[CAP] Decrease milling when increase trust RE: Vol7 #2

Sun Jan 8 15:04:42 PST 2006

Mick,

There are 3-4 implementation patterns in use out there now.    And have
some applicability to the emergency services business.

1.  The DoD approach is to re-issue everybody a new ID card (known as a
CAC, for command access card).  The smartcard, once the issuers get it
right (no, ours didn't the first time), contains both private and public
keys with a passphrase to control access.  There's a common database
(think LDAP) within DoD so you can look up a public key much like
looking up a phone number.  (indeed, it's informally called the white
pages).

	I think this model would make sense for government employees like fire
and police department personnel.  But it's not appropriate for the great
unwashed masses that we tend to call NGOs.

2.  Open source software distribution is commonly protected by digital
signatures today.  RedHat, for instance, has a readily-available public
key.  Downloads are digitally signed, including the nightly updates.
And operating system distributions have root public keys included in the
distribution (Microsoft has a lot of these pre-installed in current
flavors of Windows).  If you believe uSoft's distribution, then you can
believe the root keys.  

	This model is probably the closest to what you want for general public
warning (which is where this thread started).  The agencies issuing
warnings get their X.509 credentials and then make the public keys
readily available in the application software that would use the
warnings they'd put out.  

3.  The PGP (now GnuPG) model is a no-budget one.  The mechanism for
exchanging public keys with people you know and then letting the 'web of
trust' grow like so much mold is there.  But there's no central
database.

	For those ad hoc disaster responses where you need to exchange a
handshake with whoever shows up (the j-random NGOs) and then do business
with them fits this model.  There is, of course, no reason you can't
exchange credentials, but you need to accompany them with some caveat
emptors.

4.  IEEE 802.16 (industry association is WiMAX) includes a PKI mechanism
for access control to the network.  (We haven't found a real live
implementation yet to test in the lab, but I've read the standard and
have a student's thesis on the shelf on the subject.)  In this case,
manufacturers embed the X.509 credentials in the interface hardware,
just the way your MAC address is embedded in your ethernet interface.
When a new subscriber enters an 802.16 network, part of the entry
protocol is to exchange these X.509 credentials with the base station.
That allows some of the MAC layer messages to be protected -- designed
to prevent theft and denial of service attacks.  

	This approach makes sense if you can have a centralized (or at least
controlled) distribution of the software used in a disaster relief
operation -- you can embed the X.509 credentials on a 'live CD'.  The
diff is that here they're used at layer 7 where in the .16 example
above, they're being used at layer 2.  

Any help?

On Fri, 2006-01-06 at 14:37 -0500, Mick Jagger wrote:
> > is the appropriate way to digitally sign these messages.  External to
> > the standard, we need to have a public key infrastructure that supports
> > verification of the public keys.
> 
> I'd certainly like to see some discussion on developing this public-key system.  The XML signing/security method is pretty much left up to the implementer at this point.  But in advance of any future standard, there could be some informal best practices and system design done.  Is anyone using a PKI system for CAP right now?  I've been experimenting with an x509 system for a single point source with a specific transport type (one server to many clients over HTTP).  But interoperability and multiple transport methods is a problem.