Vulnerability Development mailing list archives

Re: Non-Mathematical Forging of PKI Digital Certificates /Throwing Rocks at the PKI


From: Alvin Foo <alvin.f () PACIFIC NET SG>
Date: Thu, 24 Aug 2000 11:03:24 +0800

Yes, I would agree that PKI is not the solution to all security problems.
What is needed is to extend that "trust" being built into a PKI
infrastructure and deploy it out to the end users, or citizens in your case.

What I am saying is that a PKI without any application is a white elephant.
Applications need a trust model that can be extended to the end users at the
point of purchase/confirmation or whatever is needed to close the deal.

To achieve this the end users need some token that is able to extend the
"trust" of the PKI; the token would, of course, have to be able to withstand
attackers, covert or otherwise, to maintain that trust.  This token is usually
a smart chip; it need not necessarily be of a smart card nature, as there are
smart chips attached to USB connectors and the like.  Other tokens like SecurID
are fine but bulky, and there is the problem of time synchronisation.

Of course, to issue the tokens is no small challenge, but it can be easily
taken on by a country such as Brazil through an existing Identity Card
infrastructure, driving licence, etc.  But before these two can be addressed,
one matter that also requires close attention is the readers of the
tokens.  There are few, if any, countries that have a wide deployment of
token readers that would enable a successful launch of applications.

There are other matters of consideration but I guess this would not be a
forum for it.

You have an interesting and challenging task ahead of you; good luck and
success to your project.

cheers
Alvin

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Dener Martins
Sent: 23 August 2000 20:56
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Non-Mathematical Forging of PKI Digital Certificates
/Throwing Rocks at the PKI


oops, sorry. I missed the first messages of this thread.

Nevertheless, there is something that I should have said before. Other
private CAs are beginning to operate in Brazil. Since the government is
still a good client, and a big market itself, those CAs will follow the
same procedures established by the federal government, in order to be
certified by public authorities as being "trustworthy".

This whole story also has a bigger goal, Mercosul. Mercosul is the open
trade agreement between Brazil, Argentina, Uruguay, among other countries.
These first laws about certificates are being developed to create
conditions for E-commerce in South America, i.e., trading between private
companies (B2B). As Bruce Schneier said before, PKI isn't a solution for
all security problems. Probably, other mechanisms will have to be
created, so national and international B2B can happen in a safer way.

Regards,
D.
--
---------------------
Dener Martins
<dener.martins () serpro gov br>
F: (61) 411-8262
