Building Communities of Trust on Smart Credentials


Talking Smart Card, PKI and PIV Use Across Public and Private Boundaries with Entrust

In the U.S., smart cards are generally found in enterprise or government settings. In regions like Europe and Asia/Pacific Rim, consumers and citizens are much more likely to carry smart cards for financial transactions or personal IDs. Consumers have pushed technologies like instant messaging, social networks and smart phones into enterprise environments; is there potential for smart card-carrying individuals to influence how enterprises use digital certificates and credentials?

For some answers to that question, as well as to further explore how individual citizens and private sector employees might interact with FIPS-201 Personal Identity Verification (PIV) interoperable or compatible credentials, we spoke with Nora Cox, senior manager, product management, and Mark Joynes, director of product management, at Entrust. Entrust has
been a force in national ID solutions in Spain, Canada and Saudi Arabia. In addition, it's a Shared Service Provider for the U.S. federal government, approved to issue digital certificates for PIV.

What follows is a transcription of our telephone conversation, edited for clarity and accuracy.

***

Sharon J. Watson, Security Squared: Let's talk about the potential ubiquity of smart cards for government or personal identification cards. I'm exploring whether, say, private enterprises could somehow use a smart national ID credential for transactions, or how something like a PIV credential might be used outside of government circles by individuals.

Nora Cox, Entrust: A lot of large digital certificate deployments are happening today and have been happening. I think we did Spanish ID about five years ago. That was a 40 million citizen deployment. The government is certainly leading edge in driving a lot of those large deployments.

There are absolutely opportunities for additional benefits with respect to PKI because once you have that basic infrastructure in place, you can do a lot, like securing logical access, encrypting e-mail, authentication to systems or resources, digitally signed documents.

Mark Joynes, Entrust: That's pervasive around the globe. Spanish ID is one example, the Saudi national ID is another good example where Entrust is the PKI in place. There are definitely a variety of these. We certainly see in pockets around the world how the private sector is starting to look at a shared identity infrastructure to some extent, whether that is a government ID being leveraged in private circumstances or possibly an ID created within a banking or finance vertical that may be taken as an identity employed within government. So there is definitely some cross pollination.

Nora: When you look at Spanish ID, that's a classic example of where digital certificates and the security infrastructure are enabling [cross pollination]. First of all, you securely identify the citizens. Then once you've issued them an electronic ID card, you can use that credential with other citizens, with businesses and with government agencies.

One of the things Spanish ID had in its mandate was to try to get private enterprise to use the digital certificates as well, so you start to see the huge benefit of having a centralized infrastructure that is there for all to use. That's an extremely compelling business case.

Mark: It's not true for all parts of the world, but there's something to be said for an identity that is delivered by way of a police officer. National identities in a lot of countries are issued through that arm of government, so you've likely got a very strong binding of the individual to the document when it's been delivered by that channel.

Sharon: Let's talk about that, Mark. The FIPS 201 standard calls for very strong vetting procedures to ensure there is that strong binding. I've heard that is a stumbling block for private enterprises who don't want to pay for that level of identity proofing. I've even heard a couple intimations it's becoming an issue with some federal agencies that may be massaging those standards to their budgets. [Vetting] seems such a fundamental piece but how do you ensure that vetting is such that everyone will accept it?

Nora: That's an excellent point. In general, to be establishing communities of trust, you really have to have a common mechanism--standardization, really--of how you are ensuring that Mark is who he says he is or that Nora is who she says she is. The verification process is critical to a lot of different communities of trust. Whether that's the federal environment through Common Policy or whether it's what we call the non-federal environment--energy companies or hospitals or any other non-federal organization--or even state government, where they want to be able to communicate securely with the federal environment...you have to have some common standards that are used to identify people before allowing them to have a credential to communicate with everybody else.

Certainly the Common Policy has a set of assurance levels, and in each of those assurance levels there are requirements associated with the vetting. For example, you have medium assurance: you need to have a face-to-face meeting to hand over your government ID with a picture on it (or 2 non-federal IDs, one of which is a photo ID). There's a set of things you must do and in so doing, you confirm who you are to the person who is vetting you in person. It could also use notaries for that same process.

There are certainly a set of common tools, a common set of assurances that are used across communities of trust. Where it gets interesting is in a commercial environment. That can be an expensive process, getting people verified to face-to-face levels every time. It may not be very feasible. With our hosted service, we take a bootstrap approach where the first person is identified by ourselves or a notary and then that person turns around and would be doing the verification and vetting for a number of local registration authorities within an organization. Those people then turn around and do the vetting of the end users. So it becomes less expensive.

Mark: It's all tied to the value of the information or the value of the services that are going to be obtained or accessed by that identity. That's why there are various levels of assurances associated with those processes. It could be that within the commercial arena, there's not the same understanding and acceptance of those requirements. It may also be that in some arenas there's not the same level of value or risk or impact associated with use and misuse of such credentials.

To Nora's point, it really does need to be a common standard that people live to because as soon as you have an identity, it's pretty quickly forgotten how you came about getting it. It just gets used. You really do have to have the assurance when you are accepting someone's identity that it was obtained appropriately.

Nora: One thing I would add, Sharon, in terms of commercial: when you've got commercial organizations looking to communicate with the federal government, trying to join this community of trust through the Federal Bridge certificate authority, you'll find there will be some individuals within that commercial organization that will need to be vetted to a medium assurance level and have all of the bells and whistles that go with that vetting.

Probably a large part of that organization might be at a much lower assurance level, such as basic or rudimentary, so there can be much more cost effective ways [of vetting] or in some cases, [employees might] not even need to get the credential. It really depends on the value of the transaction, in looking at how important it is that you be absolutely sure of whom you are dealing with.

Mark: I'm going to generalize: In any infrastructure, as more and more applications come online, as access to applications broadens and the net sensitivity of what you are accessing rises, the net requirement for level of assurance is going to rise as well.


PIV Without Borders

Nora: A couple of years ago, I was asked for quotes on PIV credentials for UK police. There were a large number of different divisions but they wanted to have what I would call PIV compliant or compatible type of credentials. They liked the way it was done in the U.S.

Mark: Did that go?

Nora: I don't think so, but certainly there was interest, and we were hoping to see if that was going to be one of those cross pollination type things...the Canadian government was looking at this a bit, too. It may very well be, Sharon, that it will still have pollination across different countries, not just the U.S., but I think it will take some time.

Mark: In Europe they are generally further ahead in smart card use, in multi-application use within cards. There's starting to be sort of cross pollination between government applications and private sector applications, probably residing on the same card, primarily government-financial. There's certainly no reason it can't go beyond that. I think you will see reuse of the technology in the enterprise, especially around the smart cards for access control, both physical and logical.

Nora: As we talked about at RSA, leveraging that PIV card for both physical and logical access is what's going to give you that return on investment. It's going to give you a reduction in credential management system costs as well as in associated helpdesk type tasks because you're using one credential, not two.

The general idea with PIV-I or PIV-C is you want to be able to ensure there can be that cross-government communication between local, state and federal governments. We've certainly seen an interest in PIV credentials from energy because they want to be able to report into the Federal Energy Regulatory Commission; they have to do regular reporting to confirm that they are in good shape with their deployments.

The State of Illinois certainly uses the credentials to report into the federal government on things like EPA and their waste management. They use it for all kinds of stuff.

Mark: This is all fundamentally because of the trust infrastructure that's in place via the U.S. Federal Bridge architecture. So it really does make sense for these other organizations to leverage that same standard. They've got these communication obligations to deal with, which they can do in a trusted fashion, and know it will be validated throughout the architecture. Certainly in the U.S. environment, that makes it relatively easy to extend it more across verticals.

Nora: The State of Illinois, for example, is cross certified with the Federal Bridge. They did that about six years ago, in 2004. They just saw lots of benefits in going with federal PKI, and they've been doing online reports for a long time.

Whether you're talking first responder authentication credential (FRAC) requirements for emergencies, fires, disasters or whether just dealing with day-to-day or month-to-month reporting, there's a lot of need for being able to interact across government levels and industry levels.

Mark: That enterprise that has a responsibility or obligation to report to government, that's an extension of government as enterprise if you will. I'm not sure to what extent FIPS-201 actually would get reused in the private sector.

Nora: Energy would be the private sector. They need to be able to communicate reporting into the federal government. Whether you call education private sector, they are looking to do a lot of communication with the government in terms of scholarship and funding.

Mark: It's interesting. You're seeing it come from a very pure government application into all of the extended government communications--education and industries with reporting requirements. I don't know if it happened, but within the U.S. federal government, there was talk of merging banks into the E-authentication initiative. I don't think that actually materialized. But the notion was there. So people are certainly thinking along those lines.

Sharon: I read an article on your website about the State of Illinois. It's a couple of years old now but it was interesting: they made digital certificates available to citizens that needed to transact business with the government. It wasn't quite clear to me how much uptake there had been with private citizens.

Nora: The State of Illinois, as of a couple years ago, had over 107,000 credentials issued so there are a fair number of citizens in that. For FRAC, they focused on law enforcement and emergency support personnel, being able to ensure all the police, medical personnel and fire fighters had credentials.

Mark: Another example of citizenry leveraging certificates for online transactions is in Canada. About 60 applications in the Canadian government require certificate authentication: applying for a passport online, tax submissions, shipping companies offshore with goods coming into Canadian seaports can access online applications that have been authenticated to report on the materials coming in to the country.

In terms of citizens themselves, there are about 6 million identities out there for online tax submissions.

Nora: The State of Illinois issues certificates for government to citizens and government to business and government to government so they're covering all three. They are interesting in that they started with an enterprise type approach, enterprise meaning all of the State of Illinois. Then PIV became much more prevalent after they deployed so they started issuing FRAC credentials. They did the reverse of what we see a lot of the states are going to do, which is start with PIV for FRAC and extend that within their state to do secure e-mail or encryption of documents or document signing, that sort of thing.

Sharon: Please forgive me if this is a stupid question: if the State of Illinois makes a digital certificate available to me to use to file my [personal] state income tax returns, and I work for a [private] company, is there some way that business can leverage the fact that I have a digital certificate with the state? Or are those relationships just different pools of transactions?

Nora: It depends on what the state put in [its certificate usage subscriber agreement.] Quite often, what will be in a subscriber agreement is that you as a citizen of Illinois get a certificate, but you can only use for State of Illinois-related activities.

The other thing that gets tricky is how does the other organization you want to use the certificate with know to trust you? The State of Illinois issued you the certificate. So you have to give the certificate from the State of Illinois to the other organization and they would have to trust that. So there's a whole trust infrastructure behind it.

If Mark and I are in two different companies, and I want to be able to sign a document and send it over to him and have him be able to verify the document really came from me, that the data in it hasn't changed, he needs to have something that traces back to the certificate authority that issued my certificate to confirm there is a binding there.

Mark: So if you have a certificate issued by the State of Illinois, you will be all right transacting business as long as you're dealing with somebody who has a trust linkage back into the State of Illinois where State of Illinois policy allows that validation to occur.

Nora: We talked about communities of trust. A lot of different organizations are trusting one another in a broader community because they're all trusting the Federal Bridge Certificate Authority. Illinois ties into that, and that can open up a lot of trust within government agencies and others who are cross-certified with the Federal Bridge.

Sharon: So the Federal Bridge vouches for you and says yes, we trust this credential, the certificate, therefore yes, you should trust it.

Nora: That's the whole idea of the common identification platform. You've got it.

Sharon: But I guess there's nothing like that for the private enterprise sector...

Mark: There are examples of bridge infrastructure specifically for sectors within...

Sharon: I should take that back. There's SAFE for biopharma and EduCause for education--those are similar ideas, right?

Mark: There's CertiPath and areas associated with the defense industry, transportation...

Nora: So those are more industry-centric but to your point about the private industry, keep in mind that with that non-federal certification to the Federal Bridge, you could bring in industries like energy and education, and they could also be getting credentials that are part of that community of trust.

# # #
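The trust-path discussion on the last page (a relying party needs a chain back to the issuing CA, the Federal Bridge cross-certifies member CAs, and a transaction's required assurance level decides acceptance) as a simplified model, added here as an example that is not Entrust's or the interview's own code. The CA names, the assurance ranking and every certificate are constructed, and real X.509 path validation (signature checks, revocation, policy OIDs) is deliberately left out.

```python
"""Simplified model of a bridge-based community of trust.

A relying party starts at its own trust anchor and follows certificates
(including cross-certificates to and from the bridge) until it reaches the
end-entity certificate it was handed.  Each certificate carries the assurance
level the issuer grants to its subject, so the chain's effective assurance is
the weakest mapping along the path.  Constructed example; not real X.509.
"""
from collections import deque

# Assurance levels named in the interview, ranked lowest to highest (constructed ranking).
ASSURANCE = {"rudimentary": 0, "basic": 1, "medium": 2, "high": 3}


class Cert:
    """issuer signed subject; for a CA cross-certificate, 'assurance' is the
    level the issuing CA grants to certificates under the subject CA."""

    def __init__(self, issuer, subject, assurance, is_ca):
        self.issuer, self.subject, self.assurance, self.is_ca = issuer, subject, assurance, is_ca

    def __repr__(self):
        return f"{self.issuer} -> {self.subject} [{self.assurance}]"


def build_path(anchor, target, certs):
    """Breadth-first search from the relying party's trust anchor to `target`.
    Returns the certificates in anchor-first order, or None if no chain exists.
    Bridge cross-certificates run both ways, so visited CAs are tracked."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue, seen = deque([(anchor, [])]), {anchor}
    while queue:
        name, path = queue.popleft()
        for c in by_issuer.get(name, []):
            if c is target:
                return path + [c]
            if c.is_ca and c.subject not in seen:
                seen.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None


def effective_assurance(path):
    """A chain is only as strong as its weakest policy mapping."""
    return min(path, key=lambda c: ASSURANCE[c.assurance]).assurance


def validate(anchor, target, certs, required):
    """Return (accepted, reason) for a transaction that needs `required` assurance."""
    path = build_path(anchor, target, certs)
    if path is None:
        return False, "no trust path back to the relying party's anchor"
    level = effective_assurance(path)
    if ASSURANCE[level] < ASSURANCE[required]:
        return False, f"path assurance is {level}, transaction requires {required}"
    return True, f"accepted at {level} via {len(path)} certificates"


# Constructed community: a federal agency and the State of Illinois are both
# cross-certified with the Federal Bridge; Acme Corp runs its own PKI and is not.
BRIDGE, AGENCY, ILLINOIS, ACME = "Federal Bridge CA", "Federal Agency CA", "State of Illinois CA", "Acme Corp CA"
CERTS = [
    Cert(AGENCY, BRIDGE, "medium", True), Cert(BRIDGE, AGENCY, "medium", True),
    Cert(BRIDGE, ILLINOIS, "medium", True), Cert(ILLINOIS, BRIDGE, "medium", True),
    Cert(ACME, "Acme employee", "medium", False),
]
ACME_EMP = CERTS[-1]
NORA = Cert(ILLINOIS, "Nora (FRAC holder)", "medium", False)   # medium-assurance vetting
CLERK = Cert(ILLINOIS, "State clerk", "basic", False)           # vetted only to basic
CERTS += [NORA, CLERK]

if __name__ == "__main__":
    for holder in (NORA, CLERK, ACME_EMP):
        print(holder.subject, validate(AGENCY, holder, CERTS, "medium"))
```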
