I am reminded of a passage from Buffy the Vampire Slayer. In the episode "Lie to Me":

    BILLY FORDHAM: I know who you are.
    SPIKE: I know who I am, too. So what?

My point here is that knowing who I am shouldn't be a crime, nor should it contribute to enabling any crime.

Suppose you know who I am. Suppose you know my date of birth, social security number, and great-great-grandmother's maiden name. As Spike said, so what? It's only a problem if somebody uses that _identifying_ information to spoof the _authorization_ for some transaction.

And that is precisely where the problem lies. Any system that lets _identification_ serve as _authorization_ is so incredibly broken that it is hard to even discuss it. I don't know whether to laugh or cry.

Identifying information cannot be kept secret. There's no point in trying to keep it secret. Getting a new SSN because the old one is no longer secret is like bleeding with leeches to cure scurvy ... it's completely the wrong approach.

The only thing that makes any sense is to make sure that all relevant systems recognize the difference between identification and authorization. Repeat after me: identification is not authorization. Identification is not authorization.

When people talk about authentication factors such as
  a) something I know
  b) something I have
  c) something I know
it is crucial to keep in mind that item (a) must be something I know _that other people don't know_. Identifying information doesn't qualify, and cannot possibly qualify.

My SSN is not a password. It lacks many of the properties that a password should have. Credit-card numbers, in practice, do little more than identify me and my account. They are not handled the way passwords should be handled.

Eliminating ludicrously broken authentication schemes is something we should work on. Password theft is something we should try to prevent. But when it comes to ID "theft", we should say: So what?

I've been saying this for years, but it seems timely to say it again.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
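The distinction the post insists on, identification versus authorization, as a small worked model. This is an added example, not code from the post or from any system it refers to: the account records, the SSN and date of birth used as "leaked" identifying data, and the device secret are all constructed here. It contrasts a check that treats identifying attributes as proof (the broken pattern) with one that first identifies the account and then demands something actually secret (a salted password hash) plus something the caller must possess (a single-use HOTP code, RFC 4226).

```python
"""Identification vs. authorization: a constructed worked model."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> int:
    """RFC 4226 HOTP: a code only the holder of the device secret can produce."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


class Account:
    """Identifying attributes (name, SSN, date of birth) are stored next to the
    real authenticators: a salted password hash and a per-device secret."""

    def __init__(self, name, ssn, dob, password, device_secret):
        self.name, self.ssn, self.dob = name, ssn, dob       # identifying: not secret
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.device_secret = device_secret                  # possession factor
        self.counter = 0                                    # HOTP moving factor


def identify(db, ssn):
    """Identification: find which account a claim refers to. Proves nothing."""
    return db.get(ssn)


def broken_authorize(db, ssn, dob):
    """The pattern the post criticises: identifying data accepted as proof.
    Anyone who knows the SSN and birth date passes this check."""
    acct = identify(db, ssn)
    return acct is not None and acct.dob == dob


def authorize(db, ssn, password, device_code):
    """Identify first, then authenticate with a real secret (password) and a
    possession factor (HOTP code); only then is the transaction authorized."""
    acct = identify(db, ssn)
    if acct is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False
    expected = hotp(acct.device_secret, acct.counter)
    if not hmac.compare_digest(str(device_code), str(expected)):
        return False
    acct.counter += 1  # each code is single-use: replaying it fails
    return True


def build_sample_db():
    """Constructed sample data (hypothetical person, SSN and device secret)."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, not a real device
    acct = Account("Pat Example", "123-45-6789", "1970-01-01", "correct horse", secret)
    return {acct.ssn: acct}


def demo():
    """Returns (broken_check, proper_check_without_secrets, proper_check_with_secrets, replay)."""
    db = build_sample_db()
    leaked_ssn, leaked_dob = "123-45-6789", "1970-01-01"   # identifying info only
    broken = broken_authorize(db, leaked_ssn, leaked_dob)
    no_secrets = authorize(db, leaked_ssn, "guess", 0)
    acct = db[leaked_ssn]
    code = hotp(acct.device_secret, acct.counter)          # from the holder's device
    proper = authorize(db, leaked_ssn, "correct horse", code)
    replay = authorize(db, leaked_ssn, "correct horse", code)
    return broken, no_secrets, proper, replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The knowledge of the SSN and date of birth on its own satisfies broken_authorize, which is exactly the failure the post describes; the same knowledge gets nowhere against authorize, because identification only selects the record and the decision rests on factors that are secret or physically held.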