Monday, February 21, 2005

fyi RSA looks ahead on RFID security


Pointer to article:

Kobielus kommentary:
This raises a nightmare scenario in the “identity of things”: a scenario in which every personal “thing” we own or hold becomes a tattletale: a silent RFID beacon of who we are, who they are, and where we/they are.

How to keep this scenario from becoming a reality? Most important, it will have to involve the relying party presenting credentials before the RFID of a personal “thing” can be released. One approach is to require readers to transmit their identity, permissions, and other credentials to the holder of the RFID-tagged thing. The RFID thingholder—a human being or intelligent software agent—will then have the option of granting or not granting the request for RFID, once it has validated the credentials. The thing itself might display the results of that credentials check, or the results might be transmitted via an SMS to the thingholder’s cellphone display. Authorizing release of RFID might then involve pressing some key on the thing, or responding to the SMS, or some other dynamic handshake interaction.

Obviously, such a scenario demands several critical chunks of infrastructure. First of all, it would require that RFID “personal things” (we’re talking your personal possessions, not the RFID-bearing things in a manufacturing supply chain) come equipped with receivers as well as transmitters. Second, it would require a federated IdM infrastructure for registering, issuing, managing, and validating credentials for RFID readers—one that has the capacity to handle the huge and ever-growing transaction volumes. Third, it would require that all RFID-bearing things be engineered to participate in this federated RFIDm environment. Fourth, it would require serious rethinking of user interfaces associated with RFID-bearing things, so as to make it as easy as possible for ordinary people to set up the appropriate rules governing controlled, secure release of their personal, privacy-sensitive RFIDs.

If this sounds like a big kettle of public policy, technical, and usability issues, you’re quite right. We’ve barely begun to think through the many issues that will surface as RFIDs—and RFIDm as a discipline—begin to pervade our lives.