I just want to make sure I understand the general position on this issue....
1. Security experts and frequent flyers complain that TSA's BP/ID checks can be thwarted by forging or altering the boarding passes at home.
2. In response, TSA and the airlines test encrypted boarding passes, which would make it more difficult or impossible for the average person to forge or alter a boarding pass successfully.
3. Some of the same experts and frequent flyers who complained about the forgery problem complain that the new measure may inconvenience them by making it more difficult for them to forge or alter their boarding passes.

Am I missing anything?

yeah like the whole point that none of it adds to security just hassle and alot of expense ontop of the mt Everest sized turd called tsa

The need for a more secure boarding pass has been discussed many times, by many people. I suggested the need for a secure boarding pass on my blog back in October. It has nothing to do with terrorism, but more to do with seeking out a way to verify a boarding pass. The hard part is making a secure boarding pass, that also removes the TSA from handling airline revenue issues.

I wrote about this topic in detail today on my Boarding Area blog here:
http://boardingarea.com/blogs/flying...-last-october/

Thanks for the link. Good article.
Personally, I'm not convinced that the focus on boarding passes and ID is the best place to spend security resources. (Of course, I'm also certain that I'm not privy to all the relevant info.) I just wanted to make sure I hadn't missed some part of the debate.

Spot,

There are various ways the TSA can focus its resources on security, outside of the encrypted bar code.

For economic resources, the bar code is really more effective as an airline revenue management tool. As airlines continue to roll out 'e-boarding pass' on Mobile Phones & PDAs, the scanners will be deployed eventually to most TSA check points and airlines will cover the expense of creating the encrypted boarding pass system, the actual costs will be minimal.

The DHS needs to refocus the role of the TSA and this new system will have its complications, but it can be a good thing if implemented correctly.

There is no real hassle with the scanning of an encrypted bar code. You hand the boarding pass to the TDC, they scan it while staring at your ID with a flash light and magnifying glass.

Either it matches up or it doesn't. It should actually reduce hassles.

I certainly think the encrypted BPs can be a good thing, especially if the program is a partnership with the airlines (as in, good for both the airlines and TSA, and supported by both groups). The potential problems, however, concern me.

I certainly don't want futher mission creep within TSA. Our job is not to run a criminal dragnet, and the notion of using this type of system to check NCIC status, or and criminal or immigration inquiries. I grow increasingly concerned when I hear about proposals to use TSA ID checks for this purpose. I see the value of getting bad guys off the streets, but I think the cost in decreased civil rights is too great to bear.

Furthermore, in the current economic and political situation, government should be particularly critical of where it spends cash and other resources. If this can yield real security benefits that are directly related to TSA's mission, I am glad for it. I have not read anything in public sources that indicates the sort of benefit I would hope to see.

On the other hand, if this is an item that the airlines want to offer, and TSA is merely cooperating with industry requests, I think it should be explained as such. After all, regulatory agencies are not supposed to inhibit or harm the growth and development of private industry. Regulatory agencies are simply supposed to make sure that public interests and safety are protected.

Ah, there's the rub. TSA has a history of stuffing up the introduction of new technology, from unreliable puffers to "kindergarden safe" mmw scanners to inspecting print-at-home BPs with blacklights. :rolleyes: Why would this be any different?
That assumes that the accuracy of the scanning is 100%. I wouldn't bet on it. Especially when the outcome of a false positive is being handed over to the police. :eek:

As I said elsewhere, I think this is the "new toy" syndrome rather than any genuine attempt at (imaginary) security.

And checking IDs does not add to security, nor is it TSA's job to protect airline revenue or catch criminals.

I can confirm.

Fish i was talking about from the airlines side from IT implementation, and even more on TSA for having to buy yet another gadget(to add to the black light) to waste tax payer money for no benefit. Its a 360 degree waste of money and time on all fronts for no benefit

you dont even have to get me started on the ID checking thing as thats BS from the word go, even more so that its not compared to anything. I could care less about fakes because 99.999% TSA doesnt know the difference between real and fake anyways unless it was a poor job that a blind person could pick out at a 100m. I also know where i can get novelty IDs that are dead on that even the cops cant tell there fake as there encoded correctly down to the RFID and mag strips.

Name-matching accuracy done comparing two printed documents is higher than of name-matching done comparing a printed document and an electronic display. That means a slight name adjustment that beats Soundex-type processing would work for a person whose name is on the blacklists to actually avoid the blacklists still -- at least unless the plan is to make an extraordinary suspect of every passenger who doesn't have a SecureFlight "approved"/"searchable" profile.

SecureFlight approved passenger profile = "registered" traveller. That's the backdoor way to getting this done.

Because you can book your ticket under a false name and avoid the no-fly list. Your ID is only checked against your boarding pass, not your ticket.

This adjustment is still a waste -- aside from ID still not being security, these stupid blacklists remain readily circumventable even with ID checks being run against electronically-displayed boarding pass info (even when it includes an encrypted authentication method).

Stupid waste of money.

I was going to suggest that asymmetric key encryption is likely going to be used here (thus obviating the issue of the TSA losing the airline keys), but I then realized that the size of the keys (at least 128 bytes) is not going to lend itself to a BP as you pointed out. So I agree. This is the clipper chip fiasco all over again.

Another problem is that the airline changes the key, the pax generates a BP from the new key, and the TSA in Dogpatch Municipal airport didn't get the update. Pax is hauled away as a terrorist. Or the pax generates the BP from the old key, key is updated, and Dogpatch gets the update but does not have the old key. Same result.

At best, when a key update fails, the airport becomes a nightmare as pax go back to the check in counter to get new BPs. The airlines have long since re-aligned their (i.e. reduced) their staffing based on the assumption that most pax get BPs from a kiosk or PC. So the TSA will likely give up on descrypting BPs on days when the key update fails. Obvious avenue for a mischief maker.
A competent terrorist won't be on the no-fly/selectee list because he will be using a false name, and either fake ID, or the Real ID of someone who resembles him (where that someone is in cooperation with the terrorist, or that someone is dead in the trunk of the car the terrorist parked at the airport).

Really disappointing quote:
I can only hope that Schneier's comment was taken out of context.

This is purely about preserving airline revenue models, nothing else.

We really should just keep a running tab at this point.

You gotta wonder. How many child vaccines could we pay for with this money? Or life-saving cancer treatment research? It really is sickening how we throw money down the drain. :(