Re: when a fraud is a sale, Re: Rubber hose attack
not completely. except for some of the "know your customer rules" a financial institution doesn't have to identify you ... they only have to authenticate that you are the person authorized to transact with the account; aka

1) I come in and open a brand-new account and deposit a whole lot of money.

2) they give me a card with possibly PIN which is the only way that is enabled for authorized transactions. They may also record some number of shared secrets as a fall-back position (some of the shared-secrets may involve identity information ... but that is more of a memory mnemonic, I know people that register almost random shared-secrets that have no relationship to their identity).

No identity is involved. Governments may require identity for other reasons ... but it is possible to establish that it is the entity authorized to make transactions w/o requiring any identification (using purely authentication). That is not to say that there are various kinds of fraud involving things like identity theft ... but it is possible to authenticate transactions w/o requiring identity.

There are some other issues with some infrastructures involving trusted third parties (TTPs). I've gone into some length with regard to the discussion of TTPs and domain name web server certificates ... aka http://www.garlic.com/~lynn/subtopic.html#sslcerts where, in effect because of concerns over the integrity of the domain name infrastructure, digital certificates have been introduced. Note however, TTPs normally are not the recognized authoritative entity with regard to domain names; TTPs just "certify" that they've checked with the authoritative entity with regard to whatever they are certifying when they manufacture the digital certificate. Now, who is the authoritative entity for domain name information that TTPs check with when they are manufacturing a domain name web server certificate? It is the domain name infrastructure.

As a result of integrity concerns there are also integrity concerns with regard to the domain name infrastructure from TTPs (because they effectively rely on the same authoritative agencies that people are concerned about with regard to normal operation). Now the interesting part is that there are proposals that would fix the integrity problems of the authoritative domain name agency ... the domain name infrastructure. However, if those proposals were implemented, it would also correct integrity concerns regarding the domain name infrastructure for the rest of the world ... eliminating the desire they have to have domain name web server certificates as a means of compensating for the integrity issues with the domain name infrastructure (which is also the authoritative agency for domain names that the TTPs check with in order to certify domain names in manufactured certificates).

[EMAIL PROTECTED] on 11/05/2001 10:01 AM wrote:

I think you have nailed it on the head. When authentication is viewed as the "first link" in the chain instead of identification. The problem with all authentication technologies in use today from biometrics to PKI to digital certs, all finesse the identification process and push it off to some "trusted" third party...all without clearly defining what that third party must bring to the table.

John

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
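The account model in the post above (open an account, get a card plus PIN, register a few fallback shared secrets, and never be asked for identity) as an added example in Python. This is not code from the original post or from any institution; the Bank class, card numbers, PIN, fallback prompts, PBKDF2 iteration count and lockout limit are all constructed or assumed for illustration. The only question the store can answer is "does this request come from whoever holds the account's credentials", which is the authentication-without-identification the post describes.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERS = 50_000   # assumed: slow, salted hash so a stolen verifier does not yield the PIN
MAX_FAILURES = 3        # assumed: consecutive bad attempts before the card is locked


def derive(secret: str, salt: bytes) -> bytes:
    """Stored verifier for a PIN or shared secret (never the secret itself)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERS)


def normalize(answer: str) -> str:
    """Fallback answers are memory aids, so ignore case and stray whitespace."""
    return " ".join(answer.lower().split())


@dataclass
class Account:
    card: str                                  # names the account, not a person
    pin_salt: bytes
    pin_verifier: bytes
    fallback: Dict[str, Tuple[bytes, bytes]]   # prompt -> (salt, verifier); prompts are arbitrary
    balance: int
    failures: int = 0
    locked: bool = False


class Bank:
    """Authorizes transactions by credential alone; stores no identity attributes."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def open_account(self, pin: str, fallback_secrets: Dict[str, str], deposit: int) -> str:
        """Steps 1 and 2 of the post: take a deposit, hand back a card + PIN, record fallbacks."""
        card = secrets.token_hex(8)           # constructed stand-in for a card number
        pin_salt = os.urandom(16)
        fallback = {}
        for prompt, answer in fallback_secrets.items():
            salt = os.urandom(16)
            fallback[prompt] = (salt, derive(normalize(answer), salt))
        self._accounts[card] = Account(card, pin_salt, derive(pin, pin_salt), fallback, deposit)
        return card

    def _record(self, acct: Account, ok: bool) -> bool:
        """Track consecutive failures and lock the card when the limit is hit."""
        if ok:
            acct.failures = 0
        else:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
        return ok

    def authenticate_pin(self, card: str, pin: str) -> bool:
        """Primary path: possession of the card plus knowledge of the PIN."""
        acct = self._accounts.get(card)
        if acct is None or acct.locked:
            return False
        ok = hmac.compare_digest(derive(pin, acct.pin_salt), acct.pin_verifier)
        return self._record(acct, ok)

    def authenticate_fallback(self, card: str, answers: Dict[str, str]) -> bool:
        """Fallback path: every registered shared secret must be answered correctly."""
        acct = self._accounts.get(card)
        if acct is None or acct.locked:
            return False
        ok = True
        for prompt, (salt, verifier) in acct.fallback.items():
            given = normalize(answers.get(prompt, ""))
            # check every secret rather than stopping early, so response time
            # does not reveal which answer was wrong
            ok &= hmac.compare_digest(derive(given, salt), verifier)
        return self._record(acct, ok)

    def is_locked(self, card: str) -> bool:
        acct = self._accounts.get(card)
        return acct is not None and acct.locked

    def withdraw(self, card: str, pin: str, amount: int) -> Optional[int]:
        """Debit the account if the PIN authenticates; returns the new balance or None."""
        if amount <= 0 or not self.authenticate_pin(card, pin):
            return None
        acct = self._accounts[card]
        if acct.balance < amount:
            return None
        acct.balance -= amount
        return acct.balance


if __name__ == "__main__":
    bank = Bank()
    # constructed sample: the fallback secrets deliberately carry no identity information
    card = bank.open_account("4921", {"first pet": "Rex", "token word": "lantern-7"}, 1000)
    print(bank.withdraw(card, "4921", 300))
    print(bank.authenticate_fallback(card, {"first pet": "rex", "token word": "Lantern-7"}))
```

Nothing in Account can be used to find out who the holder is; the institution can still refuse a transaction (wrong PIN, locked card, insufficient balance) and still prove that whoever transacted held the credentials. Governments' "know your customer" demands, as the post notes, would be a separate record kept for other reasons, not an input to authorization.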
Re: when a fraud is a sale, Re: Rubber hose attack
At 11:01 AM 11/5/2001, [EMAIL PROTECTED] wrote:
>The problem with all authentication technologies in use today from
>biometrics to PKI to digital certs, all finesse the identification process
>and push it off to some "trusted" third party...all without clearly
>defining what that third party must bring to the table.

Perhaps this is why I'm expecting PKI to flourish primarily within enterprises that run their own CAs as opposed to third parties, at least in the near term.

Although a few third party credit card vendors got things started decades ago, credit cards didn't really blossom until after a period in the '60s and '70s during which many/most individual enterprises issued their own cards. This allowed the enterprises to learn by themselves what the costs, risks, and rewards were. They had the opportunity to decide for themselves what risks to take and directly experience the results. Only after the enterprises developed this internal awareness of the real implications of such cards could they understand the system well enough to know what it meant to sign up with Visa, MC, or one of the other big names.

At least, that's my reading of the history, and how it might apply to PKI or other authentication technologies. It seems to me that the concept of identity is application specific (and thus enterprise specific in a sense), which makes it tricky for an 'authentication vendor' to try to provide a general 'identity' solution except maybe through 'AAA' products.

Rick.
[EMAIL PROTECTED]
roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/