[cryptography] Definition of Identity (was Re: key management guidelines)

Marsh Ray marsh at extendedsubset.com
Sat Sep 4 18:46:32 EDT 2010

On 09/04/2010 12:08 PM, Arshad Noor wrote:
> Ian G wrote:
>> On 4/09/10 4:21 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>>> It's too bad there isn't a notion of identity separate from keys.
>> The problem with all this is there is an assumption that we can
>> accurately model an identity in any form. In practice, we can't. In
>> more theoretical terms, we can't even define identity, let alone
>> design a single system to capture it.
> Very simply: identity is a set of attributes of a transacting party,
> relevant to the transaction's context.

I like that way of saying it, it sounds like a useful way to think about 
actual systems. It might be hard to use in general discussion since it 
probably doesn't match what most people have in mind.

The concept of identity is impossibly deep I think. AFAICT, it's an 
essential part of biology and authentication has been a challenge since 
the invention of the immune system, or maybe even the cell membrane. Is 
this molecule part of me or is it foreign? Maybe this is an analogy 
extended way off the deep end, I'm still not sure. Consider dogs, they 
certainly use their noses for identifying each other (have you ever seen 
a dog fooled by an imposter?) Doesn't smell come from those molecular 
exchange processes? Probably humans gave up smell as a primary means of 
recognition only relatively recently in evolutionary history.

People have a lot of built-in hardware for managing identity (e.g., 
special circuits for face and voice recognition). My theory is that for 
this reason we have a very hard time appreciating the essential 
complexity inherent in identity and authentication systems; too much 
just happens automatically under the surface. Many times I've been in 
conversations where the participants all believe that they have a good 
working definition of identity for the discussion, but it inevitably 
emerges that everyone has different ideas in mind.

But even with billions of years of biology working on the problem these 
systems still fail on a regular basis. Foreign bodies trick our cells 
into being a host or even incorporating their DNA. Ant species have 
fascinating ways of masking and imitating others' chemical signatures. 
People fall for scams when clean-cut looking kids go door-to-door. And 
of course, computer systems get owned through any number of failure 
modes related to identity (often the root cause can be traced to 
oversimplifications in the design or deployment).

For years and years, an "account username" was a reasonably sufficient 
subject identifier. But it was just an approximation, and it breaks down 
once systems become distributed in any non-trivial way. (If not sooner, 
consider the number of admin and service accounts in comparison to users 
on a typical system). When problems are encountered in operation, often 
they are perceived as weaknesses in authentication. But when the deeper 
cause is an insufficiently powerful and flexible identity model that 
doesn't take into account the complex reality, strengthening the level 
of authentication just makes the resulting system harder to use. So 
trying to make the traditional models work across the entire internet 
just isn't a good idea, despite the fact that conflating the concepts of 
"user" and "living natural person" is highly appealing on many levels. 
Most people are simply not going to leave a comment on a blog post if 
the web form insists on a government-issued photo ID.

It wasn't that long ago that if you lived in a small town, folks at the 
bank knew you personally. They could also spot someone who wasn't from 
the area with a useful degree of reliability. This was a flexible system 
that leveraged people's built-in skills. Although it was far from 
perfect, at least its failure modes tended to be proportional to common 
sense expectations.

At the other extreme, I recently heard about some kind of national 
digital ID card being introduced in Germany that had RFID, USB readers, 
Windows drivers, and so on. It sounded like it basically amounted to 
being required to present one's passport or birth certificate at any 
number of reader terminals and official websites, no matter how mundane. 
It doesn't sound like a good idea to me that renewing your cat's license 
tag online should be treated the same as, say, a large bank transfer. 
It's not going to be pretty when the limitations of such an approach are 
encountered; non-repudiation seems not to work so well when half the 
endpoint systems are owned by kernel-mode malware.

- Marsh
