Picture + PKI ========== >> The idea of mixing a badge for visual inspection with PKI for remote access >> was a great idea. Ten years ago. Today it only creates problems and should >> be
>I would tend to agree, using traditional engineering principles. >But its an enticing social prospect: take the existing US drivers license, >and just replace it with almost the same thing with a chip on it. Bully the >issuers (the network of licensing offices) to get ready for card management >processes, en masse. But the problem is that we have a magnitude more "keys" than we have drivers licenses and passports. PIV is just a single key. Lets say you have different roles, how is this to be catered by PIV? And why could not a key be issued by the local security dpt.? And why should a key be more than just a unique identifier? The list is huge with "disconnects" between a public ID-card and keys for computer access within an organization. >One can go from 0 to 100kmh so quickly! - with such a limited scope >infrastructure upgrade. One can thereby break through all the logjams. >Breaking through the logjams - as prep. for something better - may be well >worth doing, of itself. >If we can just first get a craft in orbit, then we can worry about the moon >shot. Maybe the relative ease needed to upgrade a "paper" CA to a PKI CA has made the decision-makers ignore the other end of the rainbow? Unless the pretty clumsy card reader becomes a standard (built-in) HW as USB, PIV is toast for PC usage. "physical access control" is a rather different application. So it is not the moon that is the problem but to get off the ramp at all. The US security infrastructure ==================== >If we think more widely, we HAVE to break the problem down: or we will just >sit here for another 10 years with no infrastructure breakthroughs. The following, is the to date only published example on how the US public sector actually use PKI for sophisticated applications (not e-mail): http://middleware.internet2.edu/pki05/proceedings/kailar-phinms.ppt What is particularly interesting, is that pages 11-13 show that CDC use a "gateway" PKI approach rather than the end-to-end security approach implied by the current Federal PKI architecture. That is, the concept of a federal security infrastructure _does_not_exist_and_is not_even_a_work-item. It is a bit ironic that the [invited] paper above was originally shown in NISTs facilities! >So, lets be hopeful! Perhaps politics can work, and find interim solutions >to impossible social problems. I believe that the general lack of openess within the "security expert community" (no pun included) and NIST will prove to be the biggest obstacle. But maybe the "badge" is really the only thing Bush was shooting for? Streamlining IS operations is indeed not mentioned in HSPD-12. Anders _______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
