Wednesday, March 16, 2005

Smartcard Token

God, this week at work is slow; nothing much is going on. I’ve been chasing timelines for the delivery of requirements for a PKI deployment. There is a lot of interest in the service but nobody is prepared to actually define what they need and when they need it by. I think I should change my job title from Enterprise Architect to cat herder. The technology is simple to deploy but it’s the trust model that’s proving the most tricky. The bottom line is that nobody appears to trust anybody else to attest to the identity of an individual. I’m in my fifth year with this job and this is the third PKI project I’ve tried to get off the ground; every year people say to me “this is the year of PKI”.

There is an interesting debate around whether a digital certificate by itself can be considered strong authentication. The age-old mantra of two-factor strong authentication (any two of something I have, something I know and something I am) does not sit easily with certificates. If the certificate and its private key are stored on my unencrypted file system and the only mechanism protecting them is a password, can they truly be seen as something I have? Anyone who copies the key file can guess that password offline at their leisure, with no lockout and nobody notified, so the “something I have” collapses into something I know. The underlying issue is whether the certificate can be irrevocably tied to a single identity, and in the case of a password-protected key file that attestation of identity cannot be assured. The situation improves by making the credential portable on something like a smartcard, or by binding it to the physical device using technology like the Trusted Platform Module. In both cases the private key is generated and held in tamper-resistant hardware and cannot be exported (the certificate itself is public and needs no protection), so I have to marry my PIN or password with a physical device (PC or smartcard) to prove identity. With a TPM or smartcard we are moving towards meeting the requirements of strong authentication. I’ve been in favor of a physical biometric (tamper-proof identity card) for building access that also delivers access to the corporate desktop, acting as secure storage for signing and encryption keys.
This works very well for corporate devices that support smartcards, but what happens when I need to access corporate data from a third-party device? This brings us back to some sort of token-based authenticator. I can get a token that acts as secure storage and also provides the flexibility of certificate storage, but the form factor sucks as a physical biometric. Perhaps the answer for the next few years is a move towards smartcards for corporate access and an additional token for the mobile executive.
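To make the “something I have” argument concrete, here is a small Python model I’ve added to this post (it is not from the original text, and it uses no real token or PKCS#12 library). It contrasts a password-protected key file with a key held on a smartcard. The file side follows the PKCS#12 pattern of a password-derived key plus an integrity tag, with a toy XOR wrapping standing in for the real cipher, so that an attacker holding a copy of the file can test guesses offline without limit. The card side models a non-exportable key, on-device PIN verification and a retry counter, with HMAC standing in for a real signature. The wordlist, PIN and key bytes are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example (not from the original post).
PRIVATE_KEY = os.urandom(32)            # stands in for the user's signing key
WORDLIST = ["password", "letmein", "Welcome1", "Spring2005", "pki-rocks"]


def make_keystore(private_key: bytes, password: str, iterations: int = 2048) -> dict:
    """File-based keystore in the style of a PKCS#12 bundle: the key is wrapped under a
    password-derived key and an HMAC tag lets the opener check the password.  The XOR
    keystream is a toy stand-in for the real cipher; what matters is that everything
    needed to test a password guess is inside the file itself."""
    salt = os.urandom(8)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                                  dklen=len(private_key) + 32)
    stream, mac_key = derived[:len(private_key)], derived[len(private_key):]
    wrapped = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}


def open_keystore(store: dict, password: str):
    """Return the private key if the password is right, else None."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), store["salt"],
                                  store["iterations"], dklen=len(store["wrapped"]) + 32)
    stream, mac_key = derived[:len(store["wrapped"])], derived[len(store["wrapped"]):]
    tag = hmac.new(mac_key, store["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, store["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(store["wrapped"], stream))


def offline_attack(store: dict, wordlist):
    """Attacker who copied the file: unlimited guesses, no lockout, nobody notified.
    Returns (password, key, guesses_used) or None."""
    for n, guess in enumerate(wordlist, 1):
        key = open_keystore(store, guess)
        if key is not None:
            return guess, key, n
    return None


class Smartcard:
    """Model of a smartcard/TPM-held key: the key never leaves the device, the PIN is
    checked on the device, and a retry counter blocks the card after too many failures."""

    def __init__(self, private_key: bytes, pin: str, max_tries: int = 3):
        self._key = private_key
        self._pin = pin
        self.tries_left = max_tries
        self.blocked = False

    def export_key(self):
        raise PermissionError("private key is non-exportable")

    def sign(self, pin: str, message: bytes) -> bytes:
        if self.blocked:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            self.blocked = self.tries_left == 0
            raise PermissionError("wrong PIN")
        # HMAC stands in for an RSA/ECDSA signature computed inside the card.
        return hmac.new(self._key, message, "sha256").digest()


def online_attack(card: Smartcard, wordlist, message: bytes = b"login challenge"):
    """Same wordlist against the card: every guess costs a retry, and the card blocks."""
    for n, guess in enumerate(wordlist, 1):
        try:
            return guess, card.sign(guess, message), n
        except PermissionError:
            if card.blocked:
                return None
    return None


def demo(password: str = "Spring2005") -> dict:
    """Run both attacks with the same (weak) secret protecting the same key."""
    store = make_keystore(PRIVATE_KEY, password)
    card = Smartcard(PRIVATE_KEY, pin=password)
    return {
        "file_attack": offline_attack(store, WORDLIST),
        "card_attack": online_attack(card, WORDLIST),
        "card_blocked": card.blocked,
    }


if __name__ == "__main__":
    result = demo()
    print("file keystore: password recovered after",
          result["file_attack"][2], "guesses ->", result["file_attack"][0])
    print("smartcard: attack result", result["card_attack"],
          "| card blocked:", result["card_blocked"])
```

With the same weak secret on both sides, the file yields the key on the fourth guess, while the card blocks itself after three wrong PINs and the key is never recoverable at all, which is the whole difference between a password and a possession factor.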
