Re: X.509 and ssh

Ken Johanson wrote:
If you can't answer to (but only delete and ignore) the obvious questions that were posed to you, then there is no conversation to be had.

And you are *still* referring to what was, instead of now, and distorting things merely to support your side (statements like "grossly overloaded" and "was redundant and superfluous" (again without an example) which are as much balderdash as saying that your driver's license is overloaded just because it makes you accountable and traceable to everyday people you may encounter).

If you don't like it, then don't use certs. For now, they're optional -- (unlike your driver's license)... even though they are far and away and growing as the most used system for secure internet protocols, whether issued by the CAs that you despise, or by your own personal CA.

re: X.509 and ssh

so the stale, static, offline credential, certificate, license, diploma, letters of credit, letters of introduction methodology have served a useful business requirement in the physical world for centuries, namely providing a mechanism to represent some information to relying parties who have had no other mechanisms for accessing the actual information.

digital certificates are just electronic analogs of their physical world counterparts, meeting the same business requirements ... namely providing a mechanism to represent some information to relying parties who have had no other mechanisms for accessing the actual information.

so in the mid-90s there were efforts looking at chip-based, digital certificate-based driver's licenses ... as a higher valued implementation for better trust and operation.

however, it ran into some of the similar retrenchments that faced x.509 identity certificates ... even the physical driver's license contains unnecessary privacy information ... like date-of-birth, creating identity theft vulnerabilities.

the other value proposition justification was that high value business processes .... like interaction with police officers supposedly could be better trusted using the higher value and higher integrity chip-based driver licenses incorporating digital certificate technology.

however, police officers at that time were already in transition to much higher value online transactions. rather than simply relying on the information in a driver's license ... the driver's license simply provided an index into the online repository ... and the police officer used it to do realtime, online accesses to the online repository, retrieving realtime information for authenticating and otherwise validating the entity they were supposedly dealing with. Any information (other than the simple repository lookup value) in the driver's license became redundant and superfluous.

All the higher value driver license related operations, were moving to online, realtime operation ... leaving any information content requirements for driver licenses to no-value operations that couldn't justify an online operation.

If you are faced with a situation where the driver's license has a very defined use (say a trivial barcode to index a repository that contains your complete history and numerous biometric mechanisms for validating who you are) ... then any additional feature of a driver's license for use in no-value operations ... needs to be financially justified by the no-value operations (since they are redundant and superfluous for all the higher value business processes that can justify doing realtime online operations).

The online characteristic can also be used to help address some of the existing identity theft vulnerabilities related to driver's licenses. For instance, an individual can authorize ... in a manner similar to how they might digitally sign an x9.59 transaction

.... a transaction that answers yes/no to whether they are at least 21 years old. the actual birth-date never has to be divulged ... the certification authority just responds yes/no in a manner similar to how certification authorities respond approved/declined to existing realtime, online financial transactions.

This is sort of the set of "FAST" transaction proposals by FSTC

that could even ride the same 8583 rails as existing financial transactions ... but in a manner similar to answer yes/no to financial transactions (w/o disclosing things like current account balance or transaction history) ... could answer yes/no to other kinds of certifications.

some other past posts mentioning the digital certificate model for drivers licenses from the mid-90s ... and why it sort of evaporated:

AADS, X9.59, & privacy
AADS NWI and XML encoded X9.59 NWI
Merchant Comfort Certificates
"Gurard against Identity Theft" (arrived in the post today)
Confusing business process, payment, authentication and identification
Online Certificate Revocation Protocol
AGAINST ID CARDS
AADS & X9.59 performance and algorithm key sizes
ALARMED ... Only Mostly Dead .... RIP PKI
ALARMED ... Only Mostly Dead .... RIP PKI ... part II
OCSP and LDAP
OCSP and LDAP
OCSP and LDAP
A Trial Balloon to Ban Email?
invoicing with PKI authentication and authorization ... addenda
Why Blockbuster looks at your ID
Another entry in the internet security hall of shame
Some thoughts on high-assurance certificates
California DMV
FREE X.509 Certificates
Is VeriSign lying???
voice encryption box (STU-III for the masses)
Certificate Authentication Issues in IE and Verisign
A new e-commerce security proposal
Help! Good protocol for national ID card?
Are ssl certificates all equally secure?
Cirtificate Authorities 'CAs', how curruptable are they to
Drivers License required for surfing?
New Method for Authenticated Public Key Exchange without Digital Certificates
Maximum RAM and ROM for smartcards
Improving Authentication on the Internet
More Phishing scams, still no SSL being used
phishing web sites using self-signed certs
Mainframe Applications and Records Keeping?
The new High Assurance SSL Certificates
