PKI Infrastructure or LDS Account?

Use this forum to discuss issues that are not found in any of the other clerk and stake technology specialist forums.
Post Reply
User avatar
njalsson
New Member
Posts: 6
Joined: Wed Jun 23, 2010 5:52 pm
Location: Manitoba, Canada
Contact:

PKI Infrastructure or LDS Account?

#1

Post by njalsson »

Firstly, pardon me in advance and please re-direct me if there is a post addressing this very subject somewhere here on the forum site!

I´m certain that PKI was discussed already during the 1990´s within the LDS Church as an authentication and security technology. In part, as has been the case in many governments and organizations, the LDS Church as moved toward the "centrally-stored credential" model in the form of LDS Account. This is in keeping with Church technology and information storage policy in general, and thus understandable.

However, my question is: What about a decentralized digital certificate solution where identity authentication takes place locally through government issued ID documents verified by local personnel in addition to Church records? In addition to authentication, which LDS Account provides a solution for, the card-based external digital certificate could allow verified users to have a qualified certificate and to sign documents as needed and provide evidence of affiliation to other members who do not have access to checking membership status or records. The e-certificate could be cancelled just as quickly as an LDS Account through the usual PKI procedures for revocation.

This is without prejudice to the aspect of "roles" and access privileges which of course LDS Account shall handle by definition.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#2

Post by russellhltn »

njalsson-USCJobserver wrote:provide evidence of affiliation to other members who do not have access to checking membership status or records.
I don't fully understand what you are asking, but I do understand the above. I'm not sure as the church has any need or interest in providing that functionality. While you and I might want to be able to verify each other as members of the church, I'm having difficulty in seeing how that would benefit the church or church members in carrying out their callings.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
User avatar
njalsson
New Member
Posts: 6
Joined: Wed Jun 23, 2010 5:52 pm
Location: Manitoba, Canada
Contact:

Digital Signature Funcationality Would be One Added Benefit

#3

Post by njalsson »

Indeed, at least one added benefit would be the possibility of a digital signature which is a legally recognized method of signing documents and making them legally binding.

In particular, the question has to do with "centralized vs. decentralized" PKI or certificate arrangements. Why is for instance LDS Account better than a card-based or memory device-stored digital certificate held by the member or officer? In fact, I had hardly skimmed through the forums before encountering a security-vulnerability-related posting regarding LDS Account, a vulnerability which is very well-known for centrally stored credentials. Security is definitely a relevant issue. In addition to remembering a password ("What you Know"), with a decentralized PKI credential such as a digital certificate stored on a separate device which you can take with you, even a malicious or poorly designed service or site that the user has given credentials to cannot use them, since it does not have the device ("What you Have"). That is one of the major points I am getting at here with my original question.
RussellHltn wrote:I don't fully understand what you are asking, but I do understand the above. I'm not sure as the church has any need or interest in providing that functionality. While you and I might want to be able to verify each other as members of the church, I'm having difficulty in seeing how that would benefit the church or church members in carrying out their callings.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#4

Post by russellhltn »

njalsson-USCJobserver wrote:Indeed, at least one added benefit would be the possibility of a digital signature which is a legally recognized method of signing documents and making them legally binding.
Call me dense, but I'm having a problem coming up with places where that's needed in the church. I can think of a few places it could be used, but they don't require that level of security.
njalsson-USCJobserver wrote:Why is for instance LDS Account better than a card-based or memory device-stored digital certificate held by the member or officer?
From what I've seen the number of members who bother to get a LDS Account is rather small. To have to get a card or tie it into an existing card would be additional work and likely result in an even smaller number of members getting one.

Good engineering is the art of compromise. I suspect that LDS Account offers adequate security for most needs and is as easy to get as we can make it and still offer the needed level of security.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
User avatar
nbflint
Member
Posts: 204
Joined: Mon Mar 12, 2007 9:07 pm

#5

Post by nbflint »

Many members already have difficulty with a single stage authentication. Introducing another, while more secure, has the potential to discourage use of the systems being protected. In the Government sector and Corporate environments the entity implemented 2 stage authentication has quite a bit of leverage to enforce its use. If I don't sign on to the corporate network to work I don't get my paycheck.

The church has no such leverage nor should it. As such, implementing a 2 stage implementation would, in my opinion, be harmful to church's technology goals as related to church membership and publicly accessible systems as a whole.

User avatar
njalsson
New Member
Posts: 6
Joined: Wed Jun 23, 2010 5:52 pm
Location: Manitoba, Canada
Contact:

Security vs. User-friendly

#6

Post by njalsson »

If I understand both of you, the issue is of trade-off between security and user-friendliness. This is also a known issue. In fact, it has been one of the major stumbling blocks for programmes such as the "Henkilön sähköinen tunnistus (HST)" or EID card project in Finland, during the period 1998-2008. While these national electronic ID cards (I actually have one) are police-issued and very secure and include the use of digital signing, no proper studies were done to see how many would use them (we are actually only about 180 000 subscribers). Regular users preferred logging onto government and private services with their Internet Bank ID's and lists of one-time codes.

But there is another side to the story. Exactly the same security vulnerability that has been discussed here regarding a site that gathers LDS Account credentials and re-uses (abuses?) them has been the source of problems in countries such as Norway where so-called Bank ID (banklagret ID) or centrally-stored credential have been preferred over device-based certificates. And now there is a storm of sites and services which are opting out or altogether refusing to use this type of credential and are moving over to the device-stored certificate implemented by a company called "Buypass" in Norway. However, Canada has adopted without issue (at least to my professional knowledge) Entrust´s "True Pass" technology which again is a centrally stored credential which they call "E-pass".

Sorry to make things more complex with these details. I´m just trying to bring up known issues and questions in order to better understand for instance why the Church has chosen one or the other and perhaps what we should think about when possibly adopting similar technologies within the Jewish community and organizations.
nimebe wrote:Many members already have difficulty with a single stage authentication. Introducing another, while more secure, has the potential to discourage use of the systems being protected. In the Government sector and Corporate environments the entity implemented 2 stage authentication has quite a bit of leverage to enforce its use. If I don't sign on to the corporate network to work I don't get my paycheck.

The church has no such leverage nor should it. As such, implementing a 2 stage implementation would, in my opinion, be harmful to church's technology goals as related to church membership and publicly accessible systems as a whole.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#7

Post by russellhltn »

It has been observed a few times that the church follows the technology and perhaps customizes it, but rarely leads or develops it. (There are a few exceptions, such as in the area of Family History)

I'm not sure what it's like up there in Canada, but in the US I've only been issued two smart cards in my entire life. Once, I had a military CAC card for some contract work I was doing. It was only used as a ID card and the smart features were never used. The second was the original American Express Blue card. It came with a card reader that I could attach to my computer. I never did use that feature. I accessed my on-line banking the traditional login/password method. The replacement card has some kind of wireless chip embedded, but I'm not sure as it's capable of of anything more then just IDing itself.

While the church does have need of security, it's no where near the security needs of on-line banking. And I've seen no sign of the technology you speak of appearing in those areas. Until this technology becomes common, I would not expect to see it in the church.

If we were to dig deeper, we might find areas of the church that have need of higher security, and I'm sure we'd find appropriate measures being taking in those cases.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
User avatar
njalsson
New Member
Posts: 6
Joined: Wed Jun 23, 2010 5:52 pm
Location: Manitoba, Canada
Contact:

#8

Post by njalsson »

RussellHltn wrote:It was only used as a ID card and the smart features were never used. The second was the original American Express Blue card. It came with a card reader that I could attach to my computer. I never did use that feature. I accessed my on-line banking the traditional login/password method.
Yeah, I see the pattern. This is what a lot of users are doing. Once you need a card reader or there are even minor compatability issues (ex. browser Explorer, Firefox, Opera,etc.), then we witness a huge dropoff in uptake or use. People are still sending unencrypted e-mails with sensative business or personal info even today, despite all knowledge of risks. Encryption and signing require a little more effort and technology and most seem to feel uncomfortable with that.

The situation in Canada, as per your question, is pretty much the same as in the US. However, in the Nordic countries where I have also lived and worked and in the EU the banking is more technologically advanced than in North America and EID or Electronic ID SmartCards are widespread and pretty much the norm in most of the EU countries. They are government-sponsored. In the US and Canada if indeed anyone has used a smartcard it is most always a private-sector application.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#9

Post by russellhltn »

njalsson-USCJobserver wrote:In the US and Canada if indeed anyone has used a smartcard it is most always a private-sector application.
I wonder how many are driven by self-initiative and how many are driven by regulatory or contractual requirements?
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
Post Reply

Return to “General Clerk Discussions”