May 21, 2005
To live in interesting times - open Identity systems
As the technical community is starting to realise the dangers of the political move to strong but unprotected ID schemes, there is renewed interest in open Internet-friendly designs to fill the real needs that people have. I've written elsewhere about CACert's evolving identity network, and here's another that just popped up: OpenId. Eagle eyed FCers will have noticed that Dani Nagy's paper in FC++ on generating RSA keys from passphrases speaks directly to this issue of identity (and I'm holding back from nagging him about the demo .... almost...). Further, and linked more closely again, there is renewed interest in things like the difficult problem of privacy blogging. Oh, and Stefan says it's not as easy as just using keys.
In a sense this is feeling a little like the 90s. Then, the enemy was the US government as it tried to close down the Pandora's box of crypto, and the net with it. This war sparked bursts of innovation epitomized by the hard lonely fight of PGP and the coattails corporate rise of SSL's bid for PKI dominance.
President Clinton signed that war to the history books in January 2000 when he gave permission for Americans to export free and open source crypto software **. Now the battle lines are being sketched up again with the signing into act last month of the REAL ID national identity card in the United States. Other anglo holdouts (UK, Canada, Australia, NZ, ...) will follow in time, and that would put most of the OECD under one form of hard identity token or another.
The net effect for the net is likely bad. The tokens being suggested in the US will not be protected, as the Europeans know how to do; one only needs to look at phishing and the confusion called the social security number to see that. Which predicts that the ID schemes will actually be only mildly useful to Internet ventures, and probably dangerous given the distance and the propensity of Identity thieves (a.k.a. fraudulent impersonators).
Yet something will be needed to stand in the place of the identity cards. It isn't good enough to point out the flaws in a system, one must have something one can claim - hopefully honestly - is better. So I feel the scene is set for a lot of experimentation in the field of strong authentication and identity systems. Hopefully, more along the lines of Stefan's privacy preserving notions and Dave Birch's frequent writings, and less along the lines of Corporate juggernaughts like Passport and LIberty Alliance. Those schemes look more like camoflauged hoovers for data mining than servants of you the user.
We may yet get to live again in interesting times, to use the Chinese parable.
Postscript **: But not closed source, not paid for, not hardware and not collaboration or teaching! Gilmore and others report signs that the United States Government is perhaps again renewing its War on Mathematics by clamping down on foreign students in Universities.
Posted by iang at May 21, 2005 09:07 AM
The first part of the post is most probably known to readers of this blog: the second part is a question.
Imagine that a law is passed that makes it compulsory for the key to your house to be the same as the key to your car; thus, at a stroke, the key has become more valuable, since it enables access to more property. The law makers continue by making it compulsory for the key that gives you access to your house and car, now has to be the same key that allows access to your bank account. The value of the key massively increases; since, if it is stolen, the thief has access to your house, car, and bank account. Readers of this blog will realise that the key in the preceding description is an analogy of identity and that the scenario depicts the first of the two ss's (Stupidity and Sovereignty) of identity politics. The other S, sovereignty, being that the state demands the right to issue all keys. (We can wax on about pass laws, an arbitrary means of discrimination and the incredible evil that lurks therein but lets not ...).
Instead, I want to ask a question pertaining to the first, S, viz stupidity. If the threatened legislation comes to pass, will the legislative body accept all liabilities of loss from identity theft? Obviously, not ... but, are they painting themselves into a corner where they may end up being forced to accept the consequences of jeopardising the property of those that are on the receiving end of these laws? (I'm thinking along the lines of tort laws etc ... Or is this just wishful thinking nonsense?).
there is a somewhat related issue that could be raised regarding person-centric tokens vis-a-vis institutional-centric issued tokens. the current infrastructure tends to be institutional-centric and there is a different, unique token (actually potentially several) per institution. periodically these are referred to as identity tokens ... but being institutionally-centric they more often actually are autentication tokens (a one-to-one mapping for a specific domain).
the opposite extreme is if institutional-centric tokens take off and you are issued one or more in lieu of every pin/password, every physical key, and every magstripe card ... that you currently possesss or utilize. this potentially results in at least scores of tokens per individual (if not hundreds).
sort of the opposite would be person-centric token paradogm. a person would have one or more tokens that they own ... and they would have the discression to register the token of their choice with institutions as the authentication token for interactions with that institution (transactions, access, open the door, etc).
most institutional interactions are looking for a one-to-one mapping for authentication purposes (are you the authorized individual for performing transactions on a specific account ... or are you an authorized person allowed to open a specific door).
a lot of confusion occurs when identification is mistaken for authentication. authentication wants to know if you are authorized to do something .... w/o needing to actually pick out what person from possibly millions you might actually happen to be (identification). i can assert that i authorized to use a certain account or open a certain door and provide authentication information to back up that assertion. that doesn't require me to identity myself ... just to authenticate myself.
this was one of the mistakes of the x.509 identity certificates from the early 90s. part of the issue was that certification authorities weren't confident that they could predict what information about you that might be required by some unknown, random relying-party at some point in the future. so there was a tendency to believe that x.509 identity certificates should be grossly overloaded with excessive amounts of personal information.
some number of institutions in the mid-90s came to the realization that x.509 identity certificiates, grossly overloaded with excessive amounts of personal information represented significant liability and privacy issues. at that point you saw some retrenchment into relying-party-only certificates ... basically containing some sort of index or key that could be used to lookup a specific record in a database (aka an account number or a userid) ... which was, in turn bound to a public key. however, a typical relying-party interaction involved some sort of digitally signed message that also contained the record index. It was at this point that you could demonstrate that relying-party-only certificates were redundant and superfluous since the relying-party could retrieve the indicated record and utilize the onfile public key for verifying the digital signature w/o ever having to resort to use of the digital certificate.
numerous past postings on relying-party-only certificates
a couple past postings on person/institutional centric issues:
http://www.garlic.com/~lynn/aadsm12.htm#0 maximize best case, worst case, or average case? (TCPA)
http://www.garlic.com/~lynn/2005g.html#47 Maximum RAM and ROM for smartcards
http://www.garlic.com/~lynn/2005g.html#57 Security via hardware?
did you see all the recent press on microsofts move into the identity market?
its very bizarre, and read like it was some sort of philosophical bantering, but seemed to have no substance whatsoever. In other words, after reading through all their PR I came away with no information and no real clear idea about how they are going to implement whatever it is they are promoting.
A friend tells me this is the first move to combine .passprt with the credit card and a big rollout of subscription based software which I guess is something like inet2's hub structure. So in the future one could subscribe to word and use it online for a monthly fee and the id system would be all intermingled with the operating system.
i can't believe i am writing these words. That scares the crap out of me.
This is all one needs to know:
I don't know, but I get this strange feeling this departure will somehow cripple microsoft.