
National Strategy for Cyberspace Trusted Identity



This story is making its way around the internet and is slightly misleading.

 

Here's the fun fact. The US Gov't has been doing this for a long time. The US Military has CAC/PIV deployed to all personnel which rolled out about a decade ago. This system works very well for identity verification, which is used for sites that have some sort of security or access control need. Example: I can access my earning statements (pay stubs) via a website that uses my CAC to log in.

 

On my CAC is an encrypted identity certificate. When I attempt to access a site that uses the system, a window comes up that asks for my PIN (6-8 digits). The PIN decrypts the certificate on the card, and the identity certificate is passed to the requesting server, which checks with a certificate authority to verify authenticity. Once verified, I am granted access to the site.

 

If the card is lost/stolen, I immediately report the loss and the certificates are revoked and I am issued new certificates. This all works very much like the public/private key system used in SSL/TLS, which is called PKI. What is also nice is that the system is two-factor, meaning one must possess the card and the PIN to be able to use the certificate and verify identity.

 

We discussed this on the JimmyLee and Bambi show this last weekend. This system would be great for sites that need to be VERY secure, such as financial institutions, sites with medical data, etc. The real concern is not using an identity system on those sites, but mandating its use elsewhere. I'm on the fence with this one, as this system could easily replace usernames/passwords (and it has in many places in the military). It is very convenient.

 

Adam


Absolutely. Although, I don't see how it could be enforced for servers outside the United States. We'd see a rapid migration out of the states if that happened.

 

Adam


Guest LilBambi

I agree, ebrke. It is just one more area where we are conditioned to think ease of use is more important than privacy and freedoms. Sadly, it worked with Touch ID, didn't it? Eventually we will all see the folly in first providing a way to 'identify' yourself uniquely, and eventually it will be required. Then everyone will get onboard.

 

Like Trusted Computing...

 

I think back to Hitler's regime and what they did with just punch cards and making being an informant against family and friends a so-called good thing, a patriotic thing.


amenditman

I think back to Hitler's regime and what they did with just punch cards and making being an informant against family and friends a so-called good thing, a patriotic thing.

Or 1984!

There's a scary piece of prediction for you! He was off a little in the year, but a pretty accurate prediction of human nature/government interaction.

