Tuesday, December 07, 2004

Beyond Identity

This is a very big topic on which I've written a lot, but I felt the need to follow up the previous post with a positive message.

1. We should set "identity" aside as a non-issue.

2. The real issue is that we need to do one of two things:
a) make a security decision
b) track someone down to punish, after the fact

Most "identity" establishment is in support of 2)b) - and is of little interest to me. Making sure that people online are identified is an attempt to get good behavior by threatening to do 2)b).

I'm interested in 2)a) - making security decisions - like whether or not to offer personal information to a web site, whether to reply to some e-mail that could be real or could be phishing, whether to open some e-mail attachment, whether to install some code on my computer, whether to share intimate secrets with some e-mail correspondent. These are all security decisions. The ability to punish someone after the fact, if that person misrepresented him-/her-self so that I made a bad security decision is nonsense. Will I be able to find that person? Will I be able to extradite that person from the former Soviet Union (or wherever they're hiding)? Will I have the money to punish the person? Will any monetary damage award compensate me for loss of some secret?

When I make a security decision, I do two things:
i) authenticate the other party
ii) make an authorization decision based on that authenticated ID

An ID mechanism that doesn't include an authenticator that I can verify or one that can be spoofed is very lame.

As I alluded to in that previous post, an ID mechanism that doesn't give me information that I need to make my security decision is completely pointless. This is where X.509 falls apart.

To use X.509 terminology, there are three parties:

CA: the certificate authority - who does the name creation and presumably identification and authentication process prior to certification

EE: the end entity - the person being named and certified

RP: the relying party - me - the person who has to make a security decision

If there's an ID mechanism that binds a person to an ID only the CA considers really meaningful, that might be used for 2)b) but it's useless for 2)a) - and therefore useless to me. As I said above, 2)b) is nonsense in today's world - especially given the Internet.

We have many mechanisms that allow us to authenticate (step (i) above), such as public key authentication. That's good. What we completely fail at is establishing identity in a way that makes sense to the RP (supporting step (ii) above).

My belief is that if we stick to the two steps of a security decision and determine how securely (accurately) we can do each of the two steps - assuming we are surrounded by active attackers looking for any way to defeat our system - then maybe we have a chance.

2 Comments:

Blogger Jon Lasser said...

2. The real issue is that we need to do one of two things:
a) make a security decision
b) track someone down to punish, after the fact

Most "identity" establishment is in support of 2)b) - and is of little interest to me. Making sure that people online are identified is an attempt to get good behavior by threatening to do 2)b).
This has been bothering me for a while (since I read the initial post) and I've finally figured out why:

Those are the functions of identity establishment that you feel are legitimate, the ones you're comfortable with. (The ones that are cypherpunk-accepted as necessary, perhaps?) But they're not the primary use of identity-establishment.

The primary use of identity establishment is surveilance, whether as part of a criminal probe, a marketing profile, or 'casing' by criminals. Government and business have shared interests in identity establishment. Not just parallel interests -- the sharing of data between these two indicate that the particulars are shared.

Identity is a tag for them to hang behaviors ("He's buying grow-lights at a store that supplies many marijuana growers.") and attributes ("He lives as 123 Main Street."). Identity is, essentially, a database primary key ("We should bust the probable marijuana farmer at 123 Main Street.") --- and, not coincidentally, somebody to arrest. ("The body of the person.")

Marketroids' interests are sometimes more subtle, but broadly compatible. ("Let's sell the guy buying grow lights a piss test cheat kit, or a bong, or something.") Identity lets them target messages more effectively ("It's no use trying to sell his wife cheetos, she's not a drug user.").

All of which, I guess, isn't really news to you. Nor is the notion that those are the people with vested interests in identity-as-intersection (or even identity-as-probablistic-intersection, as in your more recent posts).

Ultimately, I believe that the people with interest, time, and money to build identity systems aren't interested in 2a), but primarily in the unstated 2c) - to track someone down to punish (or purchase) BEFORE the fact, which I see as a privacy violation. They'll never fund something that allows only 2a) to occur, if it doesn't allow 2c) to occur as well.

I'll also note that the belief in the identity of someone we've never met in the flesh is a cumulative process of sorts... but I'm not entirely sure that either of these points is directly relevant to your question.

I also think that your notions of identity, which are rather defensible from a philosophical and mathematical standpoint, are so counterintuitive to the average end-user that they can't be made to work. (This is the same reason that public-key crypto hasn't taken off in any meaningful way, and still relies on CA hierarchies: because the other approach is too counterintuitive to people with no background other than common sense...)

In short, I wonder: Is this a losing battle? Can we really gain ground (or even lose ground less quickly) by fighting it? What are the possible end-states? Are any desirable?

3:44 PM  
Blogger cme said...

Good point, Jon.

I wasn't thinking of traffic analysis (data mining; data aggregation; surveillance; ...) as part of the identity problem. Of course, it is. I was looking only at the white hat side of use of identity.

Have you read the NRC report? (linked to by Bob Blakley in his comment on my Axioms of Identity post) They intentionally covered both sides of the issue.

2:29 PM  

Post a Comment

<< Home