How much for a DoD X.509 certificate?

Anne & Lynn Wheeler lynn at garlic.com
Thu Aug 11 14:55:48 EDT 2005


Peter Gutmann wrote:
> $25 and a bit of marijuana, apparently.  See:
> 
>   http://www.wjla.com/news/stories/0305/210558.html
>   http://www.wjla.com/news/stories/0105/200474.html
> 
> Although the story doesn't mention this, the "ID" in question was the DoD
> Common Access Card, a smart card containing a DoD-issued certificate.  To get
> a CAC, you normally have to provide two forms of verification... in this case
> I guess the two were photo ID of dead presidents and empirical proof that you
> know how to buy weed.
> 
> The cards were issued by Yusuf Khalil Jackson, a man with a long criminal
> history (including, ironically, identity fraud):

one might claim that part of this is the lingering affinity to offline
credentials ... when most really secure operations have gone to online
and realtime operations ... leaving any physical object primarily a
feature of "something you have" authentication that might be used in
conjunction with other authentication factors.

the issue with many offline credentials is that they are left over from a
bygone era that is rapidly disappearing, but some of the legacy mindsets
still linger on.

the issue was raised in the mid-90s in financial infrastructures ...
that such offline credentials ... even though superfluous and redundant (in
a modern online world) wouldn't actually be hurting anything (other than
possibly the out-of-pocket expense to support such operations).

the danger did show up when operations were tempted to use the redundant
and superfluous credential in lieu of doing an actual online operation.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com