- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 23 Apr 2014 21:27:02 -0400
- To: public-webpayments@w3.org
On 04/23/2014 02:25 AM, Anders Rundgren wrote:
> The US government (NIST) do not count on the cloud for storing
> identity credentials. They prescribe that such must be stored in a
> local FIPS-140 certified cryptographic module:
> http://csrc.nist.gov/publications/drafts/800-157/sp800_157_draft.pdf

They don't say any such thing in that document. You're also using a different definition of "identity credentials" from what the specification outlines. There's nothing that I can see that prevents the Identity Credentials spec from working with the NIST requirements. Two-factor authentication, FIPS-140 crypto modules, secure elements, USB-based crypto, all of those are things that can be used in addition to what the Identity Credentials specification provides.

You'll have to be a bit more clear about why you think Identity Credentials (per the spec) stored in the cloud, coupled w/ a Derived PIV Credential, wouldn't meet the requirements set forth by NIST. Please quote line numbers in the document you reference above.

> When you put things in a cloud, the authentication to the cloud
> becomes the onus since nothing is stronger than its weakest links.

Yes, that's correct. However, no one is proposing that we'd only use a 1-factor access mechanism for sensitive government systems. You'd use Identity Credentials plus a 2nd factor. It really doesn't matter what that second factor is - it could be what you're proposing, it could be FIDO, it could be a Yubikey, etc. The Identity Credentials stuff is almost completely decoupled from the 2nd-factor authentication problem (as it should be).

> WebID and WebPayments will probably have to adapt to the FIDO
> platform.

We're already assuming that FIDO will be successful, and that's fine because what they're doing is very different from what the Identity Credentials spec does.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Thursday, 24 April 2014 01:27:31 UTC