Re: global names are a security flaw

Ed Gerck wrote:
> (snip)
> My example of biometrics was just to show that global names not only exist
> but are also definitely not a security or a privacy flaw. Rather, they
> were used in my posting with a Gedankenexperiment to show that global
> names can indeed enhance security while keeping privacy.

The problem with the global name is not the name itself, but the
difficulty of correctly associating it with the proper actor. Given that
you can do this, then agreed, there is no security flaw. But making the
association is the crux of the problem.

> (snip)
> -> [snip, discussion of biometric credentials]
> -> Equipping them with those credentials, even supposing it's
> -> ethically and politically feasible, runs into precisely the kind of
> -> problem Carl described.
> No, these are three entirely different problems:
> 1. Global names are not a security flaw. Period.
> 2. Biometrics have limited application. Agreed, but beside the point.
> 3. "the kind of problem Carl described" could just as well be exemplified
>    with local names. It is due to a poor protocol, not to a poor naming
>    scheme. It has nothing to do with a "flaw" of global names.

It has everything to do with the flaw of global names. And what you
dismiss as a "poor protocol" is one of the results. History shows us
that it is extremely difficult to design secure authentication
protocols, even when the protocol is being managed by computers. When
the task is to design protocols for human agents, then the resulting
protocol is always going to be vulnerable. If I can't attack the
protocol directly, I can bribe or coerce one or more of the human agents
performing the protocol (many of whom are not in high-paying jobs, and
may be quite peripheral to the PKI itself (e.g. mail carriers)). 

The point is that the global name is not very helpful to the human agent
who's trying to perform a protocol that associates that global name with
a live person. The local name *does* help, because it's qualified by a
series of traceable and verifiable references. The protocol that
associates the local name with a live person therefore places little or
no reliance on disinterested agents who may be bribed or coerced. It's
therefore less vulnerable than the protocol needed for association of a
global name, which is inherently more complex, leading to inherent
vulnerability, and which necessarily places substantial reliance on
disinterested third parties.


Bill Buffam
Unisys, Malvern PA