
Re: SOI: identity protection and DOS



Henry Spencer writes:
 > On Tue, 20 Nov 2001, Michael Thomas wrote:
 > > ...In the particular example given, if my
 > > national identity smart card gave away all sorts
 > > of private information to any merchant who asked,
 > > why should I have any belief that that information
 > > will remain private?
 > 
 > Do you expect that your credit-card numbers will remain private, even
 > though you give them to any merchant you deal with?  Sure you do!  You
 > may not bet your life on it, but you do bet your credit rating on it.

   Actually, I don't. Credit cards are completely insecure and
   the only reason that I use them is that the credit card 
   company is willing to take the hit for fraud, not me.
  
 > Remember, also, that a particular certificate isn't necessarily used to
 > authenticate you to *anyone who asks*.  It may be used only for quite
 > restricted purposes, e.g. to get you through a corporate firewall.  The
 > expectation of privacy is quite legitimately rather higher in that case. 

   In the particular example given, this
   distinction didn't amount to much. Other
   situations might differ, obviously, but
   considering that you can't tell a priori
   who's demanding your credentials (cf Radia's
   post), it seems pretty risky to give out
   private data to an unauthenticated party.

		Mike

