E2E = End-to-end
GW = Gateway
Germany's e-Government adopts the GW approach
I just returned from a conference in Hungary called
ISSE 2005 (Information Security Systems Europe), where I presented an
authentication solution on behalf of my employer. Fortunately, I was
also able to attend a presentation by a BSI (the NIST of Germany) delegate,
who presented their gateway approach for e-government transactions and
messaging. The person started with a slide containing the line:
"End-to-end security died even before it even was alive". This was not a
research report but a real system based on a set of new BSI standards, and
it comes from a country that, more than any other, has been associated
with legally binding signatures, qualified certificates and
similar.
Based on publicly available information, the
governments in the US and in Asia have (apparently) concluded
that they do not need a defined security architecture for interacting with
society at large. This is a pity, since HSPD-12/PIV addresses neither
cross-agency messaging nor G2B messaging (in the original text at least);
it is rather designed to secure access to federal
resources. The original use-case should work just fine, while the extended
use-case often does not. "How do you send an encrypted message to the tax
department" (which the BSI representative mentioned as an example) shows, in its
extreme simplicity, that this is not simply a matter of using smart cards
or not; it is rather a security architecture issue. The BSI question
also indicates that there are privacy issues that are not particularly
well addressed by the E2E model (while they definitely are by its challenger, the
gateway).
The way ahead?
The extreme positions taken by different "PKI
theologists" (unfortunately including myself) have so far created a huge
gap benefiting nobody. It is, however, indeed possible to combine
these two diverging paths into a very potent, economical and
extensible security architecture.
Anders Rundgren
Located in the EU, working for a major US computer security
company, but here only representing
myself.