[LINK] Dumb Americans slow to catch on
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Feb 25 11:14:25 AEDT 2010
G'day Glen
At 10:19 AM +1030 25/2/10, Glen Turner wrote:
>Your subject is a tad unfair. ...
The 'dumb' bit refers to:
- the presumption that one-size-fits-all in identity authentication
- the inclusion of biometrics as a norm, when the vast majority of applications don't need it. That habituates people into gifting nice copies of their biometric to anyone who puts a reader in front of them
- the flooding of the market with cards
- the lack of a budget, a plan, or even a vague strategy (also picked on by Bernard)
- the ignorance of most applications of the card, with the result that the potential benefits aren't realised, and the vulnerabilities aren't appreciated, and are wide open and unaddressed
I've done a lot of consultancy work on identity authentication over
the years, with and without cards as part of the process, and I
support sensible uses of smart cards:
http://www.rogerclarke.com/EC/ChipIntro.html (1993)
http://www.rogerclarke.com/DV/SCTISK.html (1998)
http://www.rogerclarke.com/DV/BioArch.html (2003)
But see also:
http://www.rogerclarke.com/DV/IDCards97.html (1997)
And Shibboleth has great attraction, because it at least creates the
possibility of privacy-sensitive applications - although whether it's
actually used that way I'm less confident.
As a floater across ANU and UNSW, it's disappointing that I've yet to
be able to even try out EduRoam: http://www.eduroam.edu.au/. Its
case study and other aspects of the home-page also leave something to
be desired. And is the repeated use of pseudo-Latin a breach of
copyright? (:-)}.
Regards ... Roger
At 10:19 AM +1030 25/2/10, Glen Turner wrote:
>Your subject is a tad unfair. The rollout of the Common Access
>Card[1] through the US DoD has been impressive, and has greatly
>improved the security of US DoD websites by moving them away
>from password-based authentication.
>
>The major issue is the federation of disparate authentication and
>authorisation schemes within the US Government.
>
>The university sector has a similar issue, with Shibboleth[2] and
>SAML being the technologies of choice for allowing people affiliated
>with one university to use the resources of another university.
>The sector also has a successful point solution for wireless
>called Eduroam[3] (with less features than Shib but built on more
>readily available technology).
>
>The USG is ahead in issuing a common card, whereas the university
>sector pretty much relies on passwords. The university sector
>is ahead in deployment of federated authentication and authorisation.
>
>I can't really see a common university+VET card just yet, although
>there's no doubt that a common proximity+smart card would be a
>wonderful thing.
>
>Cheers, Glen
>
>[1] US DoD Common Access Card <http://www.cac.mil>
>[2] Shibboleth federated authentication <http://www.aaf.edu.au/>
>[3] Eduroam wireless roaming <http://www.eduroam.edu.au/>
>
>--
> Glen Turner <http://www.gdt.id.au/~gdt/>
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University