I am reminded of a passage from Buffy the Vampire Slayer.
In the episode "Lie to Me":

  BILLY FORDHAM:  I know who you are.
          SPIKE:  I know who I am, too.  So what?

My point here is that knowing who I am shouldn't be a
crime, nor should it contribute to enabling any crime.
Suppose you know who I am.  Suppose you know my date of
birth, social security number, and great-great-grandmother's
maiden name.  As Spike said, so what?

It's only a problem if somebody uses that _identifying_
information to spoof the _authorization_ for some

And that is precisely where the problem lies.  Any
system that lets _identification_ serve as _authorization_
is so incredibly broken that it is hard to even discuss
it.  I don't know whether to laugh or cry.

Identifying information cannot be kept secret.  There's
no point in trying to keep it secret.  Getting a new
SSN because the old one is no longer secret is like
bleeding with leeches to cure scurvy ... it's completely
the wrong approach.  The only thing that makes any sense
is to make sure that all relevant systems recognize the
difference between identification and authorization.

Repeat after me:  identification is not authorization.
Identification is not authorization.

When people talk about authentication factors such as
  a) something I know
  b) something I have
  c) something I know
it is crucial to keep in mind that item (a) must be something
I know _that other people don't know_.  Identifying information
doesn't qualify, and cannot possibly qualify.  My SSN is not
a password.  It lacks many of the properties that a password
should have.

Credit-card numbers, in practice, do little more than
identify me and my account.  They are not handled the way
passwords should be handled.

Eliminating ludicrously broken authentication schemes is
something we should work on.  Password theft is something
we should try to prevent.  But when it comes to ID "theft",
we should say: So what?

I've been saying this for years, but it seems timely to say
it again.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to