Re: SOI: identity protection and DOS
Henry Spencer writes:
> On Tue, 20 Nov 2001, Michael Thomas wrote:
> > ...In the particular example given, if my
> > national identity smart card gave away all sorts
> > of private information to any merchant who asked,
> > why should I have any belief that that information
> > will remain private?
>
> Do you expect that your credit-card numbers will remain private, even
> though you give them to any merchant you deal with? Sure you do! You
> may not bet your life on it, but you do bet your credit rating on it.
Actually, I don't. Credit cards are completely insecure and
the only reason that I use them is that the credit card
company is willing to take the hit for fraud, not me.
> Remember, also, that a particular certificate isn't necessarily used to
> authenticate you to *anyone who asks*. It may be used only for quite
> restricted purposes, e.g. to get you through a corporate firewall. The
> expectation of privacy is quite legitimately rather higher in that case.
In the particular example given, this
distinction didn't amount to much. Other
situations might differ, obviously, but
considering that you can't tell a priori
who's demanding your credentials (cf Radia's
post), it seems pretty risky to give out
private data to an unauthenticated party.
Mike