
Re: White paper of proposed architecture for NSTIC

From: Francisco Corella <fcorella@pomcor.com>
Date: Wed, 20 Jul 2011 23:00:58 -0700 (PDT)
Message-ID: <1311228058.89524.YahooMailNeo@web125503.mail.ne1.yahoo.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: "public-identity@w3.org" <public-identity@w3.org>, "Karen P. Lewison" <kplewison@pomcor.com>


Really, NSTIC is not about PIV, nor about government IT, and it certainly is not a low risk initiative.  If you don't believe me, see for yourself at http://www.nist.gov/nstic/ .


>From: Anders Rundgren <anders.rundgren@telia.com>
>To: Francisco Corella <fcorella@pomcor.com>
>Cc: "public-identity@w3.org" <public-identity@w3.org>; Karen P. Lewison <kplewison@pomcor.com>
>Sent: Wednesday, July 20, 2011 1:23 PM
>Subject: Re: White paper of proposed architecture for NSTIC
>On 2011-07-20 21:24, Francisco Corella wrote:
>> Hi Anders,
>>> The problem with this and similar efforts is that you need a
>>> *platform*.
>>> The only party that actually has a platform worth mentioning
>>> is Apple with their iPhone.
>>> Popular, can host credentials, can be on-line provisioned,
>>> great connectivity.
>> Why do you need a platform?  Why can't the browser manage
>> your credentials (whether or not they are stored in a smart
>> card).
>In the context of NSTIC we are probably talking about high-value
>credentials.  So far such have come in "hard cases".  Browsers
>could theoretically manage/provision credentials in smart cards
>but neither the browser vendors nor the card vendors have shown
>any interest in that.  My personal view is that it is *infeasible*
>using the cards we have today because they were never designed for
>end-user provisioning.
>Microsoft's "CertEnroll" doesn't even support PIN-codes to soft
>tokens so we are pretty far away from gov/bank stuff.
>>> Unfortunately I don't think the NSTIC people are prepared
>>> shelling out any money except on projects using their "own"
>>> platform, i.e. PIV.  This platform is severely constrained
>>> and supports neither multiple credentials nor on-line
>>> provisioning.
>>> PIV doesn't fit your bank-case.
>>> That people outside the Feds don't have card readers is
>>> also an indication of how "off" this thing would be as a
>>> foundation for a vibrant identity ecosystem.
>> NSTIC is not about PIV.  
>The existing US government vendors believe that.  Not PIV
>the Federal gov card but PIV as host for NSTIC credentials.
>> I believe many people involved with
>> NSTIC think PKI certificates, such as those stored in PIV
>> smart cards, are a thing of the past, to be replaced with
>> "privacy-enhanced" credentials such as Idemix anonymous
>> credentials or U-Prove tokens.  I myself think PKI
>> certificates have an important role to play going forward,
>> coexisting with privacy-enhanced credentials.
>Here we are exactly on the same page.
>> NSTIC is still pretty much a blank slate.  The first
>> workshop on technology has not taken place yet.  I'm told it
>> will take place in the Bay Area during the week of September
>> 19.  I encourage you to attend and contribute your ideas.
>They are not ready for such ideas since it involves risks.
>On-line provisioning, which we both suggest (albeit in fairly
>different ways), is out of scope for these guys, which is not
>surprising given the current state-of-the-art.
>>> Platform = HW + SW.
Received on Thursday, 21 July 2011 06:01:28 UTC