Of Infocard: Who keeps an eye on the guardians?
Why not PGP keysigning?
Nick Kew has raised an interesting point re: Mary Branscombe’s InfoCard piece.
It touches on “quis custodiet ipsos custodes” - who will keep an eye on the guardians? Do you have to have an unblemished reputation in order to manage identity and security? Probably not, in theory – but I bet you won’t get much buy-in from the general public (or, I hope, the press) if your past behaviour is dodgy.
So, some of the companies involved in dealing out identity/security have featured in anti-monopoly cases, have allegedly tricked people into changing their domain registration supplier by giving the impression they’re something they’re not, and have failed in “due diligence” on identity generally (in one case, by giving a chancer a Bill Gates ID).
Also, the commercial concept of charging different rates for different “qualities” of identity (the cheapest needing little more than headed notepaper as “proof” of ID) seems to me to be a real gift for fraudsters – and Microsoft’s “do you want to trust all content from this provider” in IE seems fundamentally silly too (the only sensible answer is “sometimes”; not an option).
Personally, I see a need for “trusted third parties” in this space – regulated professionals similar to solicitors and “commissioners for oaths”, who can guarantee that a public key means what you think it does. But I have to admit that Pretty Good Privacy (PGP) trust seems to work well enough, although I’m not sure it will ever suit the technophobe masses.
Anyway, here’s what Nick says, and I obviously have some sympathy with it (although, in the context of the piece commented on, it raises issues rather outside the scope of what Mary was asked for: a developer’s heads-up on InfoCard technology):
“We have an established web-of-trust through PGP keysigning, that is (for end users) altogether preferable to certificate authorities. Why do initiatives like InfoCard not use this, at least as an option?
“Verisign's monopoly position seems to me altogether more damaging than Microsoft's, and I find it deeply depressing that they've been allowed to eliminate so much of the competition (e.g. buying Thawte - the other big name in the identity business) without regulatory scrutiny. And of course they are successor to Network Solutions, the worst monopoly nightmare I've ever had the misfortune to deal with in any 'net business.
“I have a great deal more trust in my colleagues whose PGP keys I've signed than I do in an industry dominated by companies with a very nasty track record.”
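As an added illustration (not code from the original post, nor from Nick), this is the rule a PGP web of trust applies when deciding whether a key is valid, using GnuPG's default thresholds: a key is valid if it carries a signature from one fully trusted introducer or from three marginally trusted ones, each of whom must hold a valid key within five certification hops. All keys, signatures and trust settings below are constructed for the example.

```python
# Added example: GnuPG-style web-of-trust key validity (constructed data).
# A key becomes valid when signed by enough *valid* keys whose owners the
# verifier trusts as introducers: one "full" signer or three "marginal" ones
# (GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5).
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5

# Constructed sample: who signed whom ({signed key: set of signer keys}).
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                  # one fully trusted introducer
    "grace": {"bob", "carol", "dave"},  # three marginal introducers
    "frank": {"bob", "carol"},          # only two marginals: not enough
    "mallory": {"bob", "stranger"},     # one marginal plus an unknown key
}
# Owner trust the verifier has assigned (its own key counts as full).
OWNER_TRUST = {"me": FULL, "alice": FULL, "bob": MARGINAL,
               "carol": MARGINAL, "dave": MARGINAL}

def valid_keys(my_key, owner_trust, signatures):
    """Return {key: certification depth} for every key the verifier should accept."""
    valid = {my_key: 0}
    changed = True
    while changed:  # iterate to a fixed point; discovery order does not matter
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves valid, trusted as
            # introducers, and not too deep in the chain count towards validity.
            usable = [s for s in signers
                      if s in valid and s in owner_trust and valid[s] < MAX_CERT_DEPTH]
            full = sum(owner_trust[s] == FULL for s in usable)
            marginal = sum(owner_trust[s] == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key] = 1 + min(valid[s] for s in usable)
                changed = True
    return valid

def check_web_of_trust():
    """Which constructed keys does 'me' end up accepting as valid?"""
    return valid_keys("me", OWNER_TRUST, SIGNATURES)

if __name__ == "__main__":
    accepted = check_web_of_trust()
    for key, depth in sorted(accepted.items()):
        print(f"{key:8s} valid (depth {depth})")
    for key in SIGNATURES:
        if key not in accepted:
            print(f"{key:8s} NOT valid: too few trusted introducers")
```

Note that a key which has collected only one marginal signature (mallory) never becomes valid, so there is no single signer whose compromise validates everything, unlike a single certificate authority.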
PS (federated identity)...
It strikes me that what I've just posted might look inconsistent with my previous comment. Perhaps I didn't express it well in my earlier post - one of the problems with blogging as opposed to face-to-face discussion or formal article-writing!
I don't like institutionalised "weak identities" such as mickey-mouse passwords with zero due-diligence - but providing a less-assured ID as part of an ID system which lets you add assurance reliably, as and when it becomes sensible to do so, isn't "weak identity" in my book.
Kim - "I do not think there is a lot of disagreement between what we are each attempting to achieve" - no indeed - and you're actually helping to build it, I'm just commenting.
I dislike passwords too - but they're not much different to a signature, as long as we stop believing that a "strong password" actually means "strong identity" in practice - any more than we believed that anyone actually checked our credit card signature very carefully.
And no, I really don't want El Reg to ask for retinal scans before people can post here (as an aside, I believe that affordable commodity biometrics aren't usually foolproof anyway - I think a jelly finger can fool PC fingerprint readers, e.g.).
What I want is something more like real-world identity. I meet you, I assume that you are who you say you are, with an informal check via context (if I meet you at a Microsoft Press Conference I'll be more confident than if I meet you at a Wiltshire pub); if I need to send you money, then I'll dig further.
So, for this blog exchange, weak identity is good enough. If we now enter a business relationship (journalist - Microsoft employee, well dodgy <g>) I don't want to switch to a different high-assurance identity system and possibly advertise that I'm doing business with Microsoft <g>; I want to dig deeper into a net of IDs - are you the Kim at the conference Mary was at, do you actually work for Microsoft on the payroll or are you simply consulting, have you written the books and articles authored by "Kim Cameron", are you on the electoral roll for your town - and eventually, if it's serious enough, will your bank or government vouch for your identity and guarantee the transaction? The point is that it is mostly public-domain stuff and I stop as soon as I'm satisfied, for my purposes.
If I have automated assistance, a machine might notice patterns associated with building a fake identity and suggest further unusual correlations to check - adaptive ID checking. Mostly, ID checking would stop quickly, when it reached something I trusted, in the context of what I was trying to do.
Any one of these bits of ID you can fake, but faking the whole web would be difficult, as you don't know what checks I'd make - and there isn't one point of ID for a fraudster to attack. Of course, you really do need process and technology to facilitate this - and a good underlying model.
Does this make any sort of sense? It seems to fit with what you say: "there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association".
"I hope we can work on this together going forward" - I'm sure we can, but UK journalists are supposed to question (i.e. "test") everything, even when we are in basic agreement with it...
Given the mastery of Cod Latin demonstrated on these pages, many must have studied the other philosophic and scientific arts as well, so I am loath to intervene except en passant. Unfortunately, however, this won't stop me.
I don't think it is reasonable to expect a person to present an identity which reveals a lot about themselves in order to be able to read, for example, the Register. And in fact, to your credit, you don't. Similarly, in order to post a comment to the Register, readers simply have to demonstrate they own the email address they say they own. Due diligence of some sort is done - but not at a very deep level. I doubt you would ask us for our social insurance numbers or passport numbers before you let us post - and if you did, I doubt we would turn them over.
All this just to say that the kind of "due diligence" and even linkage to a real world identity that is appropriate in any given context is very much a product of the requirements of the moment and the relationships in play.
Certainly, there are contexts in which we, as individuals, require the very strongest forms of identity. This implies strong proofing and strong cryptography.
However, I don't accept the implication that every internet site should then adopt the security procedures and processes essential to top assurance sites such as the large banks you are talking about. It's the don't-cry-wolf problem. For one thing, people just won't do it. They won't understand how the processes serve their self-interest, and will not play. I've never seen this approach to security issues succeed.
So, we need to support identities and mechanisms appropriate to a number of different contexts.
This being said, more than anyone else on the planet, I despise passwords, and agree with you we should work for their abolition. That's what my InfoCard work is all about.
David, as an influential person well versed in security who can really help alter the equations around identity, I hope you will support those of us who are trying to innovate in a number of ways, but don't think the right thing to do is tell the world to throw out the whole conventional https infrastructure. We need a bunch of mechanisms, and to let the more effective ones win out over time.
High assurance certs, as imperfect as they might be, are one new mechanism; but above all, there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association.
I do not think there is a lot of disagreement between what we are each attempting to achieve. I hope we can work on this together going forward.