[1252] in cryptography@c2.net mail archive
Re: Fortezza dying on the vine?
daemon@ATHENA.MIT.EDU (Rick Smith)
Fri Jul 25 19:58:31 1997
In-Reply-To: <199707252100.VAA11909@orchard.east-arlington.ma.us>
Date: Fri, 25 Jul 1997 17:59:13 -0600
To: Bill Sommerfeld <sommerfeld@orchard.east-arlington.ma.us>,
Rick Smith <smith@securecomputing.com>
From: Rick Smith <smith@securecomputing.com>
Cc: Vin McLellan <vin@shore.net>, cryptography@c2.net
At 5:00 PM -0400 7/25/97, Bill Sommerfeld wrote:
>One thing I wonder is whether the higher than anticipated
>administrative costs of Fortezza will also apply to smartcard-type
>systems. I'm presuming the expensive part is not the symmetric crypto
>engine part but rather the PKI/digital signature side of Fortezza.
>
>Is it just USG mucking up, or is this going to be a general problem
>with all hardware-widget based systems?
There are lots of hardware based authentication systems out there right now
-- Safeword, SecurID, Digital Pathways, etc. Although the actual behavior
is different than crypto cards (they just generate pass codes), they are
also subject to administrative tinkering like rekeying. Companies that use
them don't seem to find them too expensive to administer.
Other differences that might make a difference:
1) Secret key vs public key. Perhaps this is a wash, since tinkering with
private keys likewise requires secrecy.
2) Elaborate PKI vs enterprise or site based management. This might be a
big one -- it costs less if you don't have to synch up with some higher
level organization in order to validate your keys. The costs of a higher
level PKI don't have to be amortized among its users -- the company
doesn't have to pay for a partial share in someone's Safekeyper purchase or
the armed guards at the bunker's front door.
Another big piece of the Fortezza story is that they sold a demo system,
not one that was ready for use. They tried to push cards out to customers
before they had solid, reliable equipment for certification. They still
don't. Another turnoff has been NSA's policy of subjecting the cards to an
incompatible upgrade about once a year. The cards, CA stations, and all
applications are usually affected. This is not productive.
Rick.
smith@securecomputing.com Secure Computing Corporation
"Internet Cryptography" in bookstores soon http://www.visi.com/crypto/