FIPS201 - A revision in the wings
- Subject: FIPS201 - A revision in the wings
- From: "Anders Rundgren" <anders.rundgren@telia.com>
- Date: Sun, 7 Aug 2005 16:23:30 +0200
Dear PKI-TWG:
An IMHO serious problem with PIV/FIPS201 is that it mixes a human-readable
"badge" with PKI credentials intended for remote access.
Although this "combo" has been touted for years as being the ideal design,
the market has developed in a not so favorable way for this vision. In particular,
the 7816-type card reader interface is still only an option, while USB is
available in just about every computer.
The reason for USB's popularity is of course that USB is a universal
interface while a 7816-type card reader has a single function.
That the form factor/connector is important is illustrated by the following
link that describes a $234 card reader, apparently approved by the GSA:
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
That this is a less than optimal solution will become even more apparent in
a couple of years when TPMs (Trusted Processing Modules), will be the
norm in mobile devices (as well as in stationary computers). TPMs will not
only replace the reader but the card(s) as well.
Slightly further down the road, the mobile device will host a WUSB (Wireless
USB) making it possible to use the mobile unit as a "secure smart card reader +
card(s) + PIN-code terminal" with any computer, including public computers.
In addition to zero cost for PKI-supporting HW, a mobile-device-based TPM will
also be able to support a magnitude more use cases than a discrete card can.
SUGGESTION
==========
A revised FIPS201 should preferably "liberate" the badge from the PKI,
which also has the advantage that you can have the badge visible all the time.
Such a revision would, though, also require upgraded standards for on-line
generation/distribution of keys and end-user certificates.
Sincerely,
Anders Rundgren