Re: [fw-wiz] The home user problem returns
From: Chris Blask (chris_at_blask.org)
To: "Paul D. Robertson" <firstname.lastname@example.org> Date: Tue, 13 Sep 2005 11:14:45 -0400
At 10:47 AM 9/13/2005, Paul D. Robertson wrote:
>On Mon, 12 Sep 2005, Chris Blask wrote:
> > The problem is that, without any sort of identity (and there is
> > exactly 0.0000% of net traffic using anything worth calling
> > identity), it is impossible to treat Identified traffic and Anonymous
> > traffic differently, as they logically deserve.
>Two words: Identity Fraud.
?! (I'll never see that again without thinking of Scooby Doo -
thanks, P Melson! ;~)
Not sure where you were going with that, but my point is that I (as a
network owner) can choose to treat Identified traffic with one (or
more) level of trust and Un-Identified traffic with another
(logically much lower) level of trust.
I have to correct my "0.0000%" comment, as well. There is actually
quite a lot of practical Identity being used on the net, *we* just
have not provided much of it. Anyone who buys and sells on eBay or
orders something online is using Identity to a level that is
acceptable to the other party. As long as the level of fraud in
these transactions is similar-to or lower-than the level of fraud in
non-net transactions, then the methods they are using are correct.
> > Decentralized, distributed responsibility. If I own an auth server
> > then I am responsible for the activities of those who use it. If I
>You're willing to be responsible for your user's behavior? After they're
Sorry, incorrectly stated: I'm willing to be responsible for knowing
who the real human is who has used my Identity service.
>Just like the encryption boundary problem that is the reason SSL is
>severely broken as a concept, the use of identity can't be done in a
>system that's not closed, and we don't have the methods, technologies or
>wherewithall to close the software, transport and physical endpoints
We use identity in the physical world in a way that allows us to
function, with all sorts of weaknesses in that identity process
(sure, put a picture on my credit card, no-one will look at it; my
Mother's Maiden Name, are you serious!?!)).
IMHO, the reaons we have no success as an industry in providing
Identity on the net is that we search for a "DNA-Sample" level of
verification. We don't do this in the real world but succeed in
moving trillions of dollars in assets back and forth every day. In
my own Living With Chaos view of the world, complex problems are
solved by dividing them into chunks until the pieces can be
digested. If there aren't huge chunks of this problem that can be
digested easily (look at eBay), then the beer is on me... :~)
I'm not good in groups. It's difficult to work in a group when you're
-Q, Star Trek
+1 416 358 9885
firewall-wizards mailing list