Kuro5hin.org: technology and culture, from the trenches

What is Digital Identity?

By philb in Technology
Thu Apr 11, 2002 at 05:45:33 AM EST
Tags: Focus On... (all tags)

A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people. The purpose of the Digital Identity is to restore the ease and security human transactions once had, when we all knew each other and did business face-to-face, to a machine environment where we are often meeting each other for the first time as we enter into transactions over vast distances.


The Digital Identity representation only needs to be as complete as the particular transaction involved requires. That is to say, some transactions require a far more robust Digital Identity than others, since the degree of trust and information required can vary significantly based on the type of transaction. A Digital Identity consists of two parts:

  1. Who one is (identity)
  2. The credentials that one holds (attributes of that identity)

These credentials define a Digital Identity, and they can be quite varied, of widely differing value, and have many different uses. The full Digital Identity is quite intricate and has legal as well as technical implications (an MIT white paper on the subject will give you the idea). However, the simplest possible Digital Identity consists of an ID (such as a user name) and an authentication secret (such as a password).

In this simplest Digital Identity the user name is the identity while the password is said to be the authentication credential. This simple Digital Identity is encountered in a logon sequence, and calling it a Digital Identity may seem a bit much until you realize its purpose is to identify you to the system you are logging into. As computerized systems become more networked and distributed, the Digital Identity must become more robust to make complex distributed user interactions easy while achieving the required control and security for the Digital Identity's information. Ultimately Digital Identity will become as complex and flexible in use as a real-world human identity.

Authentication

From a security standpoint a Digital Identity must "prove" it is what it is representing itself to be in an electronic transaction. The transaction or transactions which "prove" that the Digital Identity presented really represents who or what it says it does is the process of authentication. Without authentication, no other Digital Identity attribute can be meaningful. As the word implies, the purpose of authentication is to prove that a Digital Identity is authentic and may be trusted for a given use. All discussions of the ability to forge or spoof a Digital Identity are really discussions of the authentication "strength" of a particular Digital Identity scheme.

In the simplest Digital Identity example above (ID and password), the Identity would "prove" that it was really the specified ID by presenting the password. This simplest of all Digital Identities is said to employ "single factor" authentication. Single factor authentication requires a Digital Identity to present a single "shared secret" such as a password as proof of its validity.

Single factor authentication is not very secure, because you really can't be certain that a remote authentication by a single factor is the identity you think it is. Why? Because it is easy to steal or guess a password, and you have no other way to prove the identity is who or what you think it is. Multi-factor authentication increases the number of authentication credentials an Identity has to present to prove itself, and can even have the Identity present things it doesn't necessarily know but has been given in some encrypted form by a third party. An example would be a logon system that requires you to have a hardware plug-in device along with a password (a two factor authentication scheme). This is often referred to as "something you have" (the hardware key) and "something you know" (the password). This is much more secure than just the password, since if someone steals the hardware key, they won't likely have the password too, and without the key the password they might steal will do them no good. If you add Biometrics (such as fingerprints, retina scans, etc.) then one or more of the authentication factors can even become "something you are."

Authentication schemes will be getting a lot of discussion in the near term until standards for various proven and accepted methods are universally adopted. Technologies such as Public Key Infrastructure (PKI) and other methods (which make sure that neither end knows everything the other end of the transaction knows, but can still find a way to "prove" identities through such trusted third party transactions as Digital Certificates) are part of the authentication portion of a Digital Identity. As complex as these discussions get, however, remember that the authentication portion of a Digital ID exists solely to allow a Digital ID to prove who it is to the level of trust required by the transaction involved, with an acceptably low risk of forgery.

In the real world we have many methods of identity authentication that we have become fully comfortable with. We use letters of introduction to vouch for our credentials and capability, we use a Notary Public to vouch that it was really us who signed a document, we present credentials such as a Driver's License, Passport, or Credit Card to prove we are who we say we are, etc. As the Digital Identity evolves, there will be analogs for each of these types of identity authentication and credential authentication transactions.

Since Digital Identities will engage in distributed networked transactions, it is likely that all of the attributes of a given Digital Identity will not reside in the same location, but rather will be distributed in many places. The authentication process must thus evolve to allow a distributed Digital Identity to be securely gathered in real time and present the components necessary for a given transaction, while protecting those components not required in the transaction from being revealed inadvertently. While these methods may become complex, they always have the same single purpose - authentication.

Authorization/Access Control

Once the communicating Digital Identities have been authenticated, the next operational level is Authorization or Access Control. Here authorization (granting permission for each Identity to access certain items or systems) occurs. The technology of how authorization and access control is done varies, from passing credentials that a Digital Identity can then "carry" to various systems and present, to directly opening circuits to allow the identity selective access. Often the gaining or allowing of access is the entire use of a Digital Identity in a transaction, such as a user logon to a web site. In other cases access control may enable or restrict access to confidential information or allow access to a fee-based product or service. Access control can be technologically complex, but it is usually very easy to understand conceptually.

Confidentiality

Confidentiality is the ability to know that an unauthorized party cannot usefully intercept data you are transmitting or receiving. This level of security is enabled through encryption, but it is the Digital Identities that will carry the necessary credentials to enable confidentiality through encryption.

Data Integrity

Along with being sure that no one eavesdrops on the data being exchanged, it may be important to know that no one has tampered with the data during transmission. That is, you want to be sure the document you receive is the same as the document sent by the other Digital Identity and hasn't been altered or tampered with. This is accomplished with Digital Signatures and a special kind of encryption known as public/private key encryption. The technology that allows this uses Digital Certificates issued by a third party which both of the Digital Identities have agreed to trust. This technology is known as Public Key Infrastructure, or PKI. Again, the Digital Identities must engage in transactions with credentials they carry to allow this type of proof of data integrity to occur.

Proof of Source

If Digital Identities carry Digital Signature credentials with them they can engage in specific encryption transactions that allow them to encode data they send with their signature in a way that proves they sent the data. This is a highly related capability to Data Integrity above and also uses PKI encryption techniques, but for a different purpose. It proves that a specific Digital Identity signed and sent the specific data.

Non-Repudiation

Another capability PKI brings to transactions between Digital Identities is the ability to use the PKI public and private keys of both Digital Identities in a special way that proves a given Digital Identity sent the data only to another specific Digital Identity. This information provides proof that a specific transaction was entered into between two specific parties, and those parties cannot later deny that the transaction occurred between them. This is only one portion of a legal liability proof, but it is an important one, much like having a witness to a transaction where the parties are both present.

Reputation

Because Digital Signature techniques allow Digital Identities to engage in transactions where both identities are reliably known and can transport data that cannot be tampered with without having it show, it becomes possible for a Digital Identity to build a reputation from its interactions with other Digital Identities. This allows very complex interactions between Digital Identities that can grow to mimic every transaction we have as humans between each other individually or in groups.

Control

This is one of the most sensitive aspects of the Digital Identity, namely who gets to control the information a Digital Identity builds up and leaves behind with other Digital Identities? The answer to this is NOT going to be technological as technology could implement any control structure that a population insisted upon. Rather this will in the end be a political decision, and it is part of the ongoing saga of the development of the Digital ID. It is, however, an aspect of any particular Digital Identity technology that you should examine to see what effects the adoption of that system might have on a population over time. With each Digital Identity technology, control will end up somewhere, even if by default.

Summary

A Digital Identity allows transactions in which the parties are separated in time and space while retaining the ability of these transactions to contain all of the human identity based attributes that transactions between people have always had. This will require the Digital Identity to grow very robust as it gains all of the conditional presentation and control that human identity interactions have. The ability to have third party transactions such as power of attorney, agency, and others handled through Digital Identity are just some of the types of attributes that the Digital Identity will grow to have.

Purpose

A technical discussion of the details of how a Digital Identity operates is not complete without setting the context of why a Digital Identity is needed. In other words, what is the general problem that shows up repeatedly in distributed multi-party electronic transactions that the Digital Identity is meant to solve? Answering this question requires a bit of background.

Many years ago human beings lived in small communities where everyone knew everyone else. In such a setting, when two people met to do a business or social transaction a lot of context was immediately present. You each knew in general with whom you were dealing before the transaction began. Questions such as "can I trust this person for this transaction?" could be quickly and easily handled because of this extensive contextual background. Because transactions were mostly done face-to-face, the context was always readily at hand. In the rare case when a person moved from one city to another, they would carry a letter of introduction (from a person in city A who knew a person in city B) that leveraged the third party relationship to establish the relocated person's reputational context in the new city. In that setting most types of business and social transactions were easy for people to enter into, and business people could easily judge risk and other factors within them. In today's networked and distributed world, however, this context is rarely available.

This human context must be restored to the impersonal, distributed, networked communications world where transactions arise ad hoc. Often one or more of the parties to such transactions is an automated computerized system that has to operate on a set of rules that require certain identity information, the release of which must be negotiated with its owner. Accomplishing this very personal task in an inherently impersonal setting is the purpose of the Digital Identity.

A Digital Identity that is quite simple can still have great value in many types of transactions. But to fully release the usability and power of the networked advantages inherent in today's communications technology, the Digital Identity will be called on to become an ever more fully integrated, robust and accurate reflection of human identities. It will have to become capable of handling certain types of inherently fuzzy concepts like "how much can I trust this identity?" which in turn will bear on reputation and credentials, etc. A Digital Identity will grow to consist of many parts, authenticated to varying degrees of certainty through a variety of methods. It must become able to present a portion of itself while securely concealing other portions of itself that are not pertinent to the transaction at hand. It will change over time based on behavior and experience just as human beings do. The concept of Digital Identity will evolve to include the capability to express all of the various human identity interactions, driven by economic, political and social factors along the way.

Digital Identity will provide new tools, but it will not change the fundamental aspects of what identity is. Rather Digital Identity will return the ease of use and trustworthiness of identity-based transactions that existed when interactions were done face-to-face with parties that already knew each other (or both knew a third party) while maintaining the security and accountability for the transaction. In short, the Digital Identity will reflect the human identity and allow its interactions to be fully integrated into a networked distributed communications system where people never meet face-to-face.

Only with a robust Digital Identity can the true power of distributed, peer-to-peer networking technology and applications be released.


About the author: Phil Becker founded eSoft, which created TBBS/TDBS, and co-created BBSCON (now ISPCON). He is currently the editor of DigitalIDWorld.com, where this article originally appeared.

What is Digital Identity? | 78 comments (72 topical, 6 editorial, 0 hidden)
Will it really? (3.71 / 7) (#2)
by seebs on Thu Apr 11, 2002 at 02:53:40 AM EST

You say digital identity will restore trust. Will it really?

Staring at the fifth or sixth company with a TRUSTe logo that's spammed me or changed my preferences without permission, I'm thinking this is gonna be a long, uphill climb if it happens at all.


Damn TRUSTe (4.75 / 4) (#6)
by rusty on Thu Apr 11, 2002 at 03:13:01 AM EST

I have made my feelings about TRUSTe clear in the past, but this is pretty relevant. One of the things I will require in any kind of scheme for digital id that someone wants me to buy into is absolute control of my personal information. That is, enough with bullshit "privacy policies," I want teeth. I want to be able to say exactly who gets exactly what information about me, and exactly what they're allowed to do with it, in a binding way.

You can bet that if the industry alone is allowed to decide what the digital id future looks like, we'll end up with lots of TRUSTe's. Pretty logos with no meaning.

____
Not the real rusty
[ Parent ]

Capability, not identity (4.50 / 2) (#25)
by dennis on Thu Apr 11, 2002 at 10:06:39 AM EST

Which is why I think we shouldn't rely on a single universal ID. Instead we should be able to give vendors certificates for particular capabilities. Eg., instead of a driver's license with your identity, you have a certificate that says "the holder of this cert is allowed to drive."

As long as you're giving the same universal ID to everyone, the temptation to use that ID as the primary key in a giant consolidated database will be irresistible. If you use that ID only to get anonymous certificates with limited information, you have some hope of maintaining reasonable privacy.

[ Parent ]

Transitive capability (none / 0) (#32)
by JoshKnorr on Thu Apr 11, 2002 at 10:50:26 AM EST

Eg., instead of a driver's license with your identity, you have a certificate that says "the holder of this cert is allowed to drive."

How, then, does a person verify that you are the person this certificate was issued for? If you're carrying the Universal ID that was used to "sign" the capability certificate, then we're right back to the problem of having a lucrative single target for identity theft. The answer, I think, is biometrics. Your driver's license is signed by a key derived from a fingerprint or retinal scan. A cop who wants to verify your driver's license reconciles the signature on the license with a fingerprint scan taken at the scene. The central DMV database, then, uses as its primary key the signatures mentioned above. The problem this poses, then, is that the DMV database can never be coupled with any other database in a meaningful way because an individual's record in each database shares no data in common. The records could be matched by redoing the biometric authentication and comparing sigs - but that is time intensive, manual, and unsuitable for any kind of automated process. For some, this is a bug. For others, a feature. I think that on balance, society considers it a bug.

[ Parent ]
Biometrics (none / 0) (#37)
by dennis on Thu Apr 11, 2002 at 12:09:47 PM EST

I really meant the driver's license as an analogy. On the Internet, sure, you have the problem "how do you know the person with the capability cert is the right person." But you have the same problem with digital identities - no way to know if the person offering the identity cert is the right person.

I'm not sure what you mean by the DMV database not sharing data with others, tell me if this is right: Each different database could use a different one-way function on biometric data. They can't reverse the function to get the original data, so you can't match hashed data between databases.

This might be hard to implement, since a good cryptographic hash changes completely when one bit of the input changes. Kinda difficult when your key is an analog input. But if you could make a biometric detector that is guaranteed to always return the same bits for the same person, it would be a pretty cool way to do things!

[ Parent ]
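The per-database one-way function discussed in the two comments above, as an added example (not code from the article or the commenters). It assumes, as the comment does, a detector that returns the same template bits for the same person; the template bytes and the database secrets are constructed placeholders. It shows both points raised: keys for the same person are unlinkable across databases unless the biometric is redone, and a single misread bit changes roughly half of the key's bits.

```python
"""Per-database keyed one-way functions over a stable biometric template.
Added illustration, not code from the article or the comment thread."""
import hashlib
import hmac

# Constructed sample: a stable 32-byte "fingerprint template" for one person.
TEMPLATE = bytes(range(32))

def record_key(db_secret: bytes, template: bytes) -> str:
    """Keyed one-way function (HMAC-SHA256). Each database keeps its own secret,
    so the same person gets an unrelated record key in every database, and the
    raw template cannot be recovered from the key."""
    return hmac.new(db_secret, template, hashlib.sha256).hexdigest()

def differing_bits(key_a: str, key_b: str) -> int:
    """Hamming distance between two hex digests (out of 256 bits)."""
    return bin(int(key_a, 16) ^ int(key_b, 16)).count("1")

def flip_one_bit(template: bytes) -> bytes:
    """Simulate a detector that misreads a single bit of the template."""
    return bytes([template[0] ^ 0x01]) + template[1:]

def demo() -> dict:
    """Both properties raised in the thread, using constructed secrets."""
    dmv_secret = b"dmv-secret (constructed)"
    bank_secret = b"bank-secret (constructed)"
    dmv_key = record_key(dmv_secret, TEMPLATE)
    bank_key = record_key(bank_secret, TEMPLATE)
    rescan_key = record_key(dmv_secret, TEMPLATE)            # same detector output
    noisy_key = record_key(dmv_secret, flip_one_bit(TEMPLATE))  # one bit misread
    return {
        "same_scan_matches_record": dmv_key == rescan_key,
        "unlinkable_across_databases": dmv_key != bank_key,
        "bits_changed_across_databases": differing_bits(dmv_key, bank_key),
        "bits_changed_by_one_bit_flip": differing_bits(dmv_key, noisy_key),
    }

if __name__ == "__main__":
    print(demo())
```

The two bit counts come out near 128 of 256: a database cannot link its record to another database's record, but the same avalanche property means one misread bit from the detector produces an entirely different key, which is exactly the implementation difficulty the comment points out.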

I don't know.. (5.00 / 5) (#51)
by rcs on Thu Apr 11, 2002 at 03:16:50 PM EST

I don't know exactly what angle you're looking at for this, but the math is here. Math's been here for 17 years now.

David Chaum, with a paper in EuroCrypt '85, "Showing credentials without identification. Signatures transferred between unconditionally unlinkable pseudonyms". It's a way of showing credentials without showing all of them, or showing them without the "is-a-person" credential, the silliest of them all. Which, incidentally, I hope these articles eventually touch on.

But as I'm sure we're all aware, society lags behind technology. Happens to be a bad thing in this case.

--
I've always felt that there was something sensual about a beautiful mathematical idea.
~Gregory Chaitin
[ Parent ]
Technical and legal means (4.50 / 2) (#55)
by Eimi on Thu Apr 11, 2002 at 04:04:23 PM EST

The problem is, there's no technical way to control how someone else uses information. Once the company has your email address (for instance) there is no way at all for you to allow them to send a message confirming your identity but prevent them from selling it to spammers.

That said, there could be a legal recourse. Imagine a company called something like TOOTHe (TRUSTe with teeth). They enter into a contract with various sites whereby the sites pay them a fixed monthly amount and get to display the TOOTHe logo, but where the sites also adhere to a privacy policy set by TOOTHe. (In my mind TOOTHe has maybe just one, maybe a few policies, but they're all boilerplate. You don't have to read one each time. All "TOOTHe Gold Members" have the same policy.) If the site breaks the policy, they're in violation of the contract, and liable for real damages (alternately, the contract could provide an escape clause: maintain the privacy or you owe us $n million). Now TOOTHe is in the position to want to prove that sites are violating their policies, so a TOOTHe member in good standing certification really means something. To be best, there should be a way for private individuals to register with TOOTHe to get part of the windfall on any broken policy (though the details of getting that to work escape me). A TRUSTe mark is less than worthless, but a "TOOTHe Gold: Your privacy guaranteed or you get $100" would have some bite to it.

Just an idea.

[ Parent ]

Yeah (5.00 / 1) (#57)
by rusty on Thu Apr 11, 2002 at 04:35:42 PM EST

That is the kind of thing I'd like to see. My problem with TRUSTe is that it provides the impression of privacy protection, while not actually providing any protection. It would be better if people just believed they had no privacy at all. Something like TOOTHe is what TRUSTe should have been to begin with. Underwriters Labs would be a good model to look at for how to operate this as a company.

____
Not the real rusty
[ Parent ]
too many words, no solution proposed. (2.14 / 7) (#3)
by johwsun on Thu Apr 11, 2002 at 02:55:01 AM EST

I am a technician, not a philologist.
Can you tell us what is the proposed solution in order to solve the fake accounts problem?
We all know the problem, but nobody knows a perfect solution.
Do you have one? Can you explain it to us?

thank you
(+1 fp)


It's just an introduction (3.50 / 2) (#12)
by anno1602 on Thu Apr 11, 2002 at 03:53:33 AM EST

I think the purpose of this is to introduce the K5 community to Digital IDs, their uses, purposes, the problems they address and the challenges they face, thus giving us the background that is a prerequisite (sp?) for relevant discussion about the topic. Solutions are for another time and a lot more articles.
--
"Where you stand on an issue depends on where you sit." - Murphy
[ Parent ]
if you have a solution... (1.33 / 3) (#20)
by johwsun on Thu Apr 11, 2002 at 08:01:58 AM EST

..GIVE IT TO US NOW, the community needs it desperately. The community may pay for a solution. I could pay 2$ for that ;-)

If you DONT have a solution, but you want the community to give you one, then fine.

If you HAVE A HINT to a solution, and you want the hint to be discussed by us in order to find the solution together, fine again!

If we are lucky to find the solution, I hope you will not claim that the solution is yours and sell it to us..

that's all I have to say for the moment.


[ Parent ]
Solving the fake accounts problem (none / 0) (#42)
by pb on Thu Apr 11, 2002 at 12:38:40 PM EST

Don't make it easy for people to create an account.

The first step--verification of your IRL identity during the creation of your digital identity--is what will solve the 'fake accounts problem'. And of course you'll have to make that digital identity absolutely secure for it to be useful. Otherwise, your 'fake account' is just the theft of someone else's account.

And yes, if you can fake an IRL identity, then you probably earned your fake account. Good job looking up / forging the birth certificate. :)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]
who cares? (none / 0) (#59)
by CodeWright on Thu Apr 11, 2002 at 06:17:51 PM EST

who cares if an account/persona/identity is fake if it consistently honors all commitments?

in other words, if "l33tH4x0R666" is a persona shared and maintained by a bunch of pimply teenagers, if they cause the persona "l33tH4x0R666" to enter into financial transactions and honor them, what does it matter that the persona does not have a biometric 1-to-1 correlation to a meatspace entity?

the important requirement for an identity/persona is accountability (contractual obligation and reputation capital), not piercing the veil of pseudonymity.

--
"Humanity's combination of reckless stupidity and disrespect for the mistakes of others is, I think, what makes us great." --
[ Parent ]
the important requirement for an identity is... (none / 0) (#67)
by johwsun on Fri Apr 12, 2002 at 02:20:29 AM EST

the important requirement for an identity/persona is accountability.

the important requirement for an identity/persona is voting. Accountability, contractual obligation and reputation capital comes next.

[ Parent ]

well... (none / 0) (#70)
by pb on Fri Apr 12, 2002 at 09:22:20 AM EST

Then your 'digital identity' wouldn't be a person.

In a larger framework, perhaps you could register it as a 'corporation', or some other entity, but you couldn't vote, as has already been mentioned, or get a driver's license... Maybe you could have a corporate car though. :)

I suppose you could use this sort of account for artificial intelligences too, since by the time we have this authentication system working, they'll probably be the ones running the show. ;)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]
What is digital identity? A thought experiment: (2.41 / 12) (#5)
by mewse on Thu Apr 11, 2002 at 03:05:19 AM EST

Let us call this the "Sinbad's Digital Cookie" thought experiment.

Sinbad is, of course, a famous web surfer. And with him on his travels across the net is his 1024-bit cookie, which is recognizable to one and all of the sites to which he travels.

Thought Experiment #1: Imagine that after using this cookie for several years, Sinbad discovers that a few of his cookie's bits have become corrupted. If he removes those few bits and replaces them with new, identical bits, is his cookie the same cookie? Be prepared to justify your answer.

Thought Experiment #2: Imagine that over the course of a decade, Sinbad replaces, as discussed above, every bit in his cookie, eventually possessing a cookie that's identical to the original one, but with none of the original bits still present within its structure. Is his cookie still the same cookie? Be prepared to justify your answer.

Thought Experiment #3: Imagine that as Sinbad replaces the old, worn-out bits, that some other web surfer, perhaps poorer and with less of a reputation, takes those worn-out bits and assembles them back into the same form and shape as Sinbad's original cookie. Which of the two is now the original cookie; the one which has had the bits replaced, or the original bits that have been reassembled?

Please compose short essays explaining your answers and read chapters 3-7 in your digital philosophy books for next week. Class dismissed.

mewse



Information (3.33 / 3) (#13)
by xriso on Thu Apr 11, 2002 at 03:57:47 AM EST

There is no original usually because the OS has already copied it around on the file-system while deleting the original. And when Sinbad sends his key, he is not sending an original, but a copy. Even if there were an original, it does not matter one bit (sic). Bits are created and destroyed, not moved. If somebody gets a hold of your key, well too bad. I suggest that you avoid it. It's like somebody else getting your password. They can just as easily access things as you.
--
*** Quits: xriso:#kuro5hin (Forever)
[ Parent ]
Parent is a philosophy joke (5.00 / 1) (#68)
by keenan on Fri Apr 12, 2002 at 02:38:45 AM EST

I'm surprised with the very low ratings received by the parent message -- it is a joke referring to the concept of identity as studied in philosophy. If you took every reference to cookies and replaced it with cells of the body/brain, it could be taken straight out of an introductory philosophy course.

Keenan

[ Parent ]
Ha (none / 0) (#69)
by rusty on Fri Apr 12, 2002 at 02:41:43 AM EST

Crap. I totally didn't get it. I feel dumb.

Rusty goes back to quietly change his rating...

____
Not the real rusty
[ Parent ]

One of the biggest problems is adoption (4.54 / 11) (#7)
by Delirium on Thu Apr 11, 2002 at 03:13:56 AM EST

There are of course theoretical and practical problems with even the best methods (PKI in particular), but what I see as an even bigger problem is that the methods currently being widely used aren't even among the better ones. The biggest place I see this problem is where it's potentially most damaging -- in online banking and credit card services. A lot of credit card "authentication" is done solely on the basis of credit card number and expiration date -- the single factor authentication you speak of, and in this case not even a good secret factor, because it's a "secret" which many merchants, cashiers, eCommerce site programmers, and other people might have access to. Even more disturbing is the heavy reliance on social security numbers, driver's license numbers, and mothers' maiden names as authentication for more critical services at financial and other institutions -- they're now being used so frequently that these are essentially open secrets; far too many people potentially know them.

So how do we convince the banks and others to use a better method of authentication? Even a switch to a secure single-factor authentication would be a step up -- if at the time I opened my account I had to pick a standard 8-character password to use for access to my account, it'd be far more secure than allowing me to access it just by typing in my social security number. Even better would be the use of some sort of "real" method of authentication, but if they're not even using simple passwords, what are the chances they'll implement a robust PKI system?

Practical security (5.00 / 7) (#19)
by dark on Thu Apr 11, 2002 at 06:13:34 AM EST

Hmm... I can't speak for the masses, but I know that the low security is something I like about current identity systems. I would want a system to be either:

a) Completely secure, or
b) Easily deniable

At the moment, we can't have a, so I'll go for b.

Everyone knows that the credit card system isn't secure. That's why there's an administrative system in place for disputing charges. Similarly, everyone knows that current online login systems are insecure. That's why if something goes wrong and someone impersonates me, I can deny that it was me and be believed.

When security goes up, the risk increases with it, because identity theft, once accomplished, becomes more credible and more valuable. It also becomes more difficult, but that difficulty depends on how powerful your enemies are. I don't worry about the average net.kook getting my GPG key, but I assume that a government agency or large corporation can do it if they want.

I would be reluctant to move to a system that is good enough to be widely trusted, but is still vulnerable to a determined impersonator. That would be the worst of both worlds.

[ Parent ]
  • Add your own higher authentication (3.00 / 2) (#29)
    by sfischer on Thu Apr 11, 2002 at 10:23:24 AM EST

    Every one of my credit cards has the words "Please see identification" in place of my signature. This adds a second level of authentication as I demand that they at least look at my license to verify that the name and picture matches. There are things we can do.

    -swf

    [ Parent ]

    How often do they ask? (4.00 / 1) (#33)
    by nosilA on Thu Apr 11, 2002 at 11:01:51 AM EST

    Personally I just have a signature, but a friend of mine has See ID written on his, and they almost never ask him. I'm just curious if this actually works.

    -Alison
    Vote to Abstain!
    [ Parent ]
    Not often (3.00 / 1) (#35)
    by Cro Magnon on Thu Apr 11, 2002 at 12:03:21 PM EST

    My own credit card is unsigned. Only one place ever asked for my ID, and it didn't the last few times.
    Information wants to be beer.
    [ Parent ]
    More than half ask (3.00 / 1) (#39)
    by sfischer on Thu Apr 11, 2002 at 12:24:21 PM EST

    I've seen over the past year or so that more than half of the time I'm asked.

    On the flip side, if they don't ask, I make a point to show them that they should.

    -swf

    [ Parent ]

    Haven't you (2.50 / 2) (#36)
    by linca on Thu Apr 11, 2002 at 12:04:02 PM EST

    Americans have PIN codes on their credit cards? Credit can can be quite secure, you know.

    [ Parent ]
    Credit /cards/ can be secure. Duh. (none / 0) (#43)
    by linca on Thu Apr 11, 2002 at 01:04:29 PM EST



    [ Parent ]
    No (none / 0) (#46)
    by Delirium on Thu Apr 11, 2002 at 02:56:38 PM EST

    Credit cards have no PIN numbers in the U.S. Debit cards do, but they're generally only necessary at ATMs, not when purchasing items at stores.

    And for online purchases PINs are pretty crappy security anyway. Most companies I know of use 4-digit PINs, and it'd be pretty trivial to guess that, especially since most people use some of the more-memorable 4-digit combinations.

    [ Parent ]

    Good patents :) (2.50 / 2) (#49)
    by linca on Thu Apr 11, 2002 at 03:10:39 PM EST

    Well to make a long story short, a French guy has invented the concept of smart cards - in 1976. He patented it in order to apply that concept to credit cards: You can't use one at a store without entering a 4 digit PIN, which some machine recognises in an unbreakable manner. Of course, that PIN, not used for "online purposes" but for day-to-day shopping, can hardly be "guessed", since typing the wrong code a few times in a row will raise eyebrows.

    So finally we in France are about 20 years ahead of the US technologically; one doesn't have to worry that much about credit card theft (except recently for online purposes... ;/)

    That was my jingoistic chauvinist talk of the day.

    [ Parent ]
    hehe (5.00 / 2) (#50)
    by Delirium on Thu Apr 11, 2002 at 03:15:45 PM EST

    Well in the U.S. we mostly don't care because of laws that make you not liable for credit card fraud. If my card is stolen, I'm only liable for a maximum of $50 in charges (even if my credit limit is several thousand dollars) -- the credit card company is responsible for the rest (this also gives them incentive to try to get the stolen money back). And if I report a theft of my card, I'm not responsible for any charges made after the minute I report it. And furthermore I'm not liable for any charges at all that were made without my actual signature (i.e. online or phone purchases). So in most cases losing your credit card is essentially free; the CC companies absorb the cost.

    [ Parent ]
    Cost and France (5.00 / 1) (#52)
    by rusty on Thu Apr 11, 2002 at 03:25:29 PM EST

    So in most cases losing your credit card is essentially free; the CC companies absorb the cost.

    Actually, the merchants end up absorbing the cost, as you'd expect. The CC companies just take the goodwill for it. :-/

    Incidentally, I went to France in 1993, before anyone here had heard of debit cards, and it was already all anyone used. Supermarkets, department stores, etc, everyone just swiped their card at the now-ubiquitous little card terminal. At the time, it astonished me, and it took the US nearly five years to get anywhere close to that point.

    ____
    Not the real rusty
    [ Parent ]

    I don't like debit cards (5.00 / 1) (#53)
    by Delirium on Thu Apr 11, 2002 at 03:31:10 PM EST

    Actually, the merchants end up absorbing the cost, as you'd expect. The CC companies just take the goodwill for it. :-/

    Well online merchants do. The Real Stores generally still require signatures, so the CC company is liable for fraud that occurs there. Big places like Best Buy even have you sign on a little computer touch-screen with a stylus so they have your signature on file for quick retrieval to prove they really did ask for it (rather than having to deal with filing billions of little pieces of paper).

    Incidentally, I went to France in 1993, before anyone here had heard of debit cards, and it was already all anyone used. Supermarkets, department stores, etc, everyone just swiped their card at the now-ubiquitous little card terminal. At the time, it astonished me, and it took the US nearly five years to get anywhere close to that point.

    Hrm. I don't like debit cards at all, and still only use mine as an ATM card. It's far too much trust in the security of the card -- with a CC if it gets stolen I'm not out anything. With a debit card if it gets stolen (with my PIN) I'm out all the money in my account, which depending on how many accounts I have and how much money was in that one could be quite painful. Even if somehow I get it back eventually, I'm still out the money until the end of the investigation. Same with disputed charges even when it's not stolen -- if say I take a group out to dinner, get a $200 restaurant bill, and the restaurant charges my card twice on the CC, I just call up Visa and tell them I'm not paying the second one. At worst they'll reduce my credit limit by that amount pending the outcome of the investigation, but I never have to actually pay it (unless of course it turns out it was a valid charge and my complaint was unfounded). With a debit card I'm out the $200 until the bank decides to give me my money back. This also gives them less incentive to actually do anything about it in a timely fashion, since it's my money they're trying to get back, not theirs.

    [ Parent ]
    True, but (5.00 / 1) (#54)
    by rusty on Thu Apr 11, 2002 at 03:42:57 PM EST

    This is true. However, I haven't yet heard anyone tell me a horror story about their debit card and PIN being stolen and losing all their money. Don't some debit cards also have anti-fraud protections similar to credit cards?

    ____
    Not the real rusty
    [ Parent ]
    yeah (none / 0) (#56)
    by Delirium on Thu Apr 11, 2002 at 04:08:54 PM EST

    Depends on the bank and branding. My debit card, for example, is a "Visa Check Card" (the primary purpose of this being that I can use it as a credit card at places that don't have debit card facilities set up). Visa gives it the same anti-fraud protections as its normal credit cards, so you should be able to get your money back eventually. Different banks also have individual policies, some better than others.

    In general the main disadvantage I see there isn't so much your actual technical protections, but your leverage. With a credit card they have an incentive to address your complaints and get the issue resolved because you don't have to pay them the disputed amount until they do. With a debit card you'll likely have to keep calling them back and bugging them until they actually do something about it, because it's your money that's in question, not theirs.

    [ Parent ]

    Does anybody see the problem here? (5.00 / 1) (#74)
    by dark on Fri Apr 12, 2002 at 01:27:55 PM EST

    Big places like Best Buy even have you sign on a little computer touch-screen with a stylus so they have your signature on file for quick retrieval to prove they really did ask for it (rather than having to deal with filing billions of little pieces of paper).

    This also makes it really easy for them to duplicate your signature. A touch-screen can detect the speed and pressure you use when writing your signature, so it allows much better forgeries than simply scanning a paper copy.

    I've never encountered such a system myself. I think I would refuse to sign on a touch-screen.



    [ Parent ]
    Not to worry (5.00 / 1) (#76)
    by Adam Tarr on Sat Apr 13, 2002 at 01:44:03 PM EST

    Big places like Best Buy even have you sign on a little computer touch-screen with a stylus so they have your signature on file for quick retrieval to prove they really did ask for it (rather than having to deal with filing billions of little pieces of paper).

    This also makes it really easy for them to duplicate your signature. A touch-screen can detect the speed and pressure you use when writing your signature, so it allows much better forgeries than simply scanning a paper copy.

    While in theory a touch-screen could detect these things, the touch-screens that places like Best Buy use are far too primitive to do so... they just pixelate what you write and save it. Furthermore, most people (myself included) are so unaccustomed to the stylus that they botch their signature pretty badly.

    If someone wanted to forge your signature, they'd be better off scanning a paper receipt than printing your touch-screen signature.

    -Adam

    [ Parent ]

    Let me try to sum this up (3.70 / 10) (#8)
    by onyxruby on Thu Apr 11, 2002 at 03:14:40 AM EST

    Let me see if I have this straight. A digital identity is effectively a combination of slashdot's karma, ebay's feedback, microsoft's passport, a little public/private key encryption, along with a possibility of some biometric verification processes to boot. Did I get this right? Whilst I think there is certainly a market for this (passport competitor comes to mind), I think there needs to be some concerns addressed.

  • Who watches the trusted parties (ISPCON) to make sure they don't abuse some very sensitive data?
  • What is the standard for reporting successful crack attempts into the system? If a cracker gets in, who do I hear about it from first, the register or ISPCON?
  • What will prevent abuse of the system such as has become rampant on slashdot (over 500 people lost moderating privileges for rating a non-troll comment up that Hemos didn't like)?
  • How will I know that someone is using additional layers of security? While public key/private key works well for some things, it can't tell me that the person on the other end has also passed a biometric test.
  • Will this data be turned into (or available as) a smart card such as they have in Europe? Could such a smart card be used at a desktop level with hardware? Could such a card be used as a multi-card credit card storing the relevant information for each?
  • You state
    The technology that allows this uses Digital Certificates (Word .doc) issued by a third party which both of the Digital Identities have agreed to trust.
    What choices would be available for third party certification verification? I for one don't trust verisign, and I know I am not alone there.
  • Privacy policy, etched in stone that my information will not be sold, transferred, rented, shared or even looked at sideways with any third party or affiliated organization, and I would seriously consider using this service.
  • This sounds like a passport competitor, is this going to co-exist with programs that companies like SUN are developing? Would a partnership along those lines be in the works?
  • Can you guarantee that this service will not be bought by AOL or Microsoft?
  • How will this work with international warrants and government information service requests? Whose rules (nations) would this go by?

    The moon is covered with the results of astronomical odds.

  • Erm (4.00 / 1) (#9)
    by rusty on Thu Apr 11, 2002 at 03:25:33 AM EST

    I don't think you have it quite straight. This isn't a description of a service, it's an overview of a field. Like, say you were to write an article about "Peer to peer." It would end up covering a lot of things that all live in the same niche, but don't all operate at the same time. That's the idea here.

    ____
    Not the real rusty
    [ Parent ]
    Confused (4.00 / 2) (#11)
    by onyxruby on Thu Apr 11, 2002 at 03:42:08 AM EST

    I think I am officially confused then. It sounds a lot like a passport type thing to me, but you say it isn't that. I can understand writing a paper about why they think a digital identity is important. I'll freely accept the argument that this can be a good idea, and could be a very useful service. However since it sounds like I am way off base on this, what exactly are they wanting to do?

    The moon is covered with the results of astronomical odds.
    [ Parent ]

    Describe the problem (3.00 / 1) (#14)
    by rusty on Thu Apr 11, 2002 at 03:57:59 AM EST

    This is basically just a description of the issues involved in what we're calling "digital identity." Passport is a digital identity service, you're right, so some of this does describe things like what passport does. This, though, is just an overview of the problems involved and the field, and some of the major solutions. It's not about doing anything in particular. It's just a whitepaper about digital identity as a general problem.

    Did you see this?

    ____
    Not the real rusty
    [ Parent ]

    not entirely without value (none / 0) (#21)
    by iGrrrl on Thu Apr 11, 2002 at 08:32:43 AM EST

    It's just a whitepaper about digital identity as a general problem.

    Then despite hir confusion, it might be worthwhile to treat onyxruby's concerns as a very rough draft whitepaper of the consumers' interests. Although inappropriately pointed, some of the concerns expressed should be prominent in the debate, imo, particularly the issues of privacy and "who watches the watchers".

    --
    You cannot have a reasonable conversation with someone who regards other people as toys to be played with. localroger
    remove apostrophe for email.
    [ Parent ]

    Yes (5.00 / 1) (#47)
    by rusty on Thu Apr 11, 2002 at 03:07:11 PM EST

    Sorry, I didn't mean to imply that the original comment wasn't important. I was just trying to clear up the focus of it. But you're right, those are all very much concerns that we (the presumed customers) are going to have about this stuff.

    ____
    Not the real rusty
    [ Parent ]
    Background (3.00 / 4) (#15)
    by cameldrv on Thu Apr 11, 2002 at 04:10:02 AM EST

    It's interesting to see an old-timer with a new project. What have you been working on since the ipad isp in a box thing?

    People to people.. (4.87 / 8) (#18)
    by alfadir on Thu Apr 11, 2002 at 06:10:08 AM EST

    Granted that this is an overview over the Digital Identity problems I am not sure I would like a corporate solution to these problems. You say in the Control section that: "The answer to this is NOT going to be technological as technology could implement any control structure that a population insisted upon."

    I imagine that the market for this technological solution is very big. What is the projected value of this market? Just supplying the technology and leaving the hard decisions to the politicians. Already you hear about different companies like Oracle and also biometric companies competing about "marketshares" by proposing different technical solutions. This has been even more visible after the start of the war on terror.

    The alternative would be standards worked on by university institutions (all over the world) or other "free" bodies, why not the UN (ok, maybe not the UN's job but just one example). The technology and the implementation owned by the people, the exact implementation may differ between states but would operate over the world. There will still be room for the corporate world to make a buck in implementation..

    One of the problems is the level of information needed for a transaction. In the current online systems one can find that some system requires a very high degree of information for a low degree transaction. What levels of trust are needed to post on a forum? To buy a book? To buy a car? over the network. In a real life situation I don't give my address to the people I ask a question, while I give my bank account information to the car reseller. As the MIT article says: "Ultimately, it is up to the judgment of legislators to determine when the government should step in and regulate the type of information a business is permitted to collect."

    Another problem is the identity of the other side in a business transaction. Even if you do business with a big company you have a salesperson that you are in personal contact with. If the transaction now moves online you would do business with a corporate ID, not a person. Sure, often the personal connection is not needed, but it can have some advantages.

    The article is well written and after explaining the problems, it is hard to discuss them on a technical level as to what is missing.

    I must admit (3.83 / 6) (#22)
    by tombuck on Thu Apr 11, 2002 at 08:47:09 AM EST

    That I'd rather have "digital anonymity" than digital identity. The former's more important to me, and I'd prefer to see investment in that before we move on to the DID phase.

    Saying that, though, UKian councils are testing online voting and voting via your mobile phone. I'll be interested to see how things fare up, vote-rigging-wise.

    --
    Give me yer cash!

    don't you mean (5.00 / 1) (#60)
    by CodeWright on Thu Apr 11, 2002 at 06:24:34 PM EST

    "digital pseudonymity" rather than "digital anonymity"?

    --
    "Humanity's combination of reckless stupidity and disrespect for the mistakes of others is, I think, what makes us great." --
    [ Parent ]
    small town trust, small town gossip (4.75 / 16) (#23)
    by iGrrrl on Thu Apr 11, 2002 at 09:38:55 AM EST

    Ultimately Digital Identity will become as complex and flexible in use as a real-world human identity.
    I disagree. In the real world, you can be reasonably anonymous. You can walk through the mall without handing every shop your business card.

    The article later points out the attempts of digital ID to parallel the old trust systems of small community face to face interactions. It is difficult to recreate such systems, but probably also true that there is a need to do so for commercial interactions. Let me express my reason for disagreeing with the statement above by expanding on the analogy of the small community.

    In a small community there is, in truth, little privacy but what is granted. In previous eras one's private affairs were given (at least in the spoken social code if not always in practice) some measure of respect. People did gossip, of course, and fear of the shame of discovery was a strong regulator in people's behavior.

    To avoid discovery of legal but socially condemned actions or purchases, people would go to places where they were unknown. With the kind of required digital identity I detect in the coming years, will we have that opportunity? It would be like crossing town to buy a girly magazine, but announcing yourself as the preacher's son out for porno at every intersection.

    If I have two very different online presences -- legal, non-fraudulent, but potentially embarrassing -- and don't care for them to overlap, how will I accomplish this separation if specific personal authentication follows me around the net?

    The argument usually brought against such concerns is, "If you're not doing anything illegal, what do you have to hide?" My answer is this: In the face to face world, you can live a life of public rectitude with no one knowing what you do in the bedroom. If constant digital identity is required, the metaphorical bedroom door would be wedged wide open.


    --
    You cannot have a reasonable conversation with someone who regards other people as toys to be played with. localroger
    remove apostrophe for email.

    Some answers. (3.00 / 1) (#30)
    by i on Thu Apr 11, 2002 at 10:36:15 AM EST

    If I have two very different online presences -- legal, non-fraudulent, but potentially embarrassing -- and don't care for them to overlap, how will I accomplish this separation if specific personal authentication follows me around the net?

    Let's assume you have a digital ID (dID). You want to maintain an account here, and an account on some other site, and you don't want anybody to be able to figure out that both accounts belong to the same person.

    Let's have every site to possess another sort of ID, let's call that sort of ID a domain. It is possible to devise a procedure to combine, or "hash", your dID with a domain, producing a new value (let's call it a nick) such that:

    • It is impossible to reconstruct a dID from a nick, or relate two nicks from different domains.
    • It is impossible to produce two different nicks for the same domain from the same dID.
    • It is possible to verify that a given nick was produced from a valid dID for a given domain.
    This may seem like an overkill solution to a small dupe account problem, but consider what happens if one of the sites in question is a poll booth for a (real-life) presidential election.

    It is also possible to devise a slightly different procedure such that it's possible to reconstruct your dID from the nick, but only with the help of authorities that handed you your dID (you will need a court order for that I presume). This way, you can keep your semi-anonymity until you do something deemed illegal by relevant authorities. For instance, you may create a credit account and stay anonymous unless you violate credit terms somehow (e.g. fail to pay on time). Then the creditor will complain, get your identity discovered and bring charges against you.

    and we have a contradicton according to our assumptions and the factor theorem

    [ Parent ]

    big hammer, little nail. (5.00 / 2) (#34)
    by iGrrrl on Thu Apr 11, 2002 at 11:16:29 AM EST

    Let's assume you have a digital ID (dID). You want to maintain an account here, and an account on some other site, and you don't want anybody to be able to figure out that both accounts belong to the same person.
    Actually, the assumption is far more trivial than what I had in mind. It isn't just keeping different nicks on different sites separated, but keeping whole swaths of internet behavior separated.

    Say for example I teach in a school in a small town in the American South. Most of my neighbors and the parents of my students are probably very Christian, and likely of the Southern Baptist persuasion. But what if I'm a pantheist who has found a comfortable religious home in the metaphor of Wicca? I can't look for community in my physical community, so I go on the net.

    I would have two separate and legitimate uses for Yahoo Groups alone. I could have an account that interacted with other elementary school teachers to share tips and gripes. I could have another account that belonged to a couple of Wicca groups. There are other, non-overlapping places each of these interests would take me.

    If, for example, a double check on my online purchases of school supplies turns up that I also buy from praisethemoon.com, I could suffer. Seriously suffer, to the point of losing my job.

    And all while trying to keep that bedroom door closed.

    (Remember, gang, this is a hypothetical. I live in New England and don't teach school.)

    --
    You cannot have a reasonable conversation with someone who regards other people as toys to be played with. localroger
    remove apostrophe for email.
    [ Parent ]

    Confused by the word "domain"? (none / 0) (#38)
    by i on Thu Apr 11, 2002 at 12:10:21 PM EST

    Fear not! "Domain" in what I'm talking about is not necessarily the Internet domain. It is simply a (big, specially generated) number. Any site could have any number of them. AOL could have five (I think AOL allows up to five "screen names" but I'm not sure). For each Yahoogroup, Yahoo could have one. Or ten. Or, if Yahoo doesn't care how many accounts you have, infinitely many. I'm not sure why they should care. Whether or not they can recover your real ID from any of your nicks is what matters, but this issue is completely separate.

    K5 could have one for each story in the queue, one for each comment to moderate, and one for each poll. So it would be impossible to correlate your voting behaviour in different parts of k5 while maintaining "one person, one vote" principle.

    Feels better now?

    and we have a contradicton according to our assumptions and the factor theorem

    [ Parent ]

    I feel fine. (5.00 / 1) (#44)
    by iGrrrl on Thu Apr 11, 2002 at 02:35:48 PM EST

    Oh, dear. I've just had my head patted. Yes, I got the difference between DNS domain and a domain as you meant it. But I'm just a molecular biologist, and the full implications of the new vocabulary word were not immediately obvious.

    My response was based on the idea (implicit in your use of the singular) that a site would only issue one domain, or one per dID. And why would they do otherwise? Yahoo's "free" services cost Yahoo money. If they could limit it to one per customer reliably through dID, why wouldn't they? And if the layer of security is going to cost them more, they'd be even further motivated to limit accounts. And you could no longer spoof them; your dID would be used by many sites to automagically fill in user info forms.

    So maybe, given my limited understanding, using domains to hash the dID info would work, but do we have any notion whether any sites would actually do that? I doubt it, unless they were compelled by law.

    --
    You cannot have a reasonable conversation with someone who regards other people as toys to be played with. localroger
    remove apostrophe for email.
    [ Parent ]

    I don't know. (none / 0) (#77)
    by i on Sun Apr 14, 2002 at 05:48:35 AM EST

    do we have any notion whether any sites would actually do that?

    I surely have no idea. This is social/political/financial issue, not a technical one. Presumably, customers that want multiple accounts would pressure them into implementing such a possibility, but I don't know whether the pressure would be sufficient.

    and we have a contradicton according to our assumptions and the factor theorem

    [ Parent ]

    separate the systems (none / 0) (#40)
    by pb on Thu Apr 11, 2002 at 12:30:50 PM EST

    Obviously you'd need to authenticate to the system at some point, but after that, you should be able to choose a level of anonymity.

    The easiest way to do this is to separate out the authentication from everything else, to where all a site receives is a guarantee from the authentication system that the (anonymous) user is indeed authorized. Also, you'd probably want to store your information either locally or in a very secure place.

    This would also require that all the sites you go to have a secure channel to the authentication system and that the authentication system is secure and impartial.

    I don't know how you could build a secure and distributed authentication system hosted by just anyone on the internet. The reason DNS works is by convention, but it also doesn't store any private information. I suppose you could try to use some sort of shared cryptography to ensure the security and validity of the data, but I don't know if this part of the solution is really a solved problem yet, and thus I wouldn't want to trust my personal information to it until I had some guarantees, perhaps both legal and technical.
    ---
    "See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
    -- pwhysall
    [ Parent ]
    Who does the hashing? (5.00 / 2) (#41)
    by spcmanspiff on Thu Apr 11, 2002 at 12:32:25 PM EST

  • Me, on my computer: It would be very difficult to prevent me from using just any old dID I want, thus allowing me to vote twice in elections, etc.
  • The "domain": There is no way to prevent them from deciding to store my dID if I have to send it to them for hashing.
  • Trusted third party: No such thing, really. They could be selling nick->dID correlations under the table, for all we know.

    If there was a sufficiently tyrannical scheme in place to ensure that any one person only had one dID, with a centralized signing authority etc etc, then some of the above issues could be resolved.

    Of course, that brings up the "mark of the beast" social issues, plus relies on the assumption that nobody will ever figure out how to generate an arbitrary, valid dID for themselves...



    [ Parent ]

  • The answer is: (none / 0) (#78)
    by i on Sun Apr 14, 2002 at 06:03:47 AM EST

    you, on your computer. No, you can't cheat and use a string of numbers that is not your own dID. Basically, dID is "signed" by whoever issued it. You can't create such a signature by yourself. Hashing mangles your dID just so it's possible to see it was signed, but impossible to see what exactly was signed.

    The tyrannical scheme you mention is already in place in many countries, but its implementation is inadequate for the digital age. The numbers (such as SSN in the USA) can be easily stolen, forged etc.

    Yes, it is assumed that generating valid dIDs without knowing the "secret" is hard. But it's at least as hard as breaking a modern crypto scheme. Presumably, people that can do that would be busy working for their respective spy agencies, or maybe stealing billions from someone else's bank accounts. Not doing silly things like voting twice in presidential elections.

    and we have a contradicton according to our assumptions and the factor theorem

    [ Parent ]
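    The dID-plus-domain "nick" scheme described in comment #30 ("Some answers") and the "who does the hashing?" question answered in #78 can be made concrete. The example below is added here and is not code from the thread or from any product the article describes. It models the simplest of spcmanspiff's three options, the trusted issuer doing the derivation, with a keyed HMAC as the per-domain hash and a second HMAC standing in for the issuer's digital signature (the standard library has no public-key signing). The user-side variant in #78, where you hash a signed dID yourself and a site can check the signature without learning what was signed, needs blind or zero-knowledge signature techniques and is not shown. The issuer, dID and domain values are constructed for the demo; the escrow table is the trust point spcmanspiff worries about, since whoever holds it can link every nick back to a person.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Trusted issuer that knows the real dID and derives one nick per domain.

    Hypothetical keys, generated fresh for this example. The tag key is shared
    with relying sites so they can verify tags; a real deployment would use a
    public-key signature here so sites could verify but not forge.
    """
    derive_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    tag_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    escrow: dict = field(default_factory=dict)  # (domain, nick) -> dID

    def derive_nick(self, did: str, domain: str) -> str:
        # Keyed with a secret the site never sees: the nick reveals nothing
        # about the dID, and nicks for different domains are unrelated.
        msg = did.encode() + b"\x00" + domain.encode()
        return hmac.new(self.derive_key, msg, hashlib.sha256).hexdigest()[:32]

    def tag(self, nick: str, domain: str) -> str:
        # Issuer's attestation that (nick, domain) was produced from a valid dID.
        msg = nick.encode() + b"\x00" + domain.encode()
        return hmac.new(self.tag_key, msg, hashlib.sha256).hexdigest()

    def issue(self, did: str, domain: str) -> tuple[str, str]:
        nick = self.derive_nick(did, domain)
        self.escrow[(domain, nick)] = did  # recoverable only through the issuer
        return nick, self.tag(nick, domain)

    def reveal(self, domain: str, nick: str, court_order: bool) -> str:
        # The "slightly different procedure" from #30: identity comes back
        # only with the issuer's cooperation, modelled here as a required flag.
        if not court_order:
            raise PermissionError("dID is escrowed; issuer will not reveal it")
        return self.escrow[(domain, nick)]


@dataclass
class Site:
    """A relying site: knows its own domain and the issuer's verification key."""
    domain: str
    tag_key: bytes
    seen: set = field(default_factory=set)

    def verify(self, nick: str, tag: str) -> bool:
        msg = nick.encode() + b"\x00" + self.domain.encode()
        expected = hmac.new(self.tag_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def cast_vote(self, nick: str, tag: str) -> bool:
        """Accept a ballot only for a valid, not-yet-seen nick (one person, one vote)."""
        if not self.verify(nick, tag) or nick in self.seen:
            return False
        self.seen.add(nick)
        return True


def demo() -> dict:
    """Run one user through two domains and report each property from #30."""
    issuer = Issuer()
    forum = Site("domain-forum-0001", issuer.tag_key)  # constructed domain ids
    poll = Site("domain-poll-0002", issuer.tag_key)

    did = "dID:alice-0001"  # constructed dID
    forum_nick, forum_tag = issuer.issue(did, forum.domain)
    poll_nick, poll_tag = issuer.issue(did, poll.domain)
    again_nick, _ = issuer.issue(did, forum.domain)

    try:
        issuer.reveal(poll.domain, poll_nick, court_order=False)
        denied = False
    except PermissionError:
        denied = True

    return {
        "stable_per_domain": forum_nick == again_nick,       # no second nick per domain
        "unlinkable_across_domains": forum_nick != poll_nick,
        "forum_accepts": forum.verify(forum_nick, forum_tag),
        "poll_rejects_forum_tag": poll.verify(forum_nick, forum_tag),
        "first_vote": poll.cast_vote(poll_nick, poll_tag),
        "second_vote": poll.cast_vote(poll_nick, poll_tag),  # same person, refused
        "forged_nick": poll.cast_vote("0" * 32, poll_tag),   # bad tag, refused
        "reveal_without_order_denied": denied,
        "reveal_with_order": issuer.reveal(poll.domain, poll_nick, court_order=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Note what the site never receives: the dID itself. A site that wants more accounts per person simply generates more domain numbers, as #38 describes, and each yields a fresh unlinkable nick; the only party that can correlate them is the issuer holding the escrow table, which is why the governance of that table matters more than the hash.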

    ZZZZZZZZZZzzzzzzzzzzz (2.30 / 13) (#24)
    by bukvich on Thu Apr 11, 2002 at 09:39:41 AM EST

    Man you sound like one of those corporate consultants my boss likes to talk to because he can't figure out how to use a computer to get anything done.

    See the New York Times style guide and get a clue how to hook a reader past a paragraph!

    Hope this helps.

    B.

    hmmm (2.80 / 5) (#26)
    by /dev/trash on Thu Apr 11, 2002 at 10:12:29 AM EST

    "...when we all knew each other and did business face-to-face, ..."

    I actually prefer doing business anonymously. less lines, I get what I want and I don't deal with a pissy clerk.

    ---
    Updated 02/20/2004
    New Site

    Not to mention (5.00 / 2) (#48)
    by Kwil on Thu Apr 11, 2002 at 03:07:15 PM EST

    The looks from the other folks in line when they see what weird shit I'm buying.

    That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


    [ Parent ]
    empty, jargon-filled article (none / 0) (#64)
    by BlueOregon on Thu Apr 11, 2002 at 10:38:18 PM EST

    "...when we all knew each other and did business face-to-face, ..."

    Bah, I say. No such time ever existed. Think of how many K5ers you 'know' well enough from their online reputation, diaries, etc. Add to that your coworkers, the people you encounter on a regular basis when shopping (checkout girls, folks at the bank, etc.), and so on and so forth. Feel free to add family and friends if you wish. That can be a pretty large 'network' of people.

    Go back to preindustrial times, and you'll see that the vast majority did not have 'networks' so large ... especially not of people they "knew" and did business with "face to face". Then take the 'industrial age' -- and one of the complaints you read about all the time is that industrialization leads to anonymity, alienation, etc. So in neither industrial nor pre-industrial societies do you find people having *large* networks of people they knew well face to face.

    That having been said, smaller networks of people who have that quality do and have existed. In any case, my point is simply that the author(s) of the article has little sense of history regarding the topic public vs. private ... which I find much more interesting than some random talk of "how do I make online transactions secure?" And it's that topic (public vs. private) that is touched upon when they do their "when we all knew each other" spiel.

    Finally -- occasionally I prefer doing business anonymously -- getting what I want without dealing with pissy clerks. Usually that's because the quality of "service" in the so-called "service industries" sucks ... you know, in the industries run by people who want to help us with all our online/digital transactions.

    -SK

    [ Parent ]

    Where is the development of trust accounted for (4.71 / 7) (#27)
    by sfischer on Thu Apr 11, 2002 at 10:16:17 AM EST

    It's very easy to deal with authentication at increasing levels. If id/password pairs are insufficient, use public/private key and other higher levels of authentication.

    My question is more along the human aspects of identity and trust. In face to face interaction your identity is based on your physical appearance and your behaviour. In a digital transaction it might be possible to replace the physical appearance aspect of identity with authentication (but there are technical issues surrounding that which are certainly resolvable). How do we represent an individual's behavior in a digital world?

    Individuals develop trust through a series of transactions, each transaction expecting one party to take on potentially greater levels of risk (of that trust being violated) and with each successful transaction, a higher level of trust is established. Trust is a two part thing, clearly identifying the individual you are collaborating with and making a decision based upon past (and current) behavior on what level of trust you will establish for this transaction. Even if you trust an individual strongly, there could be an instance where that individual is behaving oddly and you might adjust your level of trust downward.

    This identification of behavior, both in the tracking of past actions and the acknowledgement of current activity, is sorely lacking from any discussion of digital identity I've seen to date. The tracking of past behavior could be accomplished with data warehousing but raises all sorts of privacy issues which I don't want to go into here. How can we identify that someone with whom we have established a certain level of trust is currently behaving in a fashion that would lead us to maintain that level of trust?

    Also there is the issue of currency of trust. Maybe we have trusted a person strongly but a long period of time has passed since we had any interaction with that individual. How does that affect our level of trust?

    I don't have answers. It seems that until we have a way to handle both identity and behavior that digital identity will have difficulty reaching the masses.

    -swf
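One way to put numbers on the trust process described in the comment above, as an added Go example that is not part of the original thread: a per-party ledger where each honoured transaction raises the score in proportion to the risk taken, a breach collapses it, the score decays with time since the last interaction, and odd current behaviour discounts it before a new level of risk is accepted. The scoring constants, function names and the timeline are assumptions constructed for this example, not a standard.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Transaction is one interaction with a party: how much the trusting side put at
// risk (0..1) and whether the other side honoured it.
type Transaction struct {
	At      time.Time
	Risk    float64
	Honored bool
}

// Scoring rules; these constants are this example's assumptions, not a standard.
const (
	gainScale   = 0.5                  // share of remaining headroom earned per unit of honoured risk
	breachKeep  = 0.25                 // fraction of trust that survives a breach
	halfLife    = 180 * 24 * time.Hour // trust halves after this long with no contact
	oddDiscount = 0.5                  // multiplier while the party is currently behaving oddly
)

// Ledger is the tracked past behaviour of one identified party.
type Ledger struct{ History []Transaction }

// Record appends a transaction; a risk outside [0,1] is rejected.
func (l *Ledger) Record(t Transaction) bool {
	if t.Risk < 0 || t.Risk > 1 {
		return false
	}
	l.History = append(l.History, t)
	return true
}

// Trust replays the history in order: each honoured transaction moves the score
// toward 1 in proportion to the risk taken, each breach collapses it, and the
// result decays by half-lives since the last interaction (the currency of trust).
func (l *Ledger) Trust(now time.Time) float64 {
	score, last := 0.0, time.Time{}
	for _, t := range l.History {
		if t.Honored {
			score += (1 - score) * gainScale * t.Risk
		} else {
			score *= breachKeep
		}
		last = t.At
	}
	if last.IsZero() {
		return 0
	}
	if idle := now.Sub(last); idle > 0 {
		score *= math.Pow(0.5, idle.Hours()/halfLife.Hours())
	}
	return score
}

// Accept decides whether to take on a proposed level of risk now: past behaviour
// sets the score, and odd current behaviour discounts it before comparing.
func (l *Ledger) Accept(now time.Time, proposedRisk float64, behavingOddly bool) bool {
	score := l.Trust(now)
	if behavingOddly {
		score *= oddDiscount
	}
	return score >= proposedRisk
}

func main() {
	t0 := time.Date(2002, time.April, 11, 0, 0, 0, 0, time.UTC) // constructed timeline
	var l Ledger
	for i, risk := range []float64{0.2, 0.4, 0.6} { // escalating risk, all honoured
		l.Record(Transaction{At: t0.AddDate(0, i, 0), Risk: risk, Honored: true})
	}
	now := t0.AddDate(0, 2, 0)
	fmt.Printf("trust after three honoured transactions: %.3f\n", l.Trust(now))
	fmt.Println("accept risk 0.4 now:", l.Accept(now, 0.4, false))
	fmt.Println("accept risk 0.4 while behaving oddly:", l.Accept(now, 0.4, true))
	fmt.Printf("trust after a year of silence: %.3f\n", l.Trust(now.AddDate(1, 0, 0)))
	l.Record(Transaction{At: now, Risk: 0.5, Honored: false})
	fmt.Printf("trust after one breach: %.3f\n", l.Trust(now))
}
```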

    I'm surprised (4.60 / 5) (#28)
    by wiredog on Thu Apr 11, 2002 at 10:22:01 AM EST

    No one has posted this link yet. It's to Bruce Schneier's Crypto-gram. He goes into the digital id issues frequently. Read the back issues.

    Also, his book Secrets and Lies is a must read.

    Peoples Front To Reunite Gondwanaland: "Stop the Laurasian Separatist Movement!"

    Protocols to ensure Honest Suppliers (4.85 / 7) (#31)
    by buffy fan on Thu Apr 11, 2002 at 10:49:24 AM EST

    What worries me is the back end procedures - the part that we entrust the Suppliers to handle.

    I am sure that the industry would like to "self-regulate", but I don't think they can be relied on, bearing in mind the frightening amounts of money at stake. Instead, we need to have ground rules that ensure decent interoperability (which does NOT involve behaving like NetSol does with domains), backed up by enabling the consumer to vote with their feet.

    - I want to be able to change providers freely and easily if I wish, kind of like I can change bank accounts or email addresses. Easy movement to the competition helps keep competitors honest.
    I think this is vital.

    - Interoperability / Expandability. I don't have the faintest clue how to do it without the GPL, but you need a way to stop a major player from locking in the punters.

    - Transparent transaction history. I imagine some companies will be able to modify parts of my account, like the Credit Status, and I see no reason why all this log should not be freely available to me - I need to know who, how and why.

    - Multiple Accounts / Anonymity. One ring to bind them all won't work for some of the same reasons that people have more than one bank account etc. Users will want more privacy etc than one account can provide.

    - Access Control. Predefined access levels, so that others cannot get more control than is necessary. If I have to handle each request individually I will end up swamped by companies wanting contacts, birthday, shoe size etc.
    e.g. Trusted Company A gets to see my Bank details only, Family Member B can see my personal contacts only, and Weird Stalker C goes to /dev/null.

    It is a shame that Hailstorm is *allegedly* getting cut back - it is the sort of Big Stick needed to make the competition play nicely and come up with a workable option.

    Perhaps the answer is to make an Open Standard of the various processes, based on University type research, rather than Corporate R&D, which would rather reinvent every last wheel and patent them all than go with something NIH.

    Hmmm, reading it all back, it looks rather Naive. I don't see big business willing to release control on this one. Just wait until the RIAA find an angle...
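The predefined access levels and the transparent transaction history from the list above, as an added Go example that is not part of the original comment: a requester is granted a level once, each request releases only the attributes that level covers, a requester with no level gets nothing, and every request is logged with who asked, what they got and why. The level names, attribute names, requester names and profile values are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Attribute names one piece of the holder's data (bank details, contacts, ...).
type Attribute string

// Level is a predefined access level mapping to a fixed attribute set. Anything
// not listed for a level is denied; a requester with no level at all gets nothing.
var Level = map[string][]Attribute{
	"financial": {"bank_account", "bank_sort_code"},
	"personal":  {"contacts", "birthday"},
}

// AuditEntry is one line of the transparent transaction history: who asked, why
// they said they needed it, what they asked for and what they actually got.
type AuditEntry struct {
	When                        time.Time
	Requester, Purpose          string
	Requested, Released, Denied []Attribute
}

// Identity holds the attributes, the requester-to-level policy and the history.
type Identity struct {
	attrs  map[Attribute]string
	policy map[string]string // requester -> level name; absent means deny all
	Log    []AuditEntry
}

func NewIdentity(attrs map[Attribute]string) *Identity {
	return &Identity{attrs: attrs, policy: map[string]string{}}
}

// Grant assigns a predefined level once, so the holder is not asked per request.
func (id *Identity) Grant(requester, level string) error {
	if _, ok := Level[level]; !ok {
		return fmt.Errorf("unknown access level %q", level)
	}
	id.policy[requester] = level
	return nil
}

// Request releases the intersection of what was asked for and what the requester's
// level allows, and records the outcome in the log whether or not anything was released.
func (id *Identity) Request(requester, purpose string, wanted []Attribute) map[Attribute]string {
	allowed := map[Attribute]bool{}
	for _, a := range Level[id.policy[requester]] { // unknown requester: empty set
		allowed[a] = true
	}
	released := map[Attribute]string{}
	e := AuditEntry{When: time.Now(), Requester: requester, Purpose: purpose, Requested: wanted}
	for _, a := range wanted {
		if v, ok := id.attrs[a]; ok && allowed[a] {
			released[a] = v
			e.Released = append(e.Released, a)
		} else {
			e.Denied = append(e.Denied, a)
		}
	}
	id.Log = append(id.Log, e)
	return released
}

func main() {
	id := NewIdentity(map[Attribute]string{ // constructed profile, placeholder values
		"bank_account": "00000000", "bank_sort_code": "00-00-00",
		"contacts": "alice, bob", "birthday": "1970-01-01", "shoe_size": "42"})
	id.Grant("Trusted Company A", "financial")
	id.Grant("Family Member B", "personal")
	id.Request("Trusted Company A", "direct debit", []Attribute{"bank_account", "bank_sort_code", "shoe_size"})
	id.Request("Family Member B", "party invite", []Attribute{"contacts", "birthday", "bank_account"})
	id.Request("Weird Stalker C", "none given", []Attribute{"contacts", "birthday"}) // no level: /dev/null
	for _, e := range id.Log { // the who, how and why the holder can read back
		fmt.Printf("%s (%s): asked %v, released %v, denied %v\n", e.Requester, e.Purpose, e.Requested, e.Released, e.Denied)
	}
}
```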

    Effects and Control (4.00 / 1) (#45)
    by mami on Thu Apr 11, 2002 at 02:43:32 PM EST

    Rather this will in the end be a political decision, and it is part of the ongoing saga of the development of the Digital ID. It is, however, an aspect of any particular Digital Identity technology that you should examine to see what effects the adoption of that system might have on a population over time. With each Digital Identity technology, control will end up somewhere, even if by default.

    Will you examine the effects of the adoption of specific Digital Identity systems you might design in upcoming papers? It would interest me most to read comments from people who are developing the technologies and are deeply involved in it, on how they evaluate the social and political aspects of the effects and control of such technologies.



    When does it matter? (5.00 / 2) (#58)
    by redelm on Thu Apr 11, 2002 at 05:03:23 PM EST

    The technology of establishing a digital identity is already conceptually available. Certificates, public-key encryption and clearsigning are all well known. A somewhat more interesting issue is who will authenticate the keys. Usage/archive based or central authorities. Naturally, there are a number of pretenders vying for central authority function.

    But step back a bit. WHY are digital identities important? To whom? Merchants need strong identities and are very willing to pay for them [advertising] to differentiate themselves, attract and retain customers. Their biggest issue is to keep DNS secure and their own machines tight. Customers come to them.

    Induhviduals have different concerns. Mostly, my money is my identity. So I will safeguard my CrCard numbers. Otherwise, for USENET or blog personae, I could trust headers/sitepasswds or do clearsigning. What would I use a strong digital identity for? Closing a loan? Sorry, but even if the security system were perfect, I want the hurdle of notarized dead trees. More convenience has negative value for me here.

    Finally, I am concerned that too strong a digital identity may permit new forms of discrimination. A verifiable and disputable credit history is a fair criterion to use in judging whether to give me a loan. Whether I post to K5 is not, even if some statistician has shown that K5 posting correlates with ontime bill paying. Correlation is not causality.



    Here's why I think this is important (4.33 / 3) (#61)
    by garbanzo on Thu Apr 11, 2002 at 06:37:24 PM EST

    in two words: identity theft. Let's assume you are an American for the sake of argument but I would imagine similar issues exist in other countries. Someone steals some mail or gets some data sent over the internet by insecure means by people not conscious of security. Because there is nothing, really, that ties you strongly to your SSN id, it is pretty trivial for people to impersonate you. Then they go on a shopping spree, leaving you with the bills. Oh, you don't necessarily end up paying them, but you will pay a good deal (time and money and grief) dealing with the fact that you are NOT the Bob Smith who did all those bad things, even if he stole your SSN to set up the accounts.

    Until your legal identifier(s) are strongly tied to your identity--really, what I mean is biometrics--it is way too easy for someone unscrupulous to saddle you with debt and woe.

    What would be even better would be to get rid of the legal identifiers like SSN and replace them with biometric identifiers. I mean, really, your name is just an alias for your biometrics, when you get right down to it. There are several people in the world with my name but only one with my body.

    Remember this also: no matter how careful YOU are with your personal data, some schlub out there still has to handle it and they may not be careful--banks, universities, employers, mortgage companies, etc. All of the people you do business with at a certain level require you to share data and trust them with it. Just to scare the crap out of you, I found a case where someone was transferring insurance eligibility data to a Major US insurer in plain text files as an attachment to an email. SSNs, addresses, names, family information, everything. It took a great deal of slow, patient explanation to make these people understand exactly how bad this was. They had been doing it for over a year, more or less monthly. Once I explained it to them, we had to repeat the process with the insurer's people, who were also, surprisingly, clueless.



    sure, it's all fun and games--until someone puts an eye out

    [ Parent ]
    Identity Theft -- NOT (5.00 / 1) (#65)
    by redelm on Thu Apr 11, 2002 at 11:17:21 PM EST

    We are saying something similar, except you wish to substitute biometrics for some form of perfect authentication. My point about notarized dead-trees is very serious -- I don't want _any_ authentication other than my physical presence obligating me beyond recourse. I'm willing to put up with the inconvenience and cost. I see no compelling reason or overwhelming advantage for more convenience. Do you have one?

    This might make me a neo-Luddite technophile :) But I'm willing to put up with going to the Bank and signing for a Credit Card, or getting one Recipient-only Registered Mail. I insist on this physical presence because I believe it will deter fraud artists more than any other measure by greatly increasing their chances of capture.

    Cracking any security system is all about the investment payoff. How much do you get for a successful crack, and how much does it cost you? The cost is the probability of failure times the cost of failure. So far, people talk about increasing the probability of failure. I want to increase the _costs_ of failure. Sort of like why /etc/shadow is a good idea -- the costs of /etc/passwd cracking increase from a few hundred CPU cycles per wrong guess to a second or so of real time.

    Beyond and apart from this, I doubt that Identity Theft is actually a statistically serious problem. Sure there are cases. Everything possible _must_ happen with a large enough sample size, and 300 million is plenty large. But if it were really large, the CrCard companies who bear most of the fraud costs would take more precautions. They could easily ask for a voided check, or copies of paystubs, utility bills, drivers licences. None of this is totally fraud-proof, but it would raise the barriers. The point is they don't even do this, presumably because they don't need to.



    [ Parent ]

    Identity Theft (5.00 / 1) (#72)
    by andredurand on Fri Apr 12, 2002 at 10:20:33 AM EST

    I was reviewing with a friend who worked at VISA the breakdown of the fee split-up in a typical VISA transaction. As part of the conversation, it came out that a large portion of the transaction costs (%) were attributed and justified by the CC companies as CC fraud protection. The fact is, CC fraud is a big problem, and 19 times higher online than in real life. It is inevitable that more and more transactions are going to be automated and 'online' in some form or another; in the process, it is likely that increasingly sophisticated methods of reducing identity theft will be created.

    My guess is that in the end, identity theft will become more difficult (not impossible), and at the same time, the consequences of having it happen to you more time-consuming to repair (although I certainly would not like to see it happen as such).

    [ Parent ]
    I think we agree mostly (5.00 / 1) (#73)
    by garbanzo on Fri Apr 12, 2002 at 10:55:31 AM EST

    Point of probable agreement: the current system is too tolerant of impersonation, it basically enables identity theft by not requiring strong identification. Point on which we might quibble is how that strong identifier is stored and verified. Say you go get a loan. A strong identity system takes some form of identifying feature (thumbprint, retina photo, facial, voice, some combination of these) and that becomes your legal signature, which is stored with the loan contract. You still need this to be stored somehow because the bank may want to sue you for non-payment and they need some way to match the physical you to the contract in a court.

    Now, suppose the engineering community finds a way to do all of this remotely, somehow, so that one can enter such strongly-signed agreements with telepresence. It sounds as though you distrust telepresence, period. Only real presence is acceptable. I would say that telepresence might be acceptable, depending on the system and its security and the risk--how much money or what sort of access are we talking about? Security is always a balancing act between risk and convenience.

    As to the statistical occurrence of identity theft, I'll concede that it is less common than, say, auto theft, but it is still common enough to warrant changes in the system. It may not be serious to those who have not yet experienced it, in the same way that auto theft does not impinge on my daily reality because my car has not been stolen. Once you get on the wrong side of the statistical percentage, your attitude changes. And frankly, what I've heard is that it is becoming more prevalent. I mislike waiting for something to become a really big deal before acting to stop it, particularly given the consequences. Another respondent to this comment has already noted that the credit card companies do take precautions, mainly in the form of increased cost to consumers of credit.



    sure, it's all fun and games--until someone puts an eye out

    [ Parent ]
    Agreement vs evidence of Agreement (none / 0) (#75)
    by redelm on Sat Apr 13, 2002 at 01:05:52 AM EST

    You have helped me sharpen up my thinking -- thank you. It is not so much telepresence that I object to, but the muddling of agreement versus evidence of agreement. Too many in the digital world want to make something "indisputable", when even a paper signature is disputable.

    I only consider myself bound by the agreements I make. The law agrees. Even a notarized signature is disputable and will be invalidated if I can impeach the notary. Likewise, I can be held to a verbal agreement if evidence is presented showing there was agreement. Yet many of the digitalID schemes want to rob me of recourse.

    At issue is who pays for fraud: The person whose ID was stolen, or a merchant who entered into a transaction with hope of profit which was dashed by failure of their ident system? IOW, if my ID is stolen, does the thief _OWN_ me, or is it "merely" inconvenient to re-establish myself?

    I am not naive -- consumers ultimately pay for all fraud. They must, because there is no-one else who can pay. Merchants make a profit or disappear. But I wish to give merchants strong incentives to cut fraud. They are uniquely well placed to cut fraud, and should know their customer to the extent economically optimal. Forcing an individual to pay for theft of ID is harsh and ultimately won't be accepted. The inconvenience factor of re-establishing ID is probably motivation enough to reasonably guard ID.

    [ Parent ]

    Non-response (4.33 / 3) (#63)
    by Sacrifice on Thu Apr 11, 2002 at 10:07:59 PM EST

    First, I recommend editing for future DI articles. Be as terse as possible, or you will exclude those competent to respond (disclaimer: the following may violate my own advice).

    Other posters have covered a lot of ground already, so I'll just explore the obvious problems of legal non-repudiation of computer-generated signatures.

    Fraud is a tremendous problem, and the goal of "digital identity" should be to reduce it in a cost-effective trade-off between convenience and potential loss. While this is unrelated to the technical issues and advantages of using a new "non-deniable" digital signature, one advantage with the pathetic status quo is that laws protect the average citizen from liability when someone does misuse their SSN, credit card number, or other "secrets" in order to make fraudulent transactions. It would be a mistake to assume that fraud will be eliminated because of digital signatures.

    Unless you carry your built-from-scratch laptop everywhere with you and do not sleep, you will eventually be screwed by compromised terminals that either misrepresent what you're signing (if you are so lucky as to have some sort of PK-signing smart-card) and/or intercept and reuse your password. General-purpose computers connected to the Internet should be considered potentially compromised (either by trojan horse or vulnerabilities in network applications).

    I propose a special-purpose portable magic-identity-key-terminal with a small (few lines of text) display, in addition to the usual smart-card features (difficulty of copying without causing physical self-destruct), cryptographic signature generation and verification capability, data-storage, perhaps some internal biometric or password protection ... the important part is that the display would present brief "contracts" along with the identity of their verified signatories, which you would then sign on the device (by pushing a button, smearing a drop of blood, licking a sensor, humming a tune, whatever).

    If the contract were too large to fit on the screen, then I suppose you'd have to scroll (ick - think about what could be hidden in the fine print) - but the complete contract for more substantial matters could be referenced and a hash of it signed as usual (problem: if I don't trust the full-featured computer in front of me, how am I going to get a hash of the document I am in fact reading? perhaps OCR =D).

    In any case, the idea is just that if you see on your little magic-identity-key the lines "Amazon.com","$109.53","home-address","item1","item2" ... and you pull the trigger, your magic key generates some 500 digit number that gets sent to Amazon, and with that, barring any fundamental breakthroughs in cryptography/hardware, you have some pretty strong confidence on both sides that no fraud is involved.

    Another danger of non-repudiation is that the harder denial becomes, the more duress becomes an issue, both as an excuse, and as a genuine problem. Ideally, any standard for the exchange of digital credentials and signing of subsequent contracts should include a facility where the owner of the identity can silently signal duress, where presumably the other side would, to the limits of their competence, present all the appearance that everything is legit, while silently notifying authorities (not that the magic key couldn't do that itself).

    If the magic key works on its own when stolen, or perhaps its easily copyable activation secret (password? voice? even DNA could be copied) has been stolen as well, it's essential that parties to a contract can verify through some revocation-publication service that the key has not been reported lost or stolen (of course, there are still no guarantees - such reports are not always immediate).

    There are a lot of practical design issues to such a magic-smart-key-terminal. I don't think you'd want your magic key to receive contract-offers over a wireless network connection - can you imagine the spam? An explicit, physical plug-in would be better (and potentially more secure).

    Reality: the biggest problem with such pie-in-the-sky schemes is that they are simply not worth the effort for the vast majority of cases, and will probably not see widespread adoption without a government mandate (and government mandated technology often smells like Clipper).

    I encourage other people to do all the hard work of producing an open standard for reputation/identity/contracts/privacy. It's simply too tedious for me to think about at length (I'm only being slightly facetious here).
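The signing flow sketched in the post above, as an added Go example that is not part of the original post: the key displays the short contract lines plus a truncated hash of the full terms, signs a digest over exactly those lines only after the holder approves, and the merchant refuses keys on a revocation list and any contract whose fields no longer match what was signed (the tampered-amount case). The Ed25519 signature scheme, the field names and the contract values are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Contract is the merchant's offer: the short fields fit the key's few-line
// display; Terms is the full text that does not.
type Contract struct {
	Merchant, Amount, Address, Terms string
	Items                            []string
}

// Display is what the key shows before signing; the last line is a truncated hash
// of the full terms, for the holder to compare with the document they actually read.
func (c Contract) Display() []string {
	lines := []string{"to: " + c.Merchant, "amount: " + c.Amount, "ship: " + c.Address}
	for _, it := range c.Items {
		lines = append(lines, "item: "+it)
	}
	terms := sha256.Sum256([]byte(c.Terms))
	return append(lines, "terms: sha256:"+hex.EncodeToString(terms[:4]))
}

// Digest is what gets signed: each displayed line, NUL-terminated so fields
// cannot be re-split, plus the full hash of the terms.
func (c Contract) Digest() []byte {
	h := sha256.New()
	for _, line := range c.Display() {
		h.Write([]byte(line))
		h.Write([]byte{0})
	}
	terms := sha256.Sum256([]byte(c.Terms))
	h.Write(terms[:])
	return h.Sum(nil)
}

// Key is the portable device; the private key never leaves it.
type Key struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}
func NewKey() (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Key{priv: priv, Pub: pub}, err
}

// Sign shows the contract and signs only if the holder approves (the button press).
func (k *Key) Sign(c Contract, approve func(display []string) bool) ([]byte, bool) {
	if !approve(c.Display()) {
		return nil, false
	}
	return ed25519.Sign(k.priv, c.Digest()), true
}

// Revoked is the publication service: hex-encoded public keys reported lost or stolen.
type Revoked map[string]bool

// Verify is the merchant's side: a reported key is refused outright, and the
// signature must match the contract the merchant holds, so any altered field fails.
func Verify(pub ed25519.PublicKey, c Contract, sig []byte, rev Revoked) bool {
	return !rev[hex.EncodeToString(pub)] && ed25519.Verify(pub, c.Digest(), sig)
}

// SampleContract is constructed input mirroring the lines quoted in the post.
func SampleContract() Contract {
	return Contract{Merchant: "Amazon.com", Amount: "$109.53", Address: "home-address",
		Items: []string{"item1", "item2"}, Terms: "full terms of sale (constructed)"}
}

func main() {
	key, _ := NewKey()
	c, rev := SampleContract(), Revoked{}
	sig, _ := key.Sign(c, func(lines []string) bool { fmt.Println(lines); return true })
	fmt.Println("original:", Verify(key.Pub, c, sig, rev))
	tampered := c
	tampered.Amount = "$1109.53" // what a compromised terminal might submit instead
	fmt.Println("tampered:", Verify(key.Pub, tampered, sig, rev))
	rev[hex.EncodeToString(key.Pub)] = true
	fmt.Println("revoked:", Verify(key.Pub, c, sig, rev))
}
```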

    PingID (none / 0) (#71)
    by andredurand on Fri Apr 12, 2002 at 10:13:59 AM EST

    One of the main objectives of Ping Identity (www.pingid.org) is to build an open framework for the creation of 'identity-based' applications, where a balance is struck between individual control over privacy and utility/convenience.

    There's a well known mantra in the security industry that speaks to well designed security systems as adopting a separation of identity authentication into 1) something you have (e.g. ID card), 2) something you know (e.g. password), and 3) something you are (e.g. biometrics such as fingerprints etc.). While careful use of these techniques will serve to reduce the risk of identity theft, they will not eliminate it, and as people and systems come to rely more heavily on identity related conveniences, the potential damage from identity theft becomes that much greater (20% of all Americans today have had some sort of identity theft happen to them).

    But in and of itself, can identity theft really harm someone? It's not like stealing a car, where the stolen item has utility in and of itself and its absence causes you immediate harm. Your digital identity is information, and that information can only bring harm to you or your digital reputation if it is used by others in an unauthorized manner. Therein lies the foundation for what should be considered 'the last line of defense' against identity theft - the identity infrastructure itself.

    Assume if you will that identity theft is inevitable (at least some *hopefully* small percentage of ID theft). Identity infrastructure, which is out of any individual's control, should be designed to reduce the harm associated with that theft. In doing so, what is out of anyone's individual control acts as an intrinsic safeguard to the unauthorized use of an identity, providing infrastructural-level mechanisms whereby the true identity holder is notified when a possible breach of security has occurred.

    Through proper design of feedback, monitoring, and other identity infrastructure capabilities, it just might be possible that identity theft can be made a crime that causes very little harm. And this may be a much easier approach (albeit a defensive one) to the problem than trying to totally prevent identity theft as a possibility.


    [ Parent ]
    k5 and tech (3.33 / 3) (#66)
    by infinitera on Thu Apr 11, 2002 at 11:33:28 PM EST

    Somewhat off-topic, but I like the technical discussion this has generated. Having articles like this (but hopefully less.. hard to read) on a regular basis makes us all more geeky. Yay!

    What is Digital Identity? | 78 comments (72 topical, 6 editorial, 0 hidden)