[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Faking one's own e-suicide vs. putting all eggs in the identity basket (SPKI)
- To: firstname.lastname@example.org
- Subject: Faking one's own e-suicide vs. putting all eggs in the identity basket (SPKI)
- From: "Frank O'Dwyer" <email@example.com>
- Date: Fri, 08 Mar 96 10:38:33 0000
- Sender: firstname.lastname@example.org
>Keys and signatures solve persistence of identity.
I believe that people are overlooking one aspect of
'persistence of identify' which I might call repudiation
of identity or faking one's own e-suicide. What if I run
up a bunch of liabilities on a certificate, and then drop
out of the picture only to reappear a week later with a
brand spanking new ISP, a new key/name, and a certificate
from a CA on the other side of the globe? (Distance is
dead, after all :-) It seems to me that neither ID-based
or Key-centric systems are good at dealing with this, but
that ID-based would handle it slightly better. (Only
because there are real-world proofs of identity, such
as passports, etc. Of course, DNA-based identity
would handle it better again, which I hope is enough to
set off alarm bells for anyone.) In any case, you should
be able to make an ID based system out of a key
However, ID-based certificates have their own problems.
For example, I haven't seen the following problem
discussed at all:
If I can trade my VeriSign certificate (my
identity) for various kinds of online permission, such as
a permission to spend $1,000 in an e-shop, or a permission
to make a commitment on behalf of my company, then
this seems to me to violate the principle of least privilege.
Because, having that identity (private key) is as good as
having all of those privileges at the same time--you can go
get any of them when ever you want. All of a sudden, identity
is the cornerstone of everything, and having a fake identity
becomes extremely attractive. So does getting me to run
a trojan horse. If all eggs are in the identity basket, then the
likes of VeriSign would need to be trusted to an outrageous
extent. (In fact, I don't believe you could construct such trust
without conning people.) In an identity-centred online world,
having the power to create an online identity is much more
power than it appears at first blush. It is e-omnipotence.
And, if identity systems are the norm, you have no choice!
Verifiers will believe the certs, even if you might wish
they wouldn't. At first sight, it looks like this is the verifier's
problem, but it isn't always. For example, an identity CA
(or the cleaning staff at the CA's building :-) can invent a
certificate for you whether you request it or not, and since
e-it is now e-you, it can proceed to strip you of your online
assets! "Hey, he said he was you". Aside from privacy
arguments, I believe there is a strong security case here
for having an online transaction trust system that
_need_not_ be based, directly or indirectly, on identity
proofs done by clients.
Now, you could limit the power of an identity certificate by
mixing in attributes that says just what the certificate is limited
to doing, but at that point, the cert. does not certify _identity_
any more. There is a subtle difference. The cert doesn't say
"this is Frank O'Dwyer" any more it says "this is one of Frank
O'Dwyer's keys, the one authorized for transactions up to
$2000". And what's the useful difference between that and
"this is a key authorized for transactions up to $2000"?
Just a few thoughts.