Re: On-line signature standards: msg#00069

Subject: Re: On-line signature standards

With Philips now shipping the low-power 802.11b chips for use in GSM handsets, you will soon see the SIM chip of your phone authenticating to merchant terminals much as we now authenticate by presenting an ICC on a plastic carrier to a swipe/smartcard reader. (I.e. finally we will have broken the smartcard US adoption barrier: removal of the cost of the consumer reader!)

Phones have keyboards and finger-readers already. Making these devices secure, wrt the SIM, in generally available designs will not be long coming. The J2ME in the handset can already authenticate with the javacard on the SIM to create the trusted channel. The SIM can then mutually authenticate itself to the station, end-to-end, using a WPA-protected channel as a very local range bearer.

Two things have changed recently since we started on all this, 11 years ago: (a) MS ships signed XML forms with Office 2003, soon making signed web posting support ubiquitous, and (b) the already ubiquitous GSM SIM will soon reach out beyond securing the handset to the cell provider, to also authenticate to application-centric terminals at merchants, etc.

I'm very impressed by the card edge protocol, and its implementations here. Very simple, compared to PKCS#15, and reminds me of the very first 16 bit PCMCIA Fortezza crypto card model.

 

>From: "Anders Rundgren"
>Reply-To: muscle@xxxxxxxxxxxxxxxxxxxx
>To:
>Subject: Re: [Muscle] On-line signature standards
>Date: Fri, 31 Oct 2003 06:06:40 +0100
>
>"Peter Tomlinson" wrote:
>
> >Isn't it time to move from signing in a totally insecure software
> >environment (as are most PCs in the world)?
>
>The problem is that the card has no display. To rely on the
>broad acceptance of FINREAD is essentially equivalent to
>holding back e-government services for some 10 years or so.
>I do believe that it is possible to protect the OS in a shorter
>timeframe than that. In the meantime we have to live with
>what we got at hand. To perform crypto inside the card is
>of course both possible and definitely a part of my plot.
>(although the "card" will in my view be an integral part
>of a mobile device rather than a credit-card-sized thing)
>
>My request for a standards effort has been acknowledged by
>DoD, Boeing, RSA, and Microsoft so there might be something
>even in the works before year-end.
>
> >CEN/ISSS signature CWAs have been listed in the
> >Official Journal as officially recognised specifications -
> > but they relate to signing with smart cards (and there IS
> >work being done on secure terminal devices to handle
> >both the online transaction and the hashing before signing
> >with the smart card).
>
>Talking about CEN/ISSS, the following may be of interest...
>
>----- Original Message -----
>From: "Ketchell John"
>To: "Anders Rundgren" ;
>Sent: Thursday, October 30, 2003 11:37
>Subject: RE: Final report of the e-invoicing Focus Group
>
>
>Anders
>
>Let's do this in Europe, in CEN/ISSS...
>
>Despite the scepticism that is sometimes expressed about our limited
>European efforts, I think we are beginning to find understanding that the
>much-vaunted global consortia do not get their act together enough.
>Either they too are populated by nerds, or by IPR lawyers arguing amongst
>themselves. The end-user and the European voice are often non-existent.
>In private at least, many IT vendor companies are sharing this view - the cost
>to them of the "system" at a time of recession is too great.
>
>If we can get a reasonable critical mass of market players together,
>including obviously some public authorities, all we need is a Business Plan
>for the activity, and some funding - we're a lot cheaper than consortia anyway.
>We can work as quickly as consortia do (sometimes quicker) and THEN
>project the results at global level wherever is necessary. As one current
>example, we just started a much-needed e-business classification project
>with the full support of all the main global players in this domain.
>
>Over to you.
>
>
>
>Best regards
>John Ketchell
>Director, CEN/ISSS - Information Society Standardization System
>
>URL:http://www.cenorm.be/isss
>
>Rue de Stassart, 36
>B-1050 Brussels
>Belgium
>email (direct) john.ketchell@xxxxxxxxx
>email (secretariat) isss@xxxxxxxxx
>Tel (direct) + 32 2 550 08 46
>Tel (secretariat) + 32 2 550 08 13
>Fax + 32 2 550 09 66
>Tel (GSM) +32 475 594 828
>
>
>-----Original Message-----
>From: einvoicing List ISSS - CENORM created 22 October 2002 [mailto:EINVOICING@xxxxxxxxxxxxxxxxxx] On Behalf Of Anders Rundgren
>Sent: Wednesday, October 29, 2003 9:59 AM
>To: EINVOICING@xxxxxxxxxxxxxxxxxx
>Subject: Re: Final report of the e-invoicing Focus Group
>
>When talking about "signed" invoices, I could not resist
>copying the results gathered from the IETF-PKIX, IETF-SMIME,
>and the OASIS PKI-TC lists regarding the current state of standards
>in this area:
>
>=====================================================
> There are apparently no standards and nothing in the works either
> with respect to signing on-line data on the web using Internet browsers.
>=====================================================
>
>Since web-signing is today [*] used by many, many, more people
>and organizations than there are users of signed e-mail, I remain puzzled.
>
>Is the PKI community really just a bunch of "nerds", mostly out of
>touch with the needs of the market?
>
>And what good is a legal framework like the EU signature directive,
>intended to address "legal interoperability" if there is no interoperability
>in the technical solutions?
>
>"The truth is [still] out there" to travesty a famous TV series.
>
>However, my request spurred quite a lot of interest, so I believe that web-
>signing really is a thing that finally will be standardized. The question
>is more by who, as the major interest is really coming from the public
>sector, not from commercial entities like banks, that rather protect their
>investments in proprietary solutions. I personally plan to pursue such
>a task in W3C or in OASIS in case somebody is interested.
>
>*] Like Scandinavian banks having > 0.5M of users.
>All current systems rely on entirely proprietary mechanisms.
>Most of the vendors even require NDAs for getting the documentation.
>
>Anders Rundgren
>
>_______________________________________________
>Muscle mailing list
>Muscle@xxxxxxxxxxxxxxxxxxxx
>http://lists.musclecard.com/mailman/listinfo/muscle