
Re: SOI: identity protection and DOS




How do I know whether I trust the other party
before I divulge my identity? Somebody has to go
first. And the world isn't just clients and
servers. In the particular example given, if my
national identity smart card gave away all sorts
of private information to any merchant who asked,
why should I have any belief that that information
will remain private? Private information should be
kept private. Expecting that authenticatable but
untrustworthy opponents will keep your private
information private is silly.

	    Mike

Henry Spencer writes:
 > On Tue, 20 Nov 2001, Michael Thomas wrote:
 > > ...Anybody who puts private
 > > information into a public document such as an X.509
 > > cert is foolish and doesn't deserve consideration
 > > because it starts from a false premise...
 > 
 > Speaking of false premises:  X.509 certs are not necessarily public
 > documents.  They have to be revealed to *some* other parties, e.g. the
 > servers you want to connect to, but that doesn't necessarily mean you are
 > (or should be) willing to reveal them to everyone. 
 > 
 > Analogy:  it is necessary to reveal your credit-card number to merchants
 > you wish to buy from, but you still want it protected against snoopers.
 > 
 >                                                           Henry Spencer
 >                                                        henry@spsystems.net
 > 

