http://csrc.nist.gov/publications/nistir/nist-IR-7206.pdf
It seems that NIST researchers are doing things in this area.
They have also concluded that the PIV card format is "wrong" and
that PIV needs to get out of its ID-card/badge costume in order to
deliver full value.
Maybe the PIV card's user
d further funding for a secretariat and a small number of editors.
Short-sighted of them.
(Anders: can you identify the security lists, please?)
Peter
Anders Rundgren wrote:
> There have been several suggestions in various security lists that a
> HW token during a CSR (Certificate Signing Re
have store (and use) keys in "strong cases".
Pardon my ignorance, but is there any kind of standard practice for
deploying vendor keys? Links would be highly appreciated.
In addition I would like to know how one could handle such keys from
a PKCS #11 interface.
thanx,
Ander
Picture + PKI
==
>> The idea of mixing a badge for visual inspection with PKI for remote access
>> was a great idea. Ten years ago. Today it only creates problems and should
>> be
>I would tend to agree, using traditional engineering principles.
>But it's an enticing social prospect: ta
Peter,
Why not contact these total losers that offer a $234 card reader, apparently
approved by the GSA?
http://www.karbonsystems.com/BlackBerry-SMIME-CAC-products_detail-83.html
Note that Dell PDAs are shipped with a TPM although it is currently disabled.
The idea of mixing a badge for visual i
http://news.com.com/Senate+approves+electronic+ID+card+bill/2100-1028_3-5702505.html?tag=nefd.top
Will Real ID be based on FIPS-201 (or
similar), or is the US government about the only government in the
world to exclude logical access in their ID-cards?
Anders
__
>NIST/PIV has nothing whatsoever to do with physical transmission or the
>physicality of the platform. You can run it on a USB token, a PCMCIA
>token, a harddisk, a TPM, a cell-phone or a tom-tom.
In theory that may be right (I don't know that much about 781x standards),
but an "ID-card" will for
Scott,
>1) The CEPS documents were full of "Payments" and we know how successful
>CEPS was.
>2) I don't find "Payments" in many of the IAS/eID/CEN-224 documents
>either.
1+2: It is really something entirely different I am thinking of. It is rather
virtual resources in the spirit of VISA's 3D Se
I have a rather orthogonal comment to this.
If you search for "Payments" or "GPEA" (Government Paperwork Elimination Act)
in the FIPS-201 and SP800 documents you get zero hits.
This part will be the biggest difference between PIV and its yet to be
launched European counterparts.
That is, the wel
- e-Sign, IAS, SIM,
PIV, etc. - on any platform you want and communicate with it using any
communication technology you want.
The physicality of the platform and the communication channel are
totally immaterial.
Cheers, Scott
-Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PR
an banks.
Would be fun to make a device that links the three streams of work together
- NF mobility, plus bio-swipe, plus a NF-based "match-on-peer" - where the
phone's DSP is the peer for performing the match.
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:mu
Ok, So lets get political!
To mix physical access based on biometrics with remote (a.k.a. logical) access
based on "keys" is not such a terribly good idea as these uses constrain each
other.
I am almost sure that the Nordic region will not jump into this box, in fact
we once started there in a g
;d know that there is no
evidence whatsoever that Nokia or Motorola creates
better code than Microsoft or IBM. At least Microsoft asks you if you want the
update. The handset manufacturers in collusion with
the operators just push it to your handset whether you like it or not.
And you want me to
on the
Internet rather than in the regulated "phone nets". And then come
things like WLAN, VoIP, Skype etc. that totally change the
fundamentals of the business. My guess is that big organizations
will not accept that their employees use expensive operator-
controlled lines if they alre
Another, somewhat related thought experiment:
http://web.telia.com/~u18116613/TheUniversalAccessControlCard.pdf
Anders R
- Original Message -
From: "Peter Williams" <[EMAIL PROTECTED]>
To: "MuscleCard Mailing List"
Sent: Sunday, February 27, 2005 05:14
Subject: [Muscle] Re: .Net remoti
Somewhat off-topic but assume that you wanted to switch from MSIE to
Mozilla but actually do not want to change anything else including
card drivers etc. Wouldn't that require Mozilla to add CryptoAPI
support?
Anders R
___
Muscle mailing list
Muscle@list
er". Or maybe,
define an initial form factor and interface, but leave the door open to
other schemes like the ones the Trusted Computing Group are working
with.
Regards
Anders Rundgren
Developer of mobile security technology
http://www.motorola.com/mediacenter/news/detail/0,,4762_4058_23,00.html
___
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle
>>Bad way: Having the user / card / device recognize the
>>authenticity of ATM. Using PKI that would require the
>>root(s) of ATM PKIs be carried around. Will not happen. Ever.
>Why not? Let's say I want to do business with bank XYZ. So I get a
>certificate from their CA, and put it in my trus
>Perhaps I used the wrong choice of words. Symmetric keys can't scale to
>2 billion users. Asymmetric keys are necessary. I don't mean that a
>fully integrated PKI is necessary. But some infrastructure may be
>needed if one is going to trust a strange system.
Although desirable, such requirements
Bruce,
NFC is a *consumer* oriented solution. Such solutions by definition
do not even try to solve all problems you describe. That the device
would authenticate to the reader is out of scope in that realm. You
should rather compare this to WLAN connections.
There are no shared secrets as that d
Bruce,
Since I to some extent work with this I may provide some answers.
NFC's main contribution is really "only" to initiate a secure WLAN,
Bluetooth, or UWB link between a smart device and a contact point
of some kind. A possible session state is only in the link.
Due to the short range security
ginal Message -
From: "Welson R. Jacometti" <[EMAIL PROTECTED]>
To: "MUSCLE" <[EMAIL PROTECTED]>
Sent: Wednesday, September 15, 2004 21:47
Subject: Re: [Muscle] NFC - A killer technology
Hello guys,
I used to love Bitnet flames. Please let's start one here!
et of N in an industry, they will form a
forum to declare their proprietary twonkies to be the industry standard.
Yawn.
Cheers, Scott
-Original Message-
From: Anders Rundgren [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 15, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: [Muscle] NFC
http://www.nfc-forum.org
Finally, a technology that is produced by major companies
that really solves not just a single problem but a huge number
of completely different problems, ranging from WLAN access,
calendar synchronization, to card reader "emulation".
Only a universal technology like this
others.
It of course has ZERO support in Scandinavia.
- Original Message -
From: "Anders Rundgren" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Peter Tomlinson" <[EMAIL PROTECTED]>
Sent: Sunday, May 23, 2004 21:18
Subj
ey have no limits on what they can do and
it will be much cheaper than a single-function biometric-
only card. It is not even certain that ID-cards will limit
terrorism, as terrorists nowadays seem to be legal aliens.
The heat is on (the ID market).
Ander
I feel that they (the UK) have yet to address one crucial issue:
Electronic IDs and physical IDs do not have to share
format. Due to the fact that physical IDs nowadays need
special equipment in order to verify their genuineness, it
seems that the value of card-formatted credentials is slowly
but
I once participated in a smart card effort called SEIS.
The outcome was PKCS #15.
Question: Is PKCS #15 a core part of Muscle and JavaCards?
Anders R
From a recent Intel press release:
The Intel PXA27x family of processors, formerly
code-named "Bulverde," adds a number of new technologies to address the needs of
cell phone and PDA users. It is the first product to integrate the Intel
Wireless MMX technology, providing additional performan
ation.
But who else can use that back door?
And can that card securely host your private signing key?
Peter
- Original Message -
From: "Anders Rundgren" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "David Everett" <[EMAIL PROTECTED]>
Sent: Sunday,
bject: Re: [Muscle] A combined EMV and ID card
Who issues and manages and guarantees the ID information on the card? The
bank? Or the government? That is absolutely crucial.
Anders: Do you know any details of the technology used for the ID?
Peter
- Original Message -
From: "Anders
eed for secure "payment-tokens" if we restrict the scope to
Internet-payments.
Just my 0.2 EUR
Anders Rundgren
Consultant, PKI & e-Business
+46 70 - 627 74 37
___
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
Some interesting info from another list
It is interesting to note that the use of a single key-pair for
multiple certificates still is fairly often touted by promoters
of smart cards. Usually due to limitations in private key storage
and generation.
Anders
PS I never thought this was such a g
>From: "Prágai Róbert" <[EMAIL PROTECTED]>
>viva la WIM (Wireless Identity Module) cards, where even
>strong hardware based cryptography could be achieved if the mobile
>OS enabled to use it. (I have bad experiences with Symbian.)
>I just wonder why the vendors do not let the market to
>us
>From: "Bettina Martelli" <[EMAIL PROTECTED]>
>I really don't understand this contraposition between
>smart cards and mobile phones as "virtual" cards.
>In each mobile phone there is a "real" smart card inside,
>the SIM. Insofar a mobile phone is just equivalent to
>card + reader + some logic + m
>> > I say it one more time: The smart ID card is dead and gone.
>> > It is beyond repair.
>Dr Russel Winder wrote:
>If the smart ID card is dead and gone why are so many governments
>putting large projects together to make such cards a reality. What
>makes you say it is dead and gone?
I hope y
http://www.visa-asia.com/getacard/visa_mini_faq.shtml
Now we have contact and contact-less, regular and USB,
and "Asian-sized" cards.
What the card business needs is either Kofi Annan or
George W. Bush. Or both maybe :-)
An advantage with mobile phone based virtual SCs, is
that they can have a
>Again, you need to revisit your model. Infrastructure will be funded out of
>several pots, smart media out of several pots. The important infrastructure
>is that paid for by the public sector - immigration, police, social
>security, etc. Here in the UK we intend to charge UKP 30 for the cards
>(bu
ne), or sell a ticket using a purse on the
card, or decrement a carnet of tickets - this is for passage through gates.
For sales at a vending machine, they want to take advantage of the same fast
transaction time to allow you to just wave your card past the reader's
aerial (rather than put the
ther vendor that provides the reader.
As this technology broadens, we may open ourselves up
to problems we had with contact based cards a few years ago.
Best Regards,
Dave
On Mar 5, 2004, at 1:14 AM, Anders Rundgren wrote:
> http://www1.chinadaily.com.cn/en/doc/2003-10/15/content_272271.htm
is beyond repair.
It is like X.500 versus the Web.
Or OSI versus TCP/IP.
Or BetaMax versus VHS.
I saw it happen in "slow-motion"...
regards
Anders Rundgren
card
holder
> is the card issuer.
>
and
>Trust is not transitive. The only multitrust token that will ever fly is the white card.
Then Anders Rundgren wrote:
> That means that you in essence say that TTPs don't work. We already use TTPs
> since a long time ago for physical I
- Original Message -
From: "Peter Tomlinson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 09:34
Subject: Re: [Muscle] White Card
>First, in the study that I worked on, govts are not seen as TTPs except for
>each other - i.e. the idea is that you can (within
- Original Message -
From: "Scott Guthery" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 02:07
Subject: [Muscle] White Card
>Does anyone really wonder why the European card model never gets beyond
>the "Hey, kids! Let's write another sma
Extract from an FAQ for an on-line e-signature standards
proposal in progress (note that the following does not apply
to EMV etc. that is stuck in an off-line world paradigm):
...That is, DRY Signatures are neither useful nor intended to be used
where the signature requester is unknown or ma
new markets, (b) how many of those new markets they have
an early lock on.
I need to get back to work, now. Less Marketing, more Programming.
Peter.
>From: "Anders Rundgren"
>Reply-To: [EMAIL PROTECTED]
>To:
>Subject: Re: [Muscle] On-line signature standards
>Date: Fri, 3
Peter Williams [EMAIL PROTECTED] wrote:
>With Phillips now shipping the low-power
>802.11b chips for use in GSM handsets, you will
>soon see the SIM chip of your phone authenticating
>to merchant terminals much as we now authenticate by presenting
>a ICC on a plastic carrier to a swipe/smartcard
"Martin Buechler" <[EMAIL PROTECTED]> wrote:
>Just for clarification: What do you define as 'signing on-line data on
>the web using Internet browsers' and where could one find an example?
The scenario is that you are connected to an on-line service like a bank
and at a certain phase have to aknow
rt card).
Talking about CEN/ISSS, the following may be of interest...
- Original Message -
From: "Ketchell John" <[EMAIL PROTECTED]>
To: "Anders Rundgren" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 30, 2003 11:37
Subject: R
n entirely proprietary mechanisms.
Most of the vendors even require NDAs for getting the documentation.
Anders Rundgren
A somewhat naive question but is there any open source
software for the EMV 2000 standard?
EMV = Europay, Mastercard and VISA.
Anders
Dear List,
pardon the "politics". Unless there is a big interest in this issue,
I will refrain from further comments.
- Original Message -
From: "Peter Tomlinson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 08:19
Subject: Re: [Muscle] PTDs vs. Smart Cards:
ill be comparatively
easy to migrate to use HW-based security in 3-4 years from now.
Anders Rundgren