[cryptography] Definition of Identity (was Re: key management guidelines)

Arshad Noor arshad.noor at strongauth.com
Sun Sep 5 14:06:22 EDT 2010

Ian G wrote:
> E.g., travis wants own identity in the PGP key.  Yet your definition 
> calls for capturing the identity of a newspaper.

The PGP key was designed to permit a given set of attributes.  If the
attributes are insufficient for a specific transaction's context, the
PGP key would be inappropriate for the OP's use-case.  The identity
(attributes) of the newspaper only have meaning in the context of
buying a newspaper.  If the vendor of the newspaper had a strange
requirement that he wants a PGP-signed message for home-delivery of
the newspaper, and if the OP had the inclination to acquiesce, then
the newspaper's identity and the identity attributes of the PGP key
have meaning in that transaction; otherwise they are irrelevant.

> We're now talking about identifiers and OOP and capabilities and 
> fundamentals of data, not what humans think of their "identity".

That is precisely the problem - that humans think of identity as some
abstract, meta-physical concept, when all it is is an aggregation of
attributes relevant to a transaction.

> It's a bit like defining Travis's identity as the set of actions that 
> erupt from movements of the collection of atoms bounded by the clothing 
> barrier....

Not a set of actions - but a set of attributes.  Isn't all matter
just a collection of atoms, that when aggregated and when capable of
exhibiting specific properties, we humans identify them with a name?
Why do we call the combination of 2 hydrogen atoms and 1 oxygen atom
water, steam, ice and snow?  Because of their attributes.  They are
the same atoms, but within a specific context, they have different
attributes and, thus, different identities.

> OpenPGP can still do that, but it misses the point by a layer or two. We 
> do not have a way to capture a bundle of attributes and make them 
> perform as per OPs desires.  x.509 insists there is no bundle, or it 
> insists there is only an unchanging official bundle (CN, C, etc), so its 
> simplifications make it intractable in practice.

Perhaps OpenPGP is not the solution to the OP's problem - although
with the right supporting infrastructure, it could be.  X509 digital
certificates have some of that support infrastructure and thus, go
beyond OpenPGP.  But, to truly solve a business problem, you need
more than either PGP or digital certificates - you also need a
mechanism that takes "identity" attributes from all relevant parties,
processes business rules and makes a decision about the transaction:
i.e. an authorization mechanism.

Arshad Noor
StrongAuth, Inc.

More information about the cryptography mailing list