W3C home > Mailing lists > Public > public-identity@w3.org > July 2011

Secure Credential Cloning

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Thu, 21 Jul 2011 08:07:55 +0200
Message-ID: <4E27C23B.5040705@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>
There are quite a bunch of efforts based on having credentials in the cloud
as well as "syncing" them to various devices.  This fits a certain category
of credentials.  However, banks, governments, and enterprises are unlikely
to buy into this concept for various rational and historical reasons.

FWIW, the SKS/KeyGen2 scheme addresses credential mobility/accessibility
in two different ways:

- Through physical means (if using USB token form factor)
- Through credential "cloning"

Cloning is not to be confused with copying; it is a process when you get
another *instance* of the same credential.  Assume that you have a
government- or bank-credential (presumably in an awkward container
of their choice such as a regular smart card...), and that you would rather
use your iPhone as credential carrier.

If the issuer accepts your choice of credential carrier (listed on the
issuer's site), you may login to the issuer using the original credential
and get a new one for the target device.  How can you do this in a
secure manner you may wonder?

1.  The device has a device certificate which identifies the brand and
     ID to the issuer during KeyGen2 issuance process

2. During enroll you specify the SHA1 of the target device so that the
     issuer is assured that it is talking to the right container

Note: no enrollment passwords are needed!

A further advantage with cloning is that in case you lose a credential
it can be revoked while other instances of it are still usable making
it is a sort of a credential backup solution as well.

Anders
Received on Thursday, 21 July 2011 06:08:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 21 July 2011 06:08:38 GMT