[LINK] Dumb Americans slow to catch on

Roger Clarke Roger.Clarke at xamax.com.au
Thu Feb 25 11:14:25 AEDT 2010


G'day Glen

At 10:19 AM +1030 25/2/10, Glen Turner wrote:
>Your subject is a tad unfair. ...

The 'dumb' bit refers to:

-   the presumption that one-size-fits-all in identity authentication

-   the inclusion of biometrics as a norm, when the vast majority
     of applications don't need it.  That habituates people into
     gifting nice copies of their biometric to anyone who puts a
     reader in front of them

-   the flooding of the market with cards

-   the lack of a budget, a plan, or even a vague strategy
     (also picked on by Bernard)

-   the ignorance of most applications of the card, with the result
     that the potential benefits aren't realised, and the vulnerabilities
     aren't appreciated, and are wide open and unaddressed

I've done a lot of consultancy work on identity authentication over 
the years, with and without cards as part of the process, and I 
support sensible uses of smart cards:
http://www.rogerclarke.com/EC/ChipIntro.html (1993)
http://www.rogerclarke.com/DV/SCTISK.html    (1998)
http://www.rogerclarke.com/DV/BioArch.html   (2003)

But see also:
http://www.rogerclarke.com/DV/IDCards97.html (1997)

And Shibboleth has great attraction, because it at least creates the 
possibility of privacy-sensitive applications - although whether it's 
actually used that way I'm less confident.

As a floater across ANU and UNSW, it's disappointing that I've yet to 
be able to even try out EduRoam: http://www.eduroam.edu.au/.  Its 
case study and other aspects of the home-page also leave something to 
be desired.  And is the repeated use of pseudo-Latin a breach of 
copyright?  (:-)}.

Regards  ...  Roger


At 10:19 AM +1030 25/2/10, Glen Turner wrote:
>Your subject is a tad unfair. The rollout of the Common Access
>Card[1] through the US DoD has been impressive, and has greatly
>improved the security of US DoD websites by moving them away
>from password-based authentication.
>
>The major issue is the federation of disparate authentication and
>authorisation schemes within the US Government.
>
>The university sector has a similar issue, with Shibboleth[2] and
>SAML being the technologies of choice for allowing people affiliated
>with one university to use the resources of another university.
>The sector also has a successful point solution for wireless
>called Eduroam[3] (with less features than Shib but built on more
>readily available technology).
>
>The USG is ahead in issuing a common card, whereas the university
>sector pretty much relies on passwords.  The university sector
>is ahead in deployment of federated authentication and authorisation.
>
>I can't really see a common university+VET card just yet, although
>there's no doubt that a common proximity+smart card would be a
>wonderful thing.
>
>Cheers, Glen
>
>[1] US DoD Common Access Card <http://www.cac.mil>
>[2] Shibboleth federated authentication <http://www.aaf.edu.au/>
>[3] Eduroam wireless roaming <http://www.eduroam.edu.au/>
>
>--
>  Glen Turner   <http://www.gdt.id.au/~gdt/>

-- 
Roger Clarke                                 http://www.rogerclarke.com/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
