Re: FIPS201 - A revision in the wings


1) The TPM may not be a "personal" device and may be more appropriately used to provide dual authentication between a workstation and a user; the PIV would then be an appropriate token for the user.

2) You seem to imply that card readers are not available with a USB interface, or will not be universally available. I remember the similar arguments wrt 3-1/2" floppies.

3) However, the option of deploying a "not so smart card" with a USB crypto-token should not be discounted as an alternative.

Anders Rundgren wrote:
Dear PKI-TWG:

An IMHO serious problem with PIV/FIPS201 is that it mixes a human-
readable "badge" with PKI credentials intended for remote access.

Although this "combo" has been touted for years as being the ideal design,
the market has developed in a not so favorable way for this vision.  In particular,
the 7816-type card reader interface is still only an option, while USB is
available in just about every computer.

The reason for USB's popularity is of course that USB is a universal
interface while a 7816-type card reader has a single function.

That the form factor/connector is important is illustrated by the following
link that describes a $234 card reader, apparently approved by the GSA:
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html

That this is a less than optimal solution will become even more apparent in
a couple of years when TPMs (Trusted Processing Modules), will be the
norm in mobile devices (as well as in stationary computers).  TPMs will not
only replace the reader but the card(s) as well.

Slightly further down the road, the mobile device will host a WUSB (Wireless
USB) making it possible to use the mobile unit as a "secure smart card reader +
card(s) + PIN-code terminal" with any computer, including public computers.

In addition to zero cost for PKI-supporting HW, a mobile-device-based TPM will
also be able to support a magnitude more use cases than a discrete card can.

SUGGESTION
==========

A revised FIPS201 should preferably "liberate" the badge from the PKI,
which also has the advantage that you can have the badge visible all the time.

Such a revision would, though, also require upgraded standards for on-line
generation/distribution of keys and end-user certificates.

Sincerely
Anders Rundgren



--
Daniel E. Turissini

President
Operational Research Consultants, Inc.
South Tower, Suite 210
11250 Waples Mill Road
Fairfax, Virginia 22030

703-246-8550




