RE: German eID

You're into high PKI at this point, not self-signed certs. To use an American term, one is into assurance using "defense in depth" - about as unweb as it gets. At the same time, we have to redefine unweb somehow, if the security working groups are to succeed. Unweb cannot just mean "public, non-commercial, patent-free, uncompromising open access" as in the Berners-Lee-led era. Security is about walls, at the end of the day.
Netscape (and then Mozilla, I assume) became very involved in DoD system building - remember this means DoD OFFICE SYSTEMS (not tanks and smart bombs). Much of NSS was architected trying to make the "secure browser" exist as an assurable component independent from the assured OS on which it was working. Very Java-esque.
Microsoft and Novell did the same, for a large desktop contract.
In that era, DOD was the appointed agency for "leading the US public" - and duly "influenced" the vendor community under that mandate. They lost that leadership role a few years ago, with the best of DOD-approach-to-office-systems having delivered whatever it was going to deliver to the public systems at large.
At the time, it was all using the Common Access Card - a smartcard javacard (shush) with high-class IBM Germany design (i.e. properly engineered) key management and applet management, with 3 applets designed for "intelligent credential" management. It was all a big (not) secret, with restricted design docs. Everyone and their aunt was involved, including 99% of the IETF TLS world. To participate, you had to get written in, and play James Bond. I didn't bother. I inferred what little was worth knowing, when re-purposing some of the good technology for electronics used in US real estate targeting realtors (your family members). Realtors and James Bond could not be further apart...
Most of the smartcard angle in Windows for network logon was built up and out from this project, as were the S/MIME v3 features (and the CMS features for high-end key management, beyond keygen tag). (The Mozilla community went with the CRMF route, rather than CMS.) A lot of the "next generation" VM-centric crypto architecture in Windows (replacing Win32-centric cryptoAPI) derived from making this work sustainable, ready for the next 2 decades (being 2 decades old.. by this point).
To some degree, this evolved in the last 3 years for the various national id initiatives, including the German one. The biggest shift from 10 years ago was to address RFID elements in the card. DSPs ranging at 30m can now sense the RFIDs in (German) passports in a crowd of 100 fast-moving pedestrians. Half the vendors in the US have programs to contribute to the US govt application of this, with the govt e-badge attempting to mix the physical and electronic properties so one "corporate badge" opens doors and computer accounts alike. Obviously, it's a personal locator too.
There was complementary work in the UK to embed cheap RFIDs in (recoverable) train tickets, tube tickets and the like, to complement those in car tires. The idea was to track movement and association in general - as a generator of intelligence inferred from travel patterns. The hard engineering was orchestrating the sensor network, particularly in a crowded place (like a packed pub). But the main goal was to infer from stats the associations (as folks "approach" the unsensorable pub). It's like the 1940s-era cryptanalysts picking up the occasional blip from a cryptorotor, and then using heuristic predictions (like semweb logic) to compute Bayesian inferences. All good stuff, being repurposed 60 years later.
The hardest problem here is dealing with the social politics ("who here wants to work for free to make the semantic web be a giant spying and sensing network?"). The German nation seems to get it about right. Whereas in Anglo-American culture and its projections, there is a tendency to rely on social deception (the "one cannot trust the citizen to be trustworthy" mantra), in the German model the solution tends to be massive, impersonal but somehow effective - but there is a limit in which the individual can believe. And that's just the way German democracy works in general: the individual is the guardian, not the government. It manifests in the "social contract" for hard cryptopolitical dilemmas.
At last year's RSA show, the German tradeshow made a great effort to present its technology and ideas, trying to express in English the social contract between the vendors and the government agencies (something to be said for using the German words, so one can enjoy the subtleties and avoid the translation misses). The most embarrassing part was the reaction of the American commentators, who made repeated, catty WWII references. But then, RSA is an American show, at the end of the day, catering to the wants and needs of its paying attendees.

> Date: Tue, 8 Feb 2011 10:29:43 +0000
> From:
> To:
> CC:;
> Subject: Re: German eID
> Henry Story wrote:
> > <webr3> like the US too
> > It would be interesting to see if browsers can interact with these cards, if they contain an X509 certificate, and if these could contain a WebID.
> Firefox does to some degree, it's the most advanced crypto wise:
> There is scope to get this "in to" all the browsers, because it simply 
> needs spec'd properly, and it's one of the to-do (html wg or webapps) 
> specs which needs an editor / written..
> Best,
> Nathan

Received on Tuesday, 8 February 2011 12:57:05 UTC