Re: [fw-wiz] The home user problem returns
From: Chris Blask (chris_at_blask.org)
To: "Paul D. Robertson" <firstname.lastname@example.org> Date: Tue, 13 Sep 2005 21:39:56 -0400
At 05:37 PM 9/13/2005, Paul D. Robertson wrote:
>On Tue, 13 Sep 2005, Chris Blask wrote:
> > Hey <again> Paul!
>My point is that identification is *hard*- it's a boundary problem, and we
>don't have a solid boundary. That means that abuse is easy- an attacker
>will just come through as someone else, so everyone will be "identified,"
>they just won't necessarily match their identification.
Parts of Identity need not be so hard to manage. I have not heard of
eBay having a huge problem with people stealing other users'
Identity, for example.
"Something you have, something you know." The "have" is the
computer, which you are correct to say can be compromised. The
"know" need not be so easily compromised.
> > Sorry, incorrectly stated: I'm willing to be responsible for knowing
> > who the real human is who has used my Identity service.
>But you don't- you know who's credentials were used, and that's it.
>That's pretty far from knowing who the user is.
If someone stores their "know" on the "have" (their computer) then
they have left their keys in the car. Insurance companies already
know how to deal with that - "sorry about the stolen car but it's
your fault therefore you are legally responsible for the loss. Have
a Nice Day."
To follow the analogy, we are the auto industry and we have yet to
tell people how to keep their keys and cars separate (or make it
reasonably possible to do), so it's hard to blame people when their
car is used in a drive-by...
>No, I'm not advocating doing nothing if it's not perfect, I'm saying that
>the proposal is lost because it has flaws that will surface more quickly
>than they can be fixed. Trojans have rendered that not workable until we
>tone down the Trojan problem, which is why this thread is important.
No doubt there are intertwined problems, here: not only are the cars
and keys kept together, but we've provided houses with no locks so
Folks can't even put their keys in the kitchen and be safe... Time
and experience (and sh*tloads of sweat) will let us fix the things we
need to fix so we can fix the things we want to fix...
I'm locked in Lifelong Reno Hell at home, for example: I put a floor
in one building this year but I needed to level it first, which in
turn required replacing supporting beams, which you can't get to
without ripping off a porch, in the process of which you drop a
backhoe in the septic. :). But there's a new floor there now,
wheelchair access where the porch was and I needed to replace that
bloody septic, anyway...
But if you take too long thinking about it the building just collapses....
> > If there aren't huge chunks of this problem that can be
> > digested easily (look at eBay), then the beer is on me... :~)
>The beer's on you anyway!
>Paul "I can identify a beer donor a mile away" Robertson
Didn't that "Sucker" tattoo on my forehead wear off by now...?
-chris "walked into another one" blask
Make things as simple as possible but no simpler.
- Albert Einstein
+1 416 358 9885
firewall-wizards mailing list