Re: FIPS201 - A revision in the wings
Hi Dan,
It is nice with some feedback for a change :-)

Dan Turissini wrote:

<snip>

>3) However, the option of deploying a "not so smart card" with a USB
>crypto-token

I don't fully understand what you mean with "not so smart card".  Is it because
it does not have a personalized outside and an RFID interface?  Apart from that,
a USB token should be functionally equivalent to a "smart card".

>should not be discounted as an alternative.

Does "discounted" mean that you are in favor
of revising FIPS201 to also support picture-less tokens in USB format
or not?  In case you do, I would take this revision one step further and
remove form-factor completely.  As long as the "container" supports
a specified security-level it should be sufficient for PIV.  Although TPMs
may seem non-practical, in mobile devices they make sense. Particularly
compared to clumsy and expensive external readers and tokens.

regards
Anders

Anders Rundgren wrote:

Dear PKI-TWG:

An IMHO serious problem with PIV/FIPS201 is that it mixes a human-
readable "badge" with PKI credentials intended for remote access.

Although this "combo" has been touted for years as being the ideal design,
the market has developed in a not so favorable way for this vision.  In particular,
the 7816-type card reader interface is still only an option, while USB is
available in just about every computer.

The reason for USB's popularity is of course that USB is a universal
interface while a 7816-type card reader has a single function.

That the form factor/connector is important is illustrated by the following
link that describes a $234 card reader, apparently approved by the GSA:
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html

That this is a less than optimal solution will become even more apparent in
a couple of years when TPMs (Trusted Processing Modules), will be the
norm in mobile devices (as well as in stationary computers).  TPMs will not
only replace the reader but the card(s) as well.

Slightly further down the road, the mobile device will host a WUSB (Wireless
USB) making it possible to use the mobile unit as a "secure smart card reader +
card(s) + PIN-code terminal" with any computer, including public computers.

In addition to zero cost for PKI-supporting HW, a mobile device based TPM will
also be able to support a magnitude more use cases than a discrete card.

SUGGESTION
==========

A revised FIPS201 should preferably "liberate" the badge from the PKI,
which also has the advantage that you can have the badge visible all the time.

Such a revision would, though, also require upgraded standards for on-line
generation/distribution of keys and end-user certificates.

Sincerely
Anders Rundgren

--

Daniel E. Turissini

President
Operational Research Consultants, Inc.
South Tower, Suite 210
11250 Waples Mill Road
Fairfax, Virginia 22030

703-246-8550