Policy, technology, and business cases remain hypothetical
Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary, MacGregor says.
“The chief negative of this approach is the complexity,” MacGregor says. “It needs interaction with a mobile device manager.”
Enhanced PIV and derived credentials are the focus of NIST’s current efforts to enable the PIV with smart phones, MacGregor explains. Derived credentials are also mentioned in NIST’s Special Publication 800-63-1 which focuses on electronic authentication.
The mention of derived credentials is in a generic form and not specific to PIV, says Hildegard Ferraiolo, a computer scientist at NIST. If derived credentials were to be included with PIV it would be included in the next draft of FIPS 201-2, which is expected sometime in the first half of 2012.
The notion of an enhanced PIV and derived credentials brings up some thorny policy issues, says Gemalto’s Pattinson. “NIST has a PKI policy that only allows digital credentials to be present on a smart card form factor,” he explains.
There is also an issue of dealing with the same credential in more than one place. “How do you end up with one card in your hand and another in the phone?” Pattinson questions. “You can’t have the same key in two places.”
This also doesn’t solve the problem of being able to decrypt email on mobile devices. “When a PKI credential is made on a PIV there are several keys and certificates associated with different functions, for example decryption, digital signature, key exchange, among others,” Pattinson says.
Decrypting an email is more complicated than it sounds. For a person to send an encrypted email there has to be an encryption public key certificate available to the sender to encrypt the email so only the recipient can read it, Pattinson explains.
The private key associated with this public key may be only known to the original PIV as it was generated on card at the time of issuance or activation. The private decryption key may never leave the card. In the case of a derived credential, if it does not have the original private key for decryption, there may not be an ability to decrypt the email.
However even this isn’t a hard and fast rule. Some agencies “escrow” the private decryption key initially generated off card or securely extracted off the card. This is done to allow for situations where cards are replaced or lost but the need to decrypt older email remains.
That’s just one example. Figuring out how to handle these policy issues is going to take some time, possibly one to two years, Pattinson predicts.
As the policy issues are being addressed, the technology continues to evolve. The lack of NFC handsets is one issue holding back mobile identity efforts, says Jon Callas, chief technology officer at Entrust. In the U.S. there are just a handful of NFC devices on the market, a couple of Blackberry and Samsung models but that’s it, he says.
Google with Android and Apple with iOS must progress to make identity better in mobile operating systems, Callas adds. He believes identity should be embedded into the device, and not the decision of third-party apps. Consumers should be able to control the identity as they wish, he explains.
“The operating system vendors will start to solve this problem by putting container support on the devices so that people can do identity on their own,” Callas adds.
Nobody buys a new handset based on identity, Callas explains. “Identity wasn’t on the list of reasons why I bought my phone,” he says. “You buy a mobile because you want that device.”
Though the mobile identity market has progress to make, both the technology and consumer adoption move quickly. Because handsets are relatively inexpensive they are replaced every one to three years, Callas explains.
While both the technology and policy need to advance before mobile identity is widespread this rapid pace of consumer adoption bodes well for the market. But officials must keep this pace in mind as they define policy. “Frankly, the technology is changing faster than we can keep up with,” says Zok.
The goal of mobile credentialing is to enable an individual to have the same level of interaction with a system on the handset as they would on a laptop or desktop, says Jerome Becquart, vice president and general manager of identity assurance at HID Global.
HID acquired ActiveIdentity and its smart card middleware. The company is porting that software to the mobile device for access to secure email and virtual private networks, Becquart says. To date, however, the company hasn’t seen much call for the technology because the U.S. government’s policy requires the use of a smart card and PIN.
HID partnered with Good Technology to deliver new government-strength, two-factor mobile authentication and credentialing solutions for the iOS and Android platforms. The new solutions will couple the security capabilities of Good for Enterprise and Good for Government with the authentication technology of the ActivIdentity ActivClient Mobile middleware to make it easier for federal employees and the companies that support them to gain access to pertinent applications using their mobile device while maintaining necessary security levels set forth by their Information Assurance personnel.