Re: X.509 and ssh
- From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
- Date: Tue, 11 Apr 2006 17:35:39 -0600
Ken Johanson wrote:
If you can't answer to (but only delete and ignore) the obvious questions that were posed to you, then there is no conversation to he had.
And you are *still* referring to what was, instead of now, and distorting things merely to support your side (statements like "grossly overloaded" and "was redundant and superfluous" (again without an example) which are as much balderdash as saying that your drivers licensee being overloaded just because it makes you accountable and traceable to everyday people you may encounter).
If you don't like it, then don't use certs. For now, they're optional -- (unlike your drivers license)... even though they are far and away and growing as the most used system for secure internet protocols, whether issued by the CAs that you despise, or by your own personal CA.
http://www.garlic.com/~lynn/2006f.html#29 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#31 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#32 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#33 X.509 and ssh
http://www.garlic.com/~lynn/2006f.html#34 X.509 and ssh
so the stale, static, offline credential, certificate, license, diploma, letters of credit, letters of introduction methodology have served a useful business requirement in the physical world for centuries, namely providing a mechanism to represent some information to relying parties who have had no other mechanisms for accessing the actual information.
digital certificates are just electronic analogs of their physical world counterparts, meeting the same business requirements ... namely providing a mechanism to represent some information to relying parties who have had no other mechanisms for accessing the actual information.
so in the mid-90s there were efforts looking at chip-based, digital certificate-based driver's licenses ... as a higher valued implementation for better trust and operation.
however, it ran into some of the similar retrenchments that faced x.509 identity certificates ... even the physical drivers license contain unnecessary privacy information ... like date-of-birth, creating identity theft vulnerabilities.
the other value proposition justification was that high value business processes .... like interaction with police officers supposedly could be better trusted using the higher value and higher integrity chip-based driver licenses incorporating digital certificate technology.
however, police officers at that time were already in transition to much higher value online transactions. rather than simply relying on the information in a driver's license ... the driver's license simply provided an index into the online repository ... and the police officer used it to do realtime, online accesses the online respository, retrieving realtime information for authenticating and other wise validating the entity they were supposedly dealing with. Any information (other then simple repository lookup value) in the drivers license, became redundant and superfluous.
All the higher value driver license related operations, were moving to online, realtime operation ... leaving any information content requirements for driver licenses to no-value operations that couldn't justify an online operation.
If you are faced with a situation where the driver license has very defined use (say a trivial barcode to index a repository that contains your complete history and numerous biometric mechanisms for validating who you area) ... then any additional feature of a drivers license for use in no-value operations ... needs to be financially justified by the no-value operations (since they are redundant and superfluous for all the higher value business processes that can justify doing realtime online operations).
The online characteristic can also be used to help address some of the existing identity theft vulnerabilities related to driver's license. For instance, an individual can authorize ... in a manner similar to how they might digitally sign an x9.59 transaction
.... a transaction that answers yes/no to whether they are at least 21 years old. the actual birth-date never has to be divulged ... the certification authority just responds yes/no in a manner similar to how certification authorities response approved/declined to existing realtime, online financial transactions.
This is sort of the set "FAST" transaction proposals by FSTC
that could even ride the same 8583 rails as existing financial transactions ... but in a manner similar to answer yes/no to financial transactions (w/o disclosing things like current account balance or transaction history) ... could answer yes/no to other kinds of certifications.
some other past posts mentioning the digital certificate model for drivers licenses from the mid-90s ... and why it sort of evaporated.
http://www.garlic.com/~lynn/98.html#41 AADS, X9.59, & privacy
http://www.garlic.com/~lynn/aepay2.htm#position AADS NWI and XML encoded X9.59 NWI
http://www.garlic.com/~lynn/aepay4.htm#comcert5 Merchant Comfort Certificates
http://www.garlic.com/~lynn/aepay6.htm#itheft "Gurard against Identity Theft" (arrived in the post today)
http://www.garlic.com/~lynn/aepay12.htm#3 Confusing business process, payment, authentication and identification
http://www.garlic.com/~lynn/aadsm5.htm#ocrp3 Online Certificate Revocation Protocol
http://www.garlic.com/~lynn/aadsm7.htm#idcard AGAINST ID CARDS
http://www.garlic.com/~lynn/aadsmail.htm#liability AADS & X9.59 performance and algorithm key sizes
http://www.garlic.com/~lynn/aadsm11.htm#37 ALARMED ... Only Mostly Dead .... RIP PKI
http://www.garlic.com/~lynn/aadsm11.htm#38 ALARMED ... Only Mostly Dead .... RIP PKI ... part II
http://www.garlic.com/~lynn/aadsm13.htm#1 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#4 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm13.htm#5 OCSP and LDAP
http://www.garlic.com/~lynn/aadsm14.htm#13 A Trial Balloon to Ban Email?
http://www.garlic.com/~lynn/aadsm15.htm#1 invoicing with PKI
http://www.garlic.com/~lynn/aadsm17.htm#47 authentication and authorization ... addenda
http://www.garlic.com/~lynn/aadsm19.htm#48 Why Blockbuster looks at your ID
http://www.garlic.com/~lynn/aadsm20.htm#42 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm21.htm#20 Some thoughts on high-assurance certificates
http://www.garlic.com/~lynn/2001.html#62 California DMV
http://www.garlic.com/~lynn/2001f.html#77 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001k.html#6 Is VeriSign lying???
http://www.garlic.com/~lynn/2001l.html#29 voice encryption box (STU-III for the masses)
http://www.garlic.com/~lynn/2001n.html#56 Certificate Authentication Issues in IE and Verisign
http://www.garlic.com/~lynn/2002m.html#20 A new e-commerce security proposal
http://www.garlic.com/~lynn/2002n.html#40 Help! Good protocol for national ID card?
http://www.garlic.com/~lynn/2002o.html#10 Are ssl certificates all equally secure?
http://www.garlic.com/~lynn/2002p.html#9 Cirtificate Authorities 'CAs', how curruptable are they to
http://www.garlic.com/~lynn/2003m.html#21 Drivers License required for surfing?
http://www.garlic.com/~lynn/2004i.html#4 New Method for Authenticated Public Key Exchange without Digital Certificates
http://www.garlic.com/~lynn/2005g.html#34 Maximum RAM and ROM for smartcards
http://www.garlic.com/~lynn/2005i.html#33 Improving Authentication on the Internet
http://www.garlic.com/~lynn/2005l.html#32 More Phishing scams, still no SSL being used
http://www.garlic.com/~lynn/2005t.html#6 phishing web sites using self-signed certs
http://www.garlic.com/~lynn/2005u.html#37 Mainframe Applications and Records Keeping?
http://www.garlic.com/~lynn/2006.html#37 The new High Assurance SSL Certificates
- Re: X.509 and ssh
- From: Ken Johanson
- Re: X.509 and ssh
- Prev by Date: Re: X.509 and ssh
- Next by Date: Re: X11 display forwarding
- Previous by thread: Re: X.509 and ssh
- Next by thread: Re: X.509 and ssh