[cryptography] Definition of Identity (was Re: key management guidelines)
marsh at extendedsubset.com
Sat Sep 4 18:46:32 EDT 2010
On 09/04/2010 12:08 PM, Arshad Noor wrote:
> Ian G wrote:
>> On 4/09/10 4:21 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>>> It's too bad there isn't a notion of identity separate from keys.
>> The problem with all this is there is an assumption that we can
>> accurately model an identity in any form. In practice, we can't. In
>> more theoretical terms, we can't even define identity, let alone
>> design a single system to capture it.
> Very simply: identity is a set of attributes of a transacting party,
> relevant to the transaction's context.

I like that way of saying it, it sounds like a useful way to think about
actual systems. It might be hard to use in general discussion since it
probably doesn't match what most people have in mind.

The concept of identity is impossibly deep I think. AFAICT, it's an
essential part of biology and authentication has been a challenge since
the invention of the immune system, or maybe even the cell membrane. Is
this molecule part of me or is it foreign? Maybe this is an analogy
extended way off the deep end, I'm still not sure. Consider dogs, they
certainly use their noses for identifying each other (have you ever seen
a dog fooled by an imposter?) Doesn't smell come from those molecular
exchange processes? Probably humans gave up smell as a primary means of
recognition only relatively recently in evolutionary history.

People have a lot of built-in hardware for managing identity (e.g.,
special circuits for face and voice recognition). My theory is that for
this reason we have a very hard time appreciating the essential
complexity inherent in identity and authentication systems; too much
just happens automatically under the surface. Many times I've been in
conversations where the participants all believe that they have a good
working definition of identity for the discussion, but it inevitably
emerges that everyone has different ideas in mind.

But even with billions of years of biology working on the problem these
systems still fail on a regular basis. Foreign bodies trick our cells
into being a host or even incorporating their DNA. Ant species have
fascinating ways of masking and imitating others' chemical signatures.
People fall for scams when clean-cut looking kids go door-to-door. And
of course, computer systems get owned through any number of failure
modes related to identity (often the root cause can be traced to
oversimplifications in the design or deployment).

For years and years, an "account username" was a reasonably sufficient
subject identifier. But it was just an approximation, and it breaks down
once systems become distributed in any non-trivial way. (If not sooner,
consider the number of admin and service accounts in comparison to users
on a typical system). When problems are encountered in operation, often
they are perceived as weaknesses in authentication. But when the deeper
cause is an insufficiently powerful and flexible identity model that
doesn't take into account the complex reality, strengthening the level
of authentication just makes the resulting system harder to use. So
trying to make the traditional models work across the entire internet
just isn't a good idea, despite the fact that conflating the concepts of
"user" and "living natural person" is highly appealing on many levels.
Most people are simply not going to leave a comment on a blog post if
the web form insists on a government issued photo ID.

It wasn't that long ago that if you lived in a small town, folks at the
bank knew you personally. They could also spot someone who wasn't from
the area with a useful degree of reliability. This was a flexible system
that leveraged people's built-in skills. Although it was far from
perfect, at least its failure modes tended to be proportional to common

At the other extreme, I recently heard about some kind of national
digital ID card being introduced in Germany that had RFID, USB readers,
Windows drivers, and so on. It sounded like it basically amounted to
being required to present one's passport or birth certificate at any
number of reader terminals and official websites, no matter how mundane.
It doesn't sound like a good idea to me that renewing your cat's license
tag online should be treated the same as, say, a large bank transfer.
It's not going to be pretty when the limitations of such an approach are
encountered, non-repudiation seems not to work so well when half the
endpoint systems are owned by kernel-mode malware.