[HN Gopher] NIST: Personal Identity Verification (PIV) of Federa...
___________________________________________________________________
NIST: Personal Identity Verification (PIV) of Federal Employees and
Contractors
Author : stefankuehnel
Score : 104 points
Date : 2024-03-23 14:04 UTC (1 days ago)
(HTM) web link (nvlpubs.nist.gov)
(TXT) w3m dump (nvlpubs.nist.gov)
| acidburnNSA wrote:
| I'm glad they explain how to write names on the card for even
| very long names, like: "Dingo Pontooroomooloo Vaasa Silvaan
| Beenelong Wooloomooloo Warrandyte Warwarnambool"
| deepsun wrote:
| How?
| bee_rider wrote:
| Table 4-1 on page 44, I think.
| mschuster91 wrote:
| To send you down a bit of a rabbit hole: ICAOs standard 9303
| [1] on how to _abbreviate_ long names for use on the MRZ of
| international travel documents uses the exact same examples.
|
| [1]
| https://www.icao.int/publications/Documents/9303_p4_cons_en....
| (page 30)
| omoikane wrote:
| I wonder how they came up with this. I thought it was unique
| to FIPS 201 but looks like ICAO has it too. Is there like a
| lorem ipsum generator but for text that looks like names?
| doctor_eval wrote:
| That is weird. Dingo is an Australian native dog. Wooloomooloo
| and Bennelong (slight spelling difference) are in Sydney,
| Australia. Warrandyte is an outer suburb north of Melbourne.
| Warnambool (not Warwarnambool) is a town to the west of
| Melbourne. I've been to all of them.
|
| Why so much Australian in this example?!
| rkeene2 wrote:
| PIV and CAC (DOD, but is now a PIV with CAC-NG) has been around
| for a very long time. Passwords haven't been permitted in the US
| Government since a short time after the signing of HSPD-12 in
| 2004.
| joesnark727 wrote:
| Lol
| joesnark727 wrote:
| https://www.crn.com/news/security/2024/ivanti-discloses-
| fift...
| codeslave13 wrote:
| That's blatantly false. I just left an agency with passwords on
| all their unix boxes. With zero rotation policies. It's a
| shitshow
| Abekkus wrote:
| You both can be right, US Gov will write well-intentioned
| policy that none of their live teams can keep up with, even
| after 20 years, _and_ I haven't yet seen a practical
| enterprise authentication architecture that doesn't fall back
| on passwords somewhere.
| rkeene2 wrote:
| Within the DOD the most common solutions are SSH keys using
| the CAC, Kerberos with PKINIT, or using some type of
| intermediate systems to handle the auth like CA PAM.
|
| There can still be a root password for emergencies, but it
| wouldn't be available for remote access -- ILOM or some
| other BMC (or even a serial port concentrator) would be
| configured for HSPD-12-compliant auth for remote console
| access, then you would use the root password for system
| access (though you could also just reboot into a separate
| operating system, since disk encryption isn't required
| except for mobile devices).
|
| I'm not sure what the above poster's command or
| organization was doing to comply with HSPD-12, but they
| were most likely doing something. The compliant reports are
| generally public, also.
| imwillofficial wrote:
| Having a long and storied history in DoD contracting, this is
| not the case.
|
| CAC login is for web only in most cases.
| evanjrowley wrote:
| PuTTY-CAC was an interesting, although imperfect solution
| to using PIV/CAC cards together with SSH. I remember
| piloting it from 2013-2014 at an agency. Back then, it
| was maintained by Dan Risacher[0]. Nowadays it is
| maintained on GitHub[1] and adopted some interesting
| features like FIDO.
|
| [0] https://risacher.org/putty-cac/
|
| [1] https://github.com/NoMoreFood/putty-cac
| rkeene2 wrote:
| I started out as a federal civil servant in the late 90s
| working for the Navy and switched to contracting shortly
| thereafter, working at mostly US DOD customers (Navy,
| Army, USSOCOMHQ), but also DHS (HQ and all components
| minus SS and CG).
|
| In my experience, at every place we had a different
| approach but all satisfied HSPD-12 and did not use
| passwords shortly after the various directives were
| promulgated through the various channels, except on
| classified systems since there wasn't a procedure at the
| time to declassify the CAC/PIV after periods processing
| -- though there were plans for changing that, and it may
| be resolved by now.
| imwillofficial wrote:
| I won't go into detail, but my experience was not the
| same, not even close.
| ptcrash wrote:
| Yes but PIV/CAC identity is not related to break-glass
| passwords. They both serve different purposes and it's
| safe to assume that the typical government worker will
| only ever need to use their smart card to authenticate
| into systems.
| jhbadger wrote:
| But could you get into the network to access the UNIX boxes
| without a PIV card? That's how the NIH works -- the UNIX
| boxes do have passwords, but unless you are on campus you
| have to connect to the VPN with your PIV card first.
| rsfern wrote:
| NIST has a similar setup. There's an exemption for e.g.
| summer students who are issued temporary non-PIV badges,
| but they're issued a yubikey that's required to access the
| network from off campus.
| p_l wrote:
| Recentish Yubikeys have PIV functionality too (I have
| used that to log in to a work MacBook in place of passwords)
| pigbearpig wrote:
| Maybe, just maybe it's possible the US Government is an
| enormous entity and there could be some inconsistencies.
| torstenvl wrote:
| It depends. There are IL2-exposed sites that permit password
| login, and interface with IL4 backends (milConnect and DEERS,
| MOL and MCTFS, etc.). I'm not sure what the ATO process looks
| like for those systems though. But you're not getting direct
| IL4+ access without a CAC somewhere.
| jki275 wrote:
| LOL.
|
| Nice theory, but has no actual connection to the real world.
| tiffanyh wrote:
| (2022)
| wolverine876 wrote:
| (PDF)
| sparcpile wrote:
| I use a PIV Badge as a FAA contractor. We're told to never use
| the PIV badge as a means of identification anywhere. The
| documentation doubles down by mentioning to never use it as an ID
| at an airport. I've been told it is because FAA employees would
| use it and the airline workers would then freak out that the
| employee was there to inspect them.
| plasma_beam wrote:
| I'm a contractor for DHS and heard a rumor a long time ago that
| you could get special treatment with TSA agents when using your
| DHS badge as identification. Yeah no. Doesn't work :) Southwest
| did give me a free drink one time though and thanked me for my
| service - they saw the laptop and PIV plugged in while I was
| working on the plane and thought I was military. I did correct
| them but also took the free drink.
| saghm wrote:
| > We're told to never use the PIV badge as a means of
| identification anywhere
|
| I must be misunderstanding what you mean by this, because I'm
| struggling to fathom what possible use a "personal identity
| verification badge" could possibly have _other_ than as a means
| of identifying yourself.
| aimonster2 wrote:
| You don't use your PIV anywhere because you don't want your
| creds--certs, etc--to be swiped. You use it for facility access
| and PKI.
| hendler wrote:
| Not sure why this was posted and made it to the front page but
| identity is certainly critical infrastructure with further
| challenges coming soon.
|
| Surprised no one has mentioned the open sourcing of the Orb in
| this context https://worldcoin.org/blog/engineering/worldcoin-
| foundation-...
| deathanatos wrote:
| I had to get one of these recently. (And thankfully, I am done
| with the government for a while.) If you want a process that will
| make you believe "wow, we have too much bureaucracy in this
| country", then get a PIV card. By the end, I thought I was
| definitely just being strung along in some sort of eternal joke,
| and had started joking that the reward for completing forms was
| more forms.
|
| So many forms. Randomly imposed, arbitrary deadlines that were
| utterly impossible. (And ... not really deadlines, since you can
| just email and say a polite "how about no" & magic extensions
| happen.) Forms that were submitted by encrypting them into a zip,
| and then sending zip+password in an email...?
|
| The person who fingerprinted me was royally annoyed at me for
| showing up with all the materials their office had told me to
| show up with, but _not_ having the materials that I wasn't told
| to show up with. (And that I wasn't "in the system" -- okay. I'm
| new! I don't know why that is, nor who to ask, nor what 98% of
| the acronyms mean.)
|
| You want to _stop_ being a contractor, and give the PIV card
| back? More forms.
|
| I started jokingly wondering when signatures in blood happen.
|
| Definitely wasn't worth it, in my case.
| Avamander wrote:
| It's weird to read this coming from a country that basically
| bundles PIV with your ID. Once every few years you take a new
| picture and go grab it from a police station in half an hour
| and that's basically it.
|
| And at the same time support this widespread would not exist
| without the U.S. using PIV, so I'm glad people bother :D I also
| recall some U.S. government site recommending a small and sleek
| card reader designed here (folds into a USB-stick shape).
|
| Hopefully these processes improve and systems become more
| interoperable cross-borders at some point.
| 2devnull wrote:
| "Forms that were submitted by encrypting them into a zip, and
| then sending zip+password in an email...?"
|
| I suspect that's not too uncommon.
| GauntletWizard wrote:
| I'm working on a personal project using PKCS11 stuff. I'm glad
| for the commonality of PIV cards - It's a terrible standard but
| it's intercompatible enough that it's made HSMs suitable for SMB
| very cheap.
| rkeene2 wrote:
| I do a lot of PKCS11 stuff, let me know if there's something I
| can help with.
| EvanAnderson wrote:
| PIV cards in Windows work shockingly well out of the box. I
| bought some Taglio-branded PIV cards to play with and have
| certificate-based logon to my webserver going in just a couple
| of hours. Logon to Windows itself took more work but wasn't too
| difficult.
| 1attice wrote:
| Does literally no one in the US federal government use online
| dating/hookup services? _how_ is this called PIV. Like, the
| giggling alone would disqualify me from most jobs
___________________________________________________________________
(page generated 2024-03-24 23:02 UTC)