Discussion:
NSTIC and Passwords
Anders Rundgren
2012-06-10 06:03:07 UTC
<http://www.linkedin.com/groups?viewMemberFeed=&gid=3747110&memberID=3791951&goback=%2Egmp_3747110>

http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks

It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!

Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.

Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends to deal with
this gaping hole in the arsenal.

Anders

[1] http://www.nist.gov/nstic
Henry Story
2012-06-10 06:15:22 UTC
Post by Anders Rundgren
http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks
It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!
I recently argued that one could use WebID for eCommerce in this presentation
given at the European Identity conference

http://bblfish.net/blog/2012/04/30/
Post by Anders Rundgren
Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.
Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends to deal with
this gaping hole in the arsenal.
Anders
[1] http://www.nist.gov/nstic
Social Web Architect
http://bblfish.net/
Anders Rundgren
2012-06-10 16:44:43 UTC
Post by Henry Story
Post by Anders Rundgren
http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks
It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!
I recently argued that one could use WebID for eCommerce in this presentation
given at the European Identity conference
http://bblfish.net/blog/2012/04/30/
I'm not sure exactly what use-cases NSTIC wants to address but eCommerce
seems to split into two lanes, pre-paid and invoiced. WebID doesn't
address pre-paid since this is not about identity but about payments.
An exception could be PayPal which is like a virtual bank account.

Does WebID address invoiced (B2B-like) eCommerce? Presumably it could.

My personal interest is moving the traditional on-line bank and on-line
payment scenarios into the 21st century. 3D Secure was a great idea
that didn't work well in practice because "banks do not do browsers".
Revamping Microsoft's Information Cards by blending them with a new
client-side PKI implementation, an enhanced 3D Secure could be as
convenient and secure as local payments using EMV-cards:
After selecting the proper card based on their card image, typing in
a short PIN-code is all that's needed to carry out the transaction.

The cards will though be in the phone because the PC has long since
run out of gas as a vehicle for innovation. Yes! We need yet another
protocol; the phone/PC slave mode. Previous experiments like emulating
a remote PKCS #11 interface in the phone were IMO conceptually wrong
because a phone is not a smart card; it is a stack of super-smart cards :-)

As I have said numerous times before, going for low-hanging fruit like
WebID is not a bad idea but WebID doesn't invalidate taking firm grip
on the entire infrastructure either...

Anders
Post by Henry Story
Post by Anders Rundgren
Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.
Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends to deal with
this gaping hole in the arsenal.
Anders
[1] http://www.nist.gov/nstic
Social Web Architect
http://bblfish.net/
Henry Story
2012-06-10 18:16:30 UTC
Post by Anders Rundgren
Post by Henry Story
Post by Anders Rundgren
http://news.cnet.com/8301-1009_3-57450025-83/linkedin-posts-update-on-password-leaks
It is (to me at least) pretty obvious that NSTIC [1] won't get far unless the technology for authenticating on the Internet takes another major step forward!
I recently argued that one could use WebID for eCommerce in this presentation
given at the European Identity conference
http://bblfish.net/blog/2012/04/30/
I'm not sure exactly what use-cases NSTIC wants to address but eCommerce
seems to split into two lanes, pre-paid and invoiced. WebID doesn't
address pre-paid since this is not about identity but about payments.
An exception could be PayPal which is like a virtual bank account.
Does WebID address invoiced (B2B-like) eCommerce? Presumably it could.
yes, and the presentation explains how one can also use linked data to create
trust in commercial web sites such as banks, shops (small and big),
universities, and other web sites in a distributed way. This is a key missing
piece in TLS and X509 certificates currently.
Post by Anders Rundgren
My personal interest is moving the traditional on-line bank and on-line
payment scenarios into the 21st century. 3D Secure was a great idea
that didn't work well in practice because "banks do not do browsers".
Revamping Microsoft's Information Cards by blending them with a new
client-side PKI implementation, an enhanced 3D Secure could be as
convenient and secure as local payments using EMV-cards:
After selecting the proper card based on their card image, typing in
a short PIN-code is all that's needed to carry out the transaction.
The cards will though be in the phone because the PC has long since
run out of gas as a vehicle for innovation. Yes! We need yet another
protocol; the phone/PC slave mode. Previous experiments like emulating
a remote PKCS #11 interface in the phone were IMO conceptually wrong
because a phone is not a smart card; it is a stack of super-smart cards :-)
As I have said numerous times before, going for low-hanging fruit like
WebID is not a bad idea but WebID doesn't invalidate taking firm grip
on the entire infrastructure either...
Yes, WebID is not exclusive for sure. I just hope that they take into
account the types of possibilities made available by linked data based
identity and trust schemes.
Post by Anders Rundgren
Anders
Post by Henry Story
Post by Anders Rundgren
Related: Internet payments using credit-cards still rely on "User IDs" (Card Numbers) and "Passwords" (CCVs) printed in clear on the cards.
Since giant players like FB and LinkedIn as well as the international banking community apparently can't fix this, one wonders how a somewhat obscure government program like NSTIC intends to deal with
this gaping hole in the arsenal.
Anders
[1] http://www.nist.gov/nstic
Social Web Architect
http://bblfish.net/
Social Web Architect
http://bblfish.net/
Anders Rundgren
2012-06-12 06:19:38 UTC
The eternal smart card issue seems to be popping up again...
http://lists.w3.org/Archives/Public/public-webcrypto/2012Jun/0043.html

Practically all of the stuff I'm advocating has already (conceptually)
been done by other people; the #1 problem is that integration of all those
disparate components has so far been a "Business Model", which is also a reason
why it really only works satisfactorily if you buy everything from a single source.

In particular, smart cards have been plagued by this phenomenon. Marrying
this technology (not necessarily the form factor...) to the web is IMO a
prerequisite for progress in the payment sector.

However, currently TCG, IETF, OASIS, W3C and GlobalPlatform in various ways
have explicitly or implicitly made this out of scope.

Personally, I'm convinced that EMV was the last (ever) major client-side
"payment gizmo" developed by the financial industry; the future in client-
side payment *technology* (not to be confused with payment *networks*),
belongs to the client-platform vendors and BYOD.

Regards,
Anders
