- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 24 Apr 2014 11:23:50 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>, public-webpayments@w3.org
On 2014-04-24 03:27, Manu Sporny wrote:
> On 04/23/2014 02:25 AM, Anders Rundgren wrote:
>> The US government (NIST) does not count on the cloud for storing
>> identity credentials. They prescribe that such must be stored in a
>> local FIPS-140 certified cryptographic module:
>> http://csrc.nist.gov/publications/drafts/800-157/sp800_157_draft.pdf
>
> They don't say any such thing in that document. You're also using a
> different definition of "identity credentials" from what the
> specification outlines. There's nothing that I can see that prevents the
> Identity Credentials spec from working with the NIST requirements.
>
> Two-factor authentication, FIPS-140 crypto modules, secure elements,
> USB-based crypto, all of those are things that can be used in addition
> to what the Identity Credentials specification provides.
>
> You'll have to be a bit more clear about why you think Identity
> Credentials (per the spec) stored in the cloud, coupled w/ a Derived PIV
> Credential wouldn't meet the requirements set forth by NIST? Please
> quote line numbers in the document you reference above.
>
>> When you put things in a cloud, the authentication to the cloud
>> becomes the onus since nothing is stronger than its weakest links.
>
> Yes, that's correct. However, no one is proposing that we'd only use a 1
> factor access mechanism for sensitive government systems. You'd use
> Identity Credentials plus a 2nd factor. It really doesn't matter what
> that second factor is - it could be what you're proposing, it could be
> FIDO, it could be a Yubikey, etc.
>
> The Identity Credentials stuff is almost completely decoupled from the
> 2nd factor authentication problem (as it should be).

I think that we simply have rather different visions about the Need, Authentication, Deployment and Usage of identity information in payment systems.

Anders

>
>> WebID and WebPayments will probably have to adapt to the FIDO
>> platform.
>
> We're already assuming that FIDO will be successful, and that's fine
> because what they're doing is very different from what the Identity
> Credentials spec does.
>
> -- manu
>
Received on Thursday, 24 April 2014 09:24:25 UTC