- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Wed, 20 Jul 2011 22:23:14 +0200
- To: Francisco Corella <fcorella@pomcor.com>
- CC: "public-identity@w3.org" <public-identity@w3.org>, "Karen P. Lewison" <kplewison@pomcor.com>

On 2011-07-20 21:24, Francisco Corella wrote:
> Hi Anders,
>
>> The problem with this and similar efforts is that you need a
>> *platform*.
>>
>> The only party that actually has a platform worth mentioning
>> is Apple with their iPhone.
>>
>> Popular, can host credentials, can be on-line provisioned,
>> great connectivity.
>
> Why do you need a platform? Why can't the browser manage
> your credentials (whether or not they are stored in a smart
> card)?

In the context of NSTIC we are probably talking about high-value credentials. So far such have come in "hard cases". Browsers could theoretically manage/provision credentials in smart cards but neither the browser vendors nor the card vendors have shown any interest in that. My personal view is that it is *infeasible* using the cards we have today because they were never designed for end-user provisioning. Microsoft's "CertEnroll" doesn't even support PIN-codes to soft tokens so we are pretty far away from gov/bank stuff.

>> Unfortunately I don't think the NSTIC people are prepared
>> to shell out any money except on projects using their "own"
>> platform, i.e. PIV. This platform is severely constrained
>> and supports neither multiple credentials nor on-line
>> provisioning.
>>
>> PIV doesn't fit your bank-case.
>>
>> That people outside the Feds don't have card readers is
>> also an indication how "off" this thing would be as a
>> foundation for a vibrant identity ecosystem.
>
> NSTIC is not about PIV.

The existing US government vendors believe that. Not PIV the Federal gov card but PIV as host for NSTIC credentials.

> I believe many people involved with
> NSTIC think PKI certificates, such as those stored in PIV
> smart cards, are a thing of the past, to be replaced with
> "privacy-enhanced" credentials such as Idemix anonymous
> credentials or U-Prove tokens. I myself think PKI
> certificates have an important role to play going forward,
> coexisting with privacy-enhanced credentials.

Here we are exactly on the same page.

> NSTIC is still pretty much a blank slate. The first
> workshop on technology has not taken place yet. I'm told it
> will take place in the Bay Area during the week of September
> 19. I encourage you to attend and contribute your ideas.

They are not ready for such ideas since it involves risks. On-line provision, which we both suggest (albeit in fairly different ways), is out of scope for these guys, which is not surprising given the current state of the art.

>> Platform = HW + SW.

Anders

Received on Wednesday, 20 July 2011 20:23:45 UTC