-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Denker
Sent: 1 July 2004 14:27
To: [EMAIL PROTECTED]
Cc: Ian Grigg
Subject: Re: authentication and authorization (was: Question on the state of the security industry)

> 1) For starters, "identity theft" is a misnomer. My identity
> is my identity, and cannot be stolen. The current epidemic
> involves something else, namely theft of an authenticator ...

Identity has many meanings. In a typical dictionary you will find several definitions for the word identity. When we are talking about information systems, we usually talk about a digital identity, which has other meanings as well. If you are in the field of psychology, philosophy, or computer science, identity won't mean the same thing.

One definition that relates to computer science that I like is the following: "the individual characteristics by which a thing or person is recognized or known". A digital identity is usually composed of a set of identifiers (e.g. Unix ID, email address, X.500 DN, etc.) and other information associated with an entity (an entity can be an individual, a computer machine, a service, etc.). "Other information" may include usage profiles, employee profiles, security profiles, cryptographic keys, passwords, etc.

Identity can be stolen in the sense that this information can be copied, revealed to someone, and that someone can use it in order to identify and authenticate himself to a system and get authorization to access resources he wouldn't normally be allowed to.

The following document has a nice diagram on the first page of appendix A:
http://www.ec3.org/Downloads/2002/id_management.pdf

I came up with a similar diagram for a presentation I recently gave, but instead of talking about primary and secondary identifying documents I mention primary and secondary identifying information in general, and I also have an "identifiers" circle situated beside the bigger circle, containing identifiers that belong to an entity but are not linkable to the entity (talking about nyms and pseudonyms).

Recall that there are basically 3 types of authentication: individual authentication (such as via biometrics, where you use primary identifying information to authenticate someone), identity authentication (where the identity may or may not be linkable to an individual), and attribute authentication (where you need to reveal nothing more than the possession of a certain attribute, such as can be done with Stefan Brands' digital credentials).

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
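The distinction Anton draws between identity authentication and attribute authentication is easiest to see in terms of what the verifier actually learns. The Python below is an added illustration, not code from the list thread and not Stefan Brands' scheme: it builds a toy selective-disclosure credential in which the issuer authenticates a list of salted hash commitments to attributes and the holder later opens only the commitments it chooses. Presenting `employee_id` is identity authentication; presenting only `over_18` is attribute authentication. Assumptions: the issuer's HMAC key stands in for a digital signature and is shared with the verifier (issuer and verifier are the same party); the attribute names and the sample holders are constructed. The `linkable` check shows the caveat: because the commitment list is identical in every presentation, two showings can be tied together, which is precisely what Brands-style credentials fix and this toy does not.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the issuer's MAC key stands in for its signing key, and the
# verifier holds the same key (issuer and verifier are the same party).
ISSUER_KEY = secrets.token_bytes(32)


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted hash commitment to one attribute; the salt hides low-entropy values."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def _tag(commitments: dict, key: bytes) -> str:
    """Issuer authentication tag over the canonical commitment list."""
    body = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_credential(attributes: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Issuer: commit to every attribute with a fresh salt and MAC the commitment list.

    The holder keeps the attribute values and salts; only the commitments and
    the tag are ever shown to a verifier.
    """
    salts = {k: secrets.token_bytes(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    return {
        "commitments": commitments,
        "tag": _tag(commitments, issuer_key),
        "_holder_secret": {"attributes": dict(attributes), "salts": salts},
    }


def present(credential: dict, disclose) -> dict:
    """Holder: open only the named commitments. Everything else stays hidden."""
    sec = credential["_holder_secret"]
    return {
        "commitments": dict(credential["commitments"]),
        "tag": credential["tag"],
        "disclosed": {k: (sec["attributes"][k], sec["salts"][k].hex()) for k in disclose},
    }


def verify_presentation(pres: dict, issuer_key: bytes = ISSUER_KEY):
    """Verifier: check the issuer tag, then reopen each disclosed commitment.

    Returns the dict of attributes the verifier has actually learned, or None
    if the tag or any opening does not check out.
    """
    if not hmac.compare_digest(_tag(pres["commitments"], issuer_key), pres["tag"]):
        return None
    learned = {}
    for name, (value, salt_hex) in pres["disclosed"].items():
        expected = pres["commitments"].get(name)
        try:
            actual = commit(name, value, bytes.fromhex(salt_hex))
        except ValueError:  # malformed salt
            return None
        if expected is None or not hmac.compare_digest(actual, expected):
            return None
        learned[name] = value
    return learned


def linkable(p1: dict, p2: dict) -> bool:
    """Two presentations can be tied to one credential when their commitment lists match.

    In this toy they always match, so even attribute authentication is linkable
    across verifiers; that unlinkability is what Brands-style credentials add.
    """
    return p1["commitments"] == p2["commitments"]


if __name__ == "__main__":
    # Constructed sample holder.
    alice = issue_credential({"name": "Alice Example", "employee_id": "E-1234", "over_18": "yes"})
    # Identity authentication: the verifier learns who the holder is.
    print("identity:", verify_presentation(present(alice, ["employee_id"])))
    # Attribute authentication: the verifier learns only that the holder is over 18.
    print("attribute:", verify_presentation(present(alice, ["over_18"])))
    # A holder who is not over 18 cannot forge the attribute: the opening fails.
    bob = issue_credential({"name": "Bob Example", "over_18": "no"})
    forged = present(bob, ["over_18"])
    forged["disclosed"]["over_18"] = ("yes", forged["disclosed"]["over_18"][1])
    print("forged:", verify_presentation(forged))
```

Running it prints the employee id for the identity presentation, only `{'over_18': 'yes'}` for the attribute presentation, and `None` for the forged one. Swapping the HMAC for a real signature (issuer private key, verifier public key) changes nothing in the disclosure logic; what it does not buy you is unlinkability, which needs a scheme where each showing is randomised.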