to inserting a smart card into an unknown slot running unknown software on a computer that the user may not be in control of. A PTD platform, among many things, opens the door to convenient uses of "indirection" like that featured in VISA's 3D Secure and in the Liberty Alliance authentication framework.

That the very same device can be used in three completely different situations also helps:
- Remote (connected over GSM/GPRS/3G/WLAN)
- Slave (connected to a user's desktop computer)
- Local (ad-hoc connected to POS terminals etc)

I believe the moment has come to start establishing PTD platforms using SW-based security that will be comparatively easy to migrate to HW-based security in 3-4 years from now.

Anders Rundgren

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
