William Ahern wrote:
> Tor Rustad <bwzcab@wvtqvm.vw> wrote:
> <snip>
>> The hard part, is really establishing the HW infrastructure, not the SW
>> side of things! My latest laptop came with a chip card reader, you can
>> also attach such reader device via USB.
>
>> So the technology is here, and it's being rolled out as we speak.
>
> I disagree. The hard part is the software side. I bought a pack of 10 secure
> Schlumberger cryptocards over 8 years ago, and the _software_ support is
> still abysmal (and still largely in the same shape then as now). The USB
> controller was even built into the chip, and a plastic keyfob was all but
> free (you could pop the chip from the credit-card sized packaging and insert
> it into the keyfob). Very nice hardware; very inexpensive. Projects like
> OpenSC, etc, just don't get any attention, however.
>
> The standards are there, too. PKCS-11. X.509. Client-side signed
> certificates. Heck, even the OpenSSH folks aren't particularly interested in
> integrating PKCS support.
>
> Nope. The lack of use, I'd argue, is entirely a function of poor and
> confusing software support, and simple ambivalence and laziness.

Without HW, SW is useless.

There is a major difference between having a developer kit, and get to a
point where all PC's ship with a good smartcard reader. 8 years ago, the
banks lacked secure production line for smartcards, and the financial
networks lacked smartcard accepting readers. That has changed, and today
your mobile may even be sporting a 32K PKI enabled smartcard. In a few
years now, we will all have strong authentication enabled cards/SIM,
capable of running multiple applications. Beside Telecom and Banks, the
public sector will use more and more secure ID cards.

This has taken a long time, the Europay MasterCard VISA (EMV) specs came
in 1996, if it was just a matter of developing some SW, the transition
would have been completed years ago. Upgrading HW world-wide is a
different ballgame, and I bet there is still quite a few devices out
there, not yet accepting my VISA on chip.

It must be 10 years ago I read an article in a smartcard magazine called
"PKI nothing more than pilots". At that time, I had worked with PKI for
years, by establishing secure infrastructure for transactions over open
networks via SET.

We had *everything* ready for roll-out, merchant SW, client SW, payment
gateway, client certificate enrollment... the full package and almost
nothing happened.

Why?

First of all, as a security infrastructure, it had a major flaw, namely
on the client side all keys and crypto was done in SW, and equally
important, it required installing special fat client on all user PC's. A
support nightmare, so the banks skipped the client/wallet first, as the
client added little to no security, without a HW token anyway.

Hence, prior to year 2000 several vendors had implemented the complex
SET protocol, sporting several PKCS standards, the whole spec was in
ASN.1, where every message was DER encoded. There was also an open
source reference implementation in C, from VISA.

To make a long story short, we ended up using the complex SET protocol
over a 2m cable in our own computing base, and it was SOON replaced by a
lightweight security toolkit I wrote, which enabled merchants on
internet to communicate with the financial network in a far more
efficient way.

SET wasn't even a pilot, and the concept of non-repudiation was a joke.

--
Tor <echo bwzcab@wvtqvm.vw | tr i-za-h a-z>