'(Other) dubious uses of PKI technology [was: Rationales for CA clearance constraints]'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ietf-pkix
Subject:    (Other) dubious uses of PKI technology [was: Rationales for CA clearance constraints]
From:       "Anders Rundgren" <anders.rundgren () telia ! com>
Date:       2008-10-30 9:34:10
Message-ID: 12776F76578C4462A0E60227A00CC6F6 () AndersPC
[Download RAW message or body]


Hi Moudrick,

> http://ec.europa.eu/idabc/en/document/6484/5644

There is a problem with EU PKI efforts and it is called Germany.
In Germany invoices must be signed by qualified signatures which
are personal signatures.   To make this practical, security companies
provide devices that can host dozens of smart cards, all issued for
an "authorized person" who with a single PIN-code can sign
multiple invoices.   This is of course very inefficient and expensive,
and has nothing to do with IT which is about improving processes.

The German PKI schemes and MIT's ECAT  ( http://web.mit.edu/ecat )
top my list of incorrect application of PKI technology. 

In ECAT a client cert is used for merchant login while a server-cert
is used for securing the purchase order to the very same merchant.
What's the logic in that?   In addition, I once demonstrated how
I could hack the merchant login with notepad and some HTML
in spite of using PKI.  It was not due to a bad implementation,
but to a flaw in the architecture itself.   The consortia that once
raised this scheme (OBI) ceased to exist some seven years ago,
including their web-site.

Anders

----- Original Message ----- 
From: "Moudrick M. Dadashov" <md@e-net.lt>
To: "Anders Rundgren" <anders.rundgren@telia.com>
Cc: "Scott Rea" <scott.rea@dartmouth.edu>; <ietf-pkix@imc.org>
Sent: Wednesday, October 29, 2008 20:38
Subject: Re: Random PKI critiques [was: Rationales for CA clearance constraints]


Hi Anders,

This is the publication you might want to look at:

http://ec.europa.eu/idabc/en/document/6484/5644

M.D.
cell: +370-699-26662

On Wed, October 29, 2008 18:58, Anders Rundgren wrote:
>
> <snip>
>>- PIV/CAC
>>Again, the benefit with these credentials is only when there is a broad
>>population base that carries them - the US fed govt is still rolling out
>>this program to its employees. Once critical mass is achieved, I think
>>the benefits of others having these credentials will begin to be
>> realized.
>
> Scott,
> As you probably agree with the Internet-browser has become the primary
> way to interact with just about all kinds of "information systems".
>
> As you probably also agree with, digital signatures is one of the core
> PKI (and thus PIV/CAC) mechanisms.
>
> But, it is a fact that there is no such thing as digital signatures in
> browser
> sessions except through entirely proprietary solutions.  There are
> hundreds
> of such and they are all different and usually require NDAs if you want to
> look a bit closer.
>
> In addition, and this is the really serious part, no authority, government
> body,
> or even academic institution have published anything on how client-side
> PKI should actually work with common information system processes.
>
> It does not IMHO make much difference if we wait another decade or so
> because nothing will actually happen until this very basic job is done.
>
> Anders
>
>


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic