Practice Cryptography!

Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.

Friday, March 03, 2006

 

Context and relationship identity

I was thinking, today... and I realized something that should have been fairly obvious, but which isn't. A given identity is tied to the context it is used within... so the certified relationship is between the identity-holder and the context, not one identity-holder to another. This has some fairly important implications, and answers a lot of unsolved issues, notwithstanding the problems that I discussed in an earlier entry.

First, a person's legal identity is tied to the legal context. This means that it's the legal context that is responsible for changing any identifying information (such as name, address, national ID number, what have you)... but the legal context keeps track of those changes so that one may be able to change aspects of their identity's tied information, but not their core identity.

This allows others in the legal context to 'trust' that the identity presented is verifiable and useful for creating relationships within the legal realm (such as contracts).

In the same way, the relationship between an identity and an organization is what can be certified -- thus, the organization itself controls the context. This certification is what allows one member of the organization to be able to strongly identify another member of the organization... at least as far as authentication can go. (Usernames and passwords used to log into a MUD which has a certifying authority that signs public-key certificates... it's the problem of usernames and passwords being much less secure than cryptography, and security is only as strong as its weakest link.)

A problem with current certificate mechanisms, though, is 'information leakage' -- if I can cryptographically prove that I am the owner of a given credit card, and electronically sign a charge slip, does the merchant I'm doing business with /really/ need to know my address? Or bank account number? Or mortgage information? Identity theft is a lot easier when one has access to a lot more information, and since realistically nothing's going to change in the next 15 years, I want a solution that allows for that information to be hidden from people who don't need it, while simultaneously allowing for it to be selectively unhidden when circumstances warrant.
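One way to get the hide-by-default, reveal-on-demand property described above is for the certifying context to sign salted hashes of each attribute rather than the attributes themselves. The sketch below is an added example, not something proposed in this post; the function names, the sample holder data and the HMAC stand-in for the issuer's public-key signature are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC stands in for the issuer's public-key signature so the example
# runs on the standard library; a real merchant would verify with a public key.
ISSUER_KEY = b"constructed-demo-issuer-key"

def _commit(name, value, salt):
    # The salted hash binds the issuer to the value without revealing it.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    msg = "\n".join(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer (the context): commit to every attribute, sign only the commitments."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    digests = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    return {"digests": digests, "sig": _sign(digests)}, salts  # salts stay with the holder

def present(credential, attributes, salts, reveal):
    """Holder: disclose only the named attributes, each with its salt."""
    disclosed = {n: [salts[n], attributes[n]] for n in reveal}
    return {"credential": credential, "disclosed": disclosed}

def verify(presentation):
    """Verifier: check the signature, then match each disclosed value to a signed
    commitment. Returns the verified attributes, or None on any failure."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], _sign(cred["digests"])):
        return None
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _commit(name, value, salt) not in cred["digests"]:
            return None
        verified[name] = value
    return verified

# Constructed sample data, not real account details.
HOLDER = {"card_owner": "A. Example", "address": "1 Constructed St",
          "bank_account": "000-CONSTRUCTED"}

def demo():
    cred, salts = issue(HOLDER)
    shown = present(cred, HOLDER, salts, reveal=["card_owner"])
    return verify(shown), shown
```

The merchant receives three opaque digests and one opened attribute; the address and bank account can be opened later by handing over their salts, without the issuer re-signing anything.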
