[cryptography] Definition of Identity (was Re: key management guidelines)
arshad.noor at strongauth.com
Sun Sep 5 14:06:22 EDT 2010
Ian G wrote:
> E.g., travis wants own identity in the PGP key. Yet your definition
> calls for capturing the identity of a newspaper.
The PGP key was designed to permit a given set of attributes. If the
attributes are insufficient for a specific transaction's context, the
PGP key would be inappropriate for the OP's use-case. The identity
(attributes) of the newspaper only have meaning in the context of
buying a newspaper. If the vendor of the newspaper had a strange
requirement that he wants a PGP-signed message for home-delivery of
the newspaper, and if the OP had the inclination to acquiesce, then
the newspaper's identity and the identity attributes of the PGP key
have meaning in that transaction; otherwise they are irrelevant.
> We're now talking about identifiers and OOP and capabilities and
> fundamentals of data, not what humans think of their "identity".
That is precisely the problem - that humans think of identity as some
abstract, meta-physical concept, when all it is is an aggregation of
attributes relevant to a transaction.
> It's a bit like defining Travis's identity as the set of actions that
> erupt from movements of the collection of atoms bounded by the clothing
Not a set of actions - but a set of attributes. Isn't all matter
just a collection of atoms which, when aggregated and capable of
exhibiting specific properties, we humans identify with a name?
Why do we call the combination of 2 hydrogen atoms and 1 oxygen atom
water, steam, ice and snow? Because of their attributes. They are
the same atoms, but within a specific context, they have different
attributes and, thus, different identities.
> OpenPGP can still do that, but it misses the point by a layer or two. We
> do not have a way to capture a bundle of attributes and make them
> perform as per OPs desires. x.509 insists there is no bundle, or it
> insists there is only an unchanging official bundle (CN, C, etc), so its
> simplifications make it intractable in practice.
Perhaps OpenPGP is not the solution to the OP's problem - although
with the right supporting infrastructure, it could be. X.509 digital
certificates have some of that support infrastructure and thus go
beyond OpenPGP. But, to truly solve a business problem, you need
more than either PGP or digital certificates - you also need a
mechanism that takes "identity" attributes from all relevant parties,
processes business rules and makes a decision about the transaction:
i.e. an authorization mechanism.
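The authorization mechanism sketched in the closing paragraph, as an added example that is not part of the thread or of any product mentioned in it: a small attribute-based policy evaluator in Python. It treats a party's "identity" for a given transaction as exactly the set of attributes the transaction's rules reference (relevant_attributes), gathers attributes from all parties, evaluates the business rules for that transaction, and fails closed on unknown actions or missing attributes. The party names, attribute names, rules and the newspaper-delivery sample data are all constructed for illustration, following the home-delivery scenario discussed above.

```python
"""Attribute-based authorization sketch (added example, not from the thread).

Identity here is the bundle of attributes a transaction's rules actually
reference; attributes nobody asks about are irrelevant to that transaction.
All party names, attribute names, rules and sample data are hypothetical.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Ref:
    """Reference to another party's attribute, e.g. Ref("vendor", "price")."""
    party: str
    attribute: str


@dataclass(frozen=True)
class Rule:
    """Compare <party>.<attribute> against a literal or a Ref using op."""
    name: str
    party: str
    attribute: str
    op: str        # one of "eq", "in", "gte"
    other: Any     # literal value or Ref


# Hypothetical business rules, keyed by transaction type.
POLICY: Dict[str, List[Rule]] = {
    "home-delivery": [
        Rule("signed-request",  "requester", "signature_valid", "eq", True),
        Rule("key-uid-matches", "requester", "key_uid_email",   "eq",
             Ref("requester", "account_email")),
        Rule("in-service-area", "requester", "delivery_zip",    "in",
             Ref("vendor", "service_zips")),
    ],
    "buy-copy": [
        Rule("paid-enough", "requester", "cash_offered", "gte", Ref("vendor", "price")),
    ],
}

_OPS = {
    "eq":  lambda a, b: a == b,
    "in":  lambda a, b: a in b,
    "gte": lambda a, b: a >= b,
}


def relevant_attributes(action: str) -> Set[Tuple[str, str]]:
    """The (party, attribute) pairs that constitute 'identity' for this action."""
    needed: Set[Tuple[str, str]] = set()
    for rule in POLICY.get(action, []):
        needed.add((rule.party, rule.attribute))
        if isinstance(rule.other, Ref):
            needed.add((rule.other.party, rule.other.attribute))
    return needed


def authorize(action: str, attrs: Dict[str, Dict[str, Any]]) -> Tuple[bool, List[str]]:
    """Evaluate every rule for `action`; return (decision, names of failed rules).

    Unknown actions, missing attributes and type mismatches all fail closed.
    """
    rules = POLICY.get(action)
    if rules is None:
        return False, ["unknown-action"]
    failed: List[str] = []
    for rule in rules:
        left = attrs.get(rule.party, {}).get(rule.attribute)
        right = rule.other
        if isinstance(right, Ref):
            right = attrs.get(right.party, {}).get(right.attribute)
        try:
            ok = left is not None and right is not None and _OPS[rule.op](left, right)
        except TypeError:          # e.g. "in" against a non-container
            ok = False
        if not ok:
            failed.append(rule.name)
    return (not failed), failed


# Constructed sample: attributes asserted by the requester's PGP key and
# account, plus the newspaper vendor's own attributes.
SAMPLE_ATTRS: Dict[str, Dict[str, Any]] = {
    "requester": {
        "signature_valid": True,            # result of verifying the PGP-signed request
        "key_uid_email": "travis@example.org",
        "account_email": "travis@example.org",
        "delivery_zip": "94110",
        "cash_offered": 2,
        "shoe_size": 11,                    # a real attribute no rule here cares about
    },
    "vendor": {
        "name": "Daily Example",
        "service_zips": {"94110", "94114"},
        "price": 3,
    },
}

if __name__ == "__main__":
    for action in ("home-delivery", "buy-copy", "steal-copy"):
        print(action, relevant_attributes(action), authorize(action, SAMPLE_ATTRS))
```

Note that the requester's shoe_size never appears in relevant_attributes for either transaction, while the same signature_valid attribute decides home-delivery and is ignored by buy-copy: the attribute bundle is the same, but which parts of it constitute "identity" depends entirely on the transaction's rules.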