Feeds

Of Infocard: Who keeps an eye on the guardians?

Why not PGP keysigning?

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Nick Kew has raised an interesting point re: Mary Branscombe’s InfoCard piece.

It touches on “quis custodiet ipsos custodies” - who will keep an eye on the guardians? Do you have to have an unblemished reputation in order to manage identity and security? Probably not, in theory – but I bet you won’t get much buy-in from the general public (or, I hope, the press) if your past behaviour is dodgy.

So, some of the companies involved in dealing out identity/security have featured in anti-monopoly cases, have allegedly tricked people into changing their domain registration supplier by giving the impression they’re something they’re not and have failed in “due diligence” on identity generally (in one case, by giving a chancer a Bill Gates ID.

Also, the commercial concept of charging different rates for different “qualities” of identity (the cheapest needing little more than headed notepaper as “proof” of ID) seems to me to be a real gift for fraudsters – and Microsoft’s “do you want to trust all content from this provider” in IE seems fundamentally silly too (the only sensible answer is “sometimes”; not an option).

Personally, I see a need for “trusted third parties” in this space – regulated professionals similar to solicitors and “commissioners for oaths”, who can guarantee that a public key means what you think it does. But I have to admit that Pretty Good Privacy (PGP) trust seems to work well enough, although I’m not sure it will ever suit the technophobe masses.

Anyway, here’s what Nick says, and I obviously have some sympathy with it (although, in the context of the piece commented on, it raises issues rather outside the scope of what Mary was asked for: a developer’s heads-up on InfoCard technology):

“We have an established web-of-trust through PGP keysigning, that is (for end users) altogether preferable to certificate authorities. Why do initiatives like InfoCard not use this, at least as an option?

“Verisign's monopoly position seems to me altogether more damaging than Microsoft's, and I find it deeply depressing that they've been allowed to eliminate so much of the competition (e.g. buying Thawte - the other big name in the identity business) without regulatory scrutiny. And of course they are successor to Network Solutions, the worst monopoly nightmare I've ever had the misfortune to deal with in any 'net business.

“I have a great deal more trust in my colleagues whose PGP keys I've signed than I do in an industry dominated by companies with a very nasty track record.”

Security for virtualized datacentres

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.