[9790] in cryptography@c2.net mail archive
More on Drivers' Licenses
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Fri Nov 9 16:17:58 2001
Mime-Version: 1.0
Message-Id: <v04210103b80ef4b485f7@[192.168.0.3]>
Date: Wed, 7 Nov 2001 10:06:42 -0500
To: cryptography@wasabisystems.com, dcsb@ai.mit.edu
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
Noah Silva recently brought this interesting 1994 article on DMV data=20
exchange by Simson Garfinkel to the attention of the=20
dvd-discuss@eon.law.harvard.edu list:
>http://www.wired.com/wired/archive/2.02/dmv_pr.html
The article discusses the AAMVAnet system and the extent to which=20
the threat of revocation of driver's license is already being used as=20
a tool for social control. It's also clear that the state DMVs are=20
in a unique position to provide identity information for a future PKI.
I did some poking around on Google to see what has been happening in=20
this area since then. I found the American Association of Motor=20
Vehicle Administrators web site which announces:
"On October 24, 2001, AAMVA's Executive Committee passed a resolution=20
creating a Special Task Force on Identification Security to develop=20
a strategy on enhancing the issuance of secure identification=20
credentials for driver licensing and photo ID purposes, and to=20
develop short- and long-term priorities and actions."
http://www.aamva.com/drivers/drvIDSecurityindex.asp
They already have a standard for Driver IDs that is available on-line
http://www.aamva.com/standards/stdAAMVADLIdStandard2000.asp
http://www.aamva.com/Documents/stdAAMVADLIDStandrd000630.pdf (full text)
It is a very through and detailed document that builds on a raft of=20
existing international standards (smart cards, bar codes, JPEG, etc.)=20
and US DMV and LE practices (data dictionaries, encodings,=20
fingerprint and signature storage, etc.). It does not prescribe any=20
card technology, but sets standards to be used if a technology is=20
selected.
What is strikingly to me about the document is the complete lack of=20
cryptographic standards. The document specifically discourages=20
encryption of machine readable data unless required by law. In a very=20
interesting Appendix H on physical security measures, digital=20
signatures are mentioned only in passing under Machine Readable Data:
"Common techniques to ensure data integrity include:
=AD Check digits and data encryption (presumably with public key encrypti=
on)
=AD For IC cards, tamper detection and chip disabling; and digital=20
signatures for all data written to the chip."
That's it! There is a set of proposed revisions to the standard, but=20
they are only accessible to AAMVA=A0 members. I don't know if the=20
revisions address crypto issues, but from the quote above, I=20
suspect they have a long way to go.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
