The following text is copyright 2005 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Maybe it is mulish stupidity after all
By Scott Bradner
Three weeks ago I wrote about the US Government's efforts to keep the pending electronic passport from being too secure. I still do not know for sure why they tried so hard to do this but it is beginning to look like we should apply the old adage 'never ascribe to malice what can be adequately explained by stupidity'.
Deputy Assistant Secretary of State Frank Moss spoke on a panel on electronic passports at the Computers, Freedom, and Privacy conference (http://www.cfp2005.org/) in mid April. The other panelists were well known security guru Bruce Schneier and Barry Steinhardt the director of the ACLU's Freedom and Technology Program. You have to give Frank Moss credit for being willing to come to what was obviously going to be a den of doubters.
The session was well reported by PC World (http://blogs.pcworld.com/staffblog/archives/000616.html) which has also provided audio recordings of the talks. Bruce Schneier spoke first and focused on putting the issues in context. (http://blogs.pcworld.com/staffblog/archives/media/audio/cfp05_passport_panel_bruce_schneier.zip) Next came Frank Moss. (http://blogs.pcworld.com/staffblog/archives/media/audio/cfp05_passport_panel_frank_moss.zip) He said that the government had received over 2,400 comments on the electronic passport proposal. He did not say but it's my guess that most of the comments did not much like the proposal. He said that the passports, which are scheduled to be given to US diplomats this August, would not be implemented unless the government was not sure that they would be safe. (The government doing a test drive of its own targets.) He said that the government was looking at a number of options including building a Faraday cage into the passport to block scanning but then he reiterated that the passports could only be read by a scanner from a distance of 10 cm. He went on to say: "The idea that you can walk down a hallway in hotel and pick out the Americans, is quite honestly, poppycock, the same thing goes for the bar in Beirut. These things can only be read at very short distances." I expect he is right about the hotel hallway but expect he is not correct about the Beirut bar, something that he was about to find out.
Third up was Barry Steinhardt who proceeded to give a live demonstration of scanning a passport, which had been outfitted with a RFID chip of the type specified in the standard, at a distance of three feet. Mr. Moss seems to have finally paid attention when this was demonstrated in front of him because a few days later he told Wired News that the government was suddenly "taking a very serious look" at the scanning issue. He did not say what the result of the serious look might be but maybe they will adopt the Basic Access Control (http://www.icao.int/mrtd/download/documents/TR-PKI mrtds ICC read-only access v1_1.pdf) standard developed by the same people who developed the rest of the standards for electronic passports. See the paper "Security and Privacy Issues in E-passports" by researchers Ari Juels, David Molnar, and David Wagner(eprint.iacr.org/2005/095.pdf) for an analysis of this and other security issues about e-passports.
So maybe it was just that Moss and company just needed to be shown (in public) that they were wrong to get them to listen, we will know soon if they learned any lasting lessons.
disclaimer: Lasting lessons are what places like Harvard are all about but we prefer to not use public embarrassment to get a student's attention anyway the above is my hope, unshared (as far as I know) by the university.