Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC
- Subject: Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 16 Apr 2014 19:33:16 +0000
- Thread-topic: [Fed-Talk] DISA to test mobile ID, replacement for CAC
Good to know. Recover-to-software vs. recover-to-card is an option to the issuer/agency under the PIV spec, so this could be either an issuer-imposed limit or an agency negotiated feature.
The perceived security is higher and portability is higher for recover-to-card but utility is lower because the card has limited space and it rules out uses such as this. Personally I have as of this writing 10 keys in escrow, any one of which I could need at some point, so you can see how recover-to-card can get cumbersome.
I wouldn't expect derived credentials to include encryption keys in any event, since if you do that you won't be able to read your own email without recovering the derived key to the card. Since any person could have multiple sets of derived credentials at any given time, this makes the recover-to-card problem worse. It's simpler in the long run to provision the current escrowed encryption key to the device during derived credential enrollment, so that's what I would expect from the PIV SSPs as well.
-- T
>-----Original Message-----
>From: Neely, Lee [mailto:email@hidden]
>Sent: Wednesday, April 16, 2014 2:17 PM
>To: Miller, Timothy J.; 'Blumenthal, Uri - 0558 - MITLL'; Fed Talk
>Subject: RE: [Fed-Talk] DISA to test mobile ID, replacement for CAC
>
>Agree on escrow, and reasons behind. Our problem is they are not
>exportable, so we cannot export the private key onto our mobile devices.
>That decision goes back to GSA/Entrust/US Access. We are currently
>restricted to issuing PIV certificates (As in key recovery) to Smartcard devices.
>My understanding is CAC is not so restricted.
>
>Lee
>
>
>-----Original Message-----
>From: Miller, Timothy J. [mailto:email@hidden]
>Sent: Wednesday, April 16, 2014 12:02 PM
>To: Neely, Lee; 'Blumenthal, Uri - 0558 - MITLL'; Fed Talk
>Subject: RE: [Fed-Talk] DISA to test mobile ID, replacement for CAC
>
>>Interestingly, the PKI community I work with would love to have some
>>form of derived credential to allow Encryption certificates that are
>>stored in a PIV (or
>>CAC) card to be used on a smartphone without a PIV/CAC reader.
>
>You don't need (or want) a derived credential for this use case. Your PIV
>issuer should be escrowing encryption certificates already, and should be
>allowing users to recover their own. This is required to support access to
>encrypted data after PIV re-issuance, and duplication of that key to a mobile
>device for encrypted email access should be allowed for the same reason
>(e.g., this is an allowed use in the DoD, as long as the mobile device is DoD-
>owned).
>
>-- T
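The escrow-and-recover flow the thread describes, as an added worked example (not code from the Fed-Talk thread or from any PIV issuer). It assumes the `cryptography` package; the escrow store is a plain dict, the KMS master key is stood in for by a constructed passphrase, the released bundle is an encrypted PKCS#8 PEM rather than the PKCS#12 a real issuer would hand to a device, and the subject name, messages and passphrases are constructed. It shows why every escrowed key may be needed: mail encrypted under the key from an earlier card issuance cannot be opened with the current key, so the device has to be provisioned with each escrowed key it needs.

```python
"""Toy model of PIV encryption-key escrow with recover-to-software.

Added example, not from the Fed-Talk thread. Uses the `cryptography` package.
The escrow store, passphrases, subject and messages below are constructed.
"""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ESCROW_PASSPHRASE = b"escrow-kms-secret"  # constructed; stands in for the KMS master key
ESCROW_STORE = {}  # key_id -> escrowed private key (encrypted PKCS#8 PEM)

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def issue_encryption_key(subject, epoch):
    """Issuer generates the key-management keypair and escrows the private half
    (in the real flow it is then injected into the card). Returns (key_id, public_key)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_id = f"{subject}/enc-{epoch}"
    ESCROW_STORE[key_id] = priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(ESCROW_PASSPHRASE),
    )
    return key_id, priv.public_key()


def encrypt_for(public_key, plaintext: bytes) -> dict:
    """Hybrid encryption in the S/MIME style: random AES-GCM content key, wrapped with RSA-OAEP."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    return {
        "wrapped_cek": public_key.encrypt(cek, OAEP),
        "nonce": nonce,
        "ciphertext": AESGCM(cek).encrypt(nonce, plaintext, None),
    }


def recover_to_software(key_id, device_passphrase: bytes) -> bytes:
    """Recover-to-software: the escrow agent releases the key re-wrapped for the
    requesting device (PKCS#12 in practice; encrypted PKCS#8 PEM here)."""
    priv = serialization.load_pem_private_key(ESCROW_STORE[key_id], ESCROW_PASSPHRASE)
    return priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(device_passphrase),
    )


def decrypt_on_device(bundle: bytes, device_passphrase: bytes, msg: dict) -> bytes:
    """The mobile device loads the recovered key and unwraps the content key."""
    priv = serialization.load_pem_private_key(bundle, device_passphrase)
    cek = priv.decrypt(msg["wrapped_cek"], OAEP)
    return AESGCM(cek).decrypt(msg["nonce"], msg["ciphertext"], None)


def demo():
    """Two card issuances for one subject, then provision both escrowed keys to one device."""
    device_pw = b"device-unlock"  # constructed
    kid1, pub1 = issue_encryption_key("jdoe", 1)
    old_mail = encrypt_for(pub1, b"sent before re-issuance")
    kid2, pub2 = issue_encryption_key("jdoe", 2)  # card re-issued: new encryption key
    new_mail = encrypt_for(pub2, b"sent after re-issuance")

    bundle1 = recover_to_software(kid1, device_pw)
    bundle2 = recover_to_software(kid2, device_pw)
    results = {
        "escrowed_keys": len(ESCROW_STORE),  # one per issuance; this is how a user ends up with ten
        "old_mail": decrypt_on_device(bundle1, device_pw, old_mail),
        "new_mail": decrypt_on_device(bundle2, device_pw, new_mail),
    }
    # The current key cannot read older mail: RSA-OAEP unwrap of the CEK fails.
    try:
        decrypt_on_device(bundle2, device_pw, old_mail)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Recover-to-card would differ only in where `recover_to_software` delivers the key: into a card slot instead of a software bundle, which is what makes it cumbersome once several epochs of keys are needed on one device.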
Fed-talk mailing list (email@hidden)
References:
- [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Dan O'Donnell" <email@hidden>)
- Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Martin, Robert A." <email@hidden>)
- Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Miller, Timothy J." <email@hidden>)
- Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Neely, Lee" <email@hidden>)
- Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Miller, Timothy J." <email@hidden>)
- Re: [Fed-Talk] DISA to test mobile ID, replacement for CAC (From: "Neely, Lee" <email@hidden>)