----- Original Message ----- From: "Karsten Ohme" <[EMAIL PROTECTED]>
To: "MUSCLE" <[email protected]>
Sent: Thursday, March 10, 2005 5:12 AM
Subject: Re: [Muscle] muscle getChallenge, versus GP 2 way authentication
>>> Are there any other roles vs key usage models I'm missing, for the applet security policy?
>>> For example, should any offcard application be required to use a DES3-MAC key, to externally authenticate, in order to perform ANY operation - such as populate user certs?
I think this wouldn't be comfortable. Because the smartcard should simplify signing, logging in, ... If I have to know a PIN this is enough. Maybe it is desirable always to have a secure channel (this would be the only reason I see to use a secure channel), but in this case every user has to know a PIN and a 3DES key. Nobody can remember a 3DES key, which is at least 16 bytes. So the idea to go to every computer and use the card would not be possible, because I would have to have another medium with me which contains this key. Or there must be an always available server with this key. And I have to take care which computer I can trust to enter this key on.
I think we have to distinguish between the user role and the offcard entity role. These are non-GP roles, and are not discussed in the GP security policy model disclosures.
Let's assume users apply PIN logon to establish user rights. (Let's assume these rights are piss poor in the telecom world, if we believe Scott, presumably so limited by design in order to enable covert surveillance via compromised key management, or facilitate the loading/installation of deception applets.)
Let's also assume the ASM role authorizes which host software is authorized to communicate remote operations to the applet. Assume this is accomplished by limiting which host drivers have the relevant XAUT key, enabling one to log on with strong authentication to the applet, using the applet's own authentication, access control decision and enforcement mechanisms (i.e. not GP). Assume the driver is distributed in a hardware module, and the OCF provider knows how to access the hardware (perhaps another smartcard, in a quad flip pack package). In the .NET world, perhaps this is a custom remoting channel, similarly, where the role played by this XAUT is offloaded to TPMs.
Does this sound more reasonable, now?
It's not the user who is burdened with the XAUT key. Said key is in one of the many SAMs, in the multi-service-provider public phone terminal, the ATM machines, or the phone's motherboard, etc.
Bye, Karsten
_______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
