Re: A National ID: AAMVA's Unique ID
- Original Message - From: John Gilmore [EMAIL PROTECTED] [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, June 17, 2004 10:31 AM Subject: Re: A National ID: AAMVA's Unique ID The solution then is obvious, don't have a big central database. Instead use a distributed database. Our favorite civil servants, the Departments of Motor Vehicles, are about to do exactly this to us. They call it Unique ID and their credo is: One person, one license, one record. They swear that it isn't national ID, because national ID is disfavored by the public. But it's the same thing in distributed-computing clothes. I think you misunderstood my point. My point was that it is actually _easier_, _cheaper_, and more _secure_ to eliminate all the silos. There is no reason for the various silos, and there is less reason to tie them together. My entire point was to put my entire record on my card, this allows faster look-up (O(1) time versus O(lg(n))), greater security (I control access to my record), it's cheaper (the cards have to be bought anyway), it's easier (I've already done most of the work on defining them), and administration is easier (no one has to care about duplication). This sure smells to me like national ID. I think they are drawing the line a bit finer than either of us would like. They don't call it a national ID because it being a national ID means that it would be run by the federal government, being instead run by state governments, it is a state ID, linked nationally. As I said in the prior one, I disagree with any efforts to create forced ID. This, like the MATRIX program, is the brainchild of the federal Department of inJustice. But those wolves are in the sheepskins of state DMV administrators, who are doing the grassroots politics and the actual administration. It is all coordinated in periodic meetings by AAMVA, the American Association of Motor Vehicle Administrators (http://aamva.org/). Draft bills to join the Unique ID Compact, the legally binding agreement among the states to do this, are already being circulated in the state legislatures by the heads of state DMVs. The idea is to sneak them past the public, and past the state legislators, before there's any serious public debate on the topic. They have lots of documents about exactly what they're up to. See http://aamva.org/IDSecurity/. Unfortunately for us, the real documents are only available to AAMVA members; the affected public is not invited. Robyn Wagner and I have tried to join AAMVA numerous times, as freetotravel.org. We think that we have something to say about the imposition of Unique ID on an unsuspecting public. They have rejected our application every time -- does this remind you of the Hollywood copy-prevention standards committees? Here is their recent rejection letter: Thank you for submitting an application for associate membership in AAMVA. Unfortunately, the application was denied again. The Board is not clear as to how FreeToTravel will further enhance AAMVA's mission and service to our membership. We will be crediting your American Express for the full amount charged. Please feel free to contact Linda Lewis at (703) 522-4200 if you would like to discuss this further. Dianne Dianne E. Graham Director, Member and Conference Services AAMVA 4301 Wilson Boulevard, Suite 400 Arlington, VA 22203 T: (703) 522-4200 | F: (703) 908-5868 www.aamva.org http://www.aamva.org/ At the same time, they let in a bunch of vendors of high security ID cards as associate members. Well then create a High-Security ID card company, build it on the technology I've talked about. It's fairly simple, file the paperwork to create an LLC with you and Robyn, the LLC acquires a website, it can be co-located at your current office location, the website talks about my technology, how it allows the unique and secure identification of every individual, blah, blah, blah, get a credit card issued in the correct name. They'll almost certainly let you in, you'll look and smell like a valid alternative (without lying because you could certainly offer the technology), if you really want to make it look really good I'm even willing to work with you on filing a patent, something that they'd almost certainly appreciate. AAMVA, the 'guardians' of our right to travel and of our identity records, doesn't see how listening to citizens concerned with the erosion of exactly those rights and records would enhance their mission and service. Of course it won't, their mission and service is to offer the strongest identity link possible in the ID cards issued nation-wide, as such the citizen's course of action has to be to govern the states issuing these identication papers. However, if you offer them technology to actually make their mission and service cheaper, more effective, and as a side-benefit better for their voters. Besides, if you can't beat them (you
Re: A National ID: AAMVA's Unique ID
The solution then is obvious, don't have a big central database. Instead use a distributed database. Our favorite civil servants, the Departments of Motor Vehicles, are about to do exactly this to us. They call it Unique ID and their credo is: One person, one license, one record. They swear that it isn't national ID, because national ID is disfavored by the public. But it's the same thing in distributed-computing clothes. The reason they say it isn't a national ID is because it's 50 state IDs (plus US territories and Canadian provinces and Mexican states) -- but the new part is that they will all be linked by a continent-wide network. Any official who looks up your record from anywhere on the continent will be able to pull up that record. Anyplace you apply for a state license or ID card, they will search the network, find your old record (if you have one) and transfer it to that state. So there's no way to escape your past record, and no way to get two cards (in the absence of successful fraud, either by citizens or DMV employees). This sure smells to me like national ID. This, like the MATRIX program, is the brainchild of the federal Department of inJustice. But those wolves are in the sheepskins of state DMV administrators, who are doing the grassroots politics and the actual administration. It is all coordinated in periodic meetings by AAMVA, the American Association of Motor Vehicle Administrators (http://aamva.org/). Draft bills to join the Unique ID Compact, the legally binding agreement among the states to do this, are already being circulated in the state legislatures by the heads of state DMVs. The idea is to sneak them past the public, and past the state legislators, before there's any serious public debate on the topic. They have lots of documents about exactly what they're up to. See http://aamva.org/IDSecurity/. Unfortunately for us, the real documents are only available to AAMVA members; the affected public is not invited. Robyn Wagner and I have tried to join AAMVA numerous times, as freetotravel.org. We think that we have something to say about the imposition of Unique ID on an unsuspecting public. They have rejected our application every time -- does this remind you of the Hollywood copy-prevention standards committees? Here is their recent rejection letter: Thank you for submitting an application for associate membership in AAMVA. Unfortunately, the application was denied again. The Board is not clear as to how FreeToTravel will further enhance AAMVA's mission and service to our membership. We will be crediting your American Express for the full amount charged. Please feel free to contact Linda Lewis at (703) 522-4200 if you would like to discuss this further. Dianne Dianne E. Graham Director, Member and Conference Services AAMVA 4301 Wilson Boulevard, Suite 400 Arlington, VA 22203 T: (703) 522-4200 | F: (703) 908-5868 www.aamva.org http://www.aamva.org/ At the same time, they let in a bunch of vendors of high security ID cards as associate members. AAMVA, the 'guardians' of our right to travel and of our identity records, doesn't see how listening to citizens concerned with the erosion of exactly those rights and records would enhance their mission and service. Their mission appears to be to ram their secret policy down our throats. Their service is to take our tax money, use it to label all of us like cattle with ear-tags, and deny us our constitutional right to travel unless we submit to being tagged. We protest. Do you? John Gilmore - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: A National ID
Although I am against any national ID, at least as far terrorist identification goes (note that the Social Security Number that every American has IS a national ID card), I feel that a discussion on how to do it properly is a worthwhile endeavor. - Original Message - From: Peter Clay [EMAIL PROTECTED] Subject: Re: A National ID [T]he real danger is not the cards but the database for which they are a unique key. See just about every issue of RISKS for ways in which big national databases can go wrong. The solution then is obvious, don't have a big central database. Instead use a distributed database. I first suggested this concept some time ago on sci.crypt. It's very simple, use cryptography so we don't have to be concerned about duplication (although fraudulent acquisition of valid id would be an issue). Issue each person a Flash RAM card, on the card is biometric information, name, birthdate, etc, a Law Enforcement Only Field, and a signature across all the information, most importantly DO NOT print anything resembling what we currently see as an ID card (no picture, no drivers license number, etc) just print a name on the card for ease of card identification. At this point (assuming the cryptography is good) people can make as many copies as they'd like, it's not going to make any difference. The Law Enforcement Only Field (which I'll call LEAF for historical reasons) serves a unique purpose, it is either a random number, or an encrypted old identity. There are several possible reasons for the old identity; undercover police, witness protection, support for pseudo-nyms, etc. This field allows the police and only the police to identify undercover officers, and provides tracability back through the process to identify granting a new identity to someone. The most important part though is the search time required for verifying an ID. In the case of a giant central database it is O(log(n)) time, with the cryptographic ID it is O(1). This reduces the cost of the national overhead, while a database is still necessay for reissuing, and a new signing setup is required, the access requirements are reduced by several orders of magnitude. Further reduction comes from the ability of each police precinct to have their own local known database, as well as every bar/nightclub having their own banned list without the possibility of cross-corruption, because there is no direct link. This further increases the security because access to the main database can even be restricted to key personnel. This personnel access reduction will again lower the speed requirements for the central database, probably down to the point where a single Oracle server with a few Terabytes of disk space could easily handle the load (I come up with a horrible case size of about 300 Terabytes, and a minimum size of 70 gigabytes for storing only the signature and LEAF because everything else can be reconstructed). (Sizes assume 1MB maximum data set, and DSA/ECDSA with SHA-512) This would also have a knock-on effect of creating a small ID customization industry, because the ID can take any form-factor within certain reasonable bounds there is no reason that it cannot be as customizable as a cell-phone. As for security, this would put the citizen in general control of their information, and with the minimum database size used would give the citizen complete control over their own data. The additional overhead for the current law enforcement databases would be minimal, each entry would only be expanded by the size of the signature to mark the ID card. The invasiveness for your average citizen would be minimized because there is no chance of leakage between the big central database (which could be very small) and the corner market, because the central database does not have to be online. Now as to the level of cryptographic security that would be necessary for this. It is important to realize that the potential market for fraudulent ID of this caliber would be massive, so a multi-decade multi-trillion dollar effort to break the key is not unreasonable. This poses a risk of a magnitude that cryptanalysts really haven't dealt with. Even at the level of protecting the drivel from Shrub II, the possibility of a multi-decade, multi-trillion dollar is simply inconceivable, and it is important to remember that this signature has to remain secure not for a few years, or even a couple of decades, it has to remain secure for longer than the longest concievable lifespan for a human, which means 150 years (I've rounded up from the record), which is a timeframe that we cannot even conceive of at this time. A 100 trillion dollar, 150 year effort to break the security is simply beyond our ability to predict cryptographically, with Celerons at about $35 per GHz right now, that timeframe works out to approximately 2^95 (again being generous to the attacker), that already means that SHA-1 cannot be used simply because the workload is available
Re: A National ID
R. A. Hettinga wrote: If we're going to move to a national identification card, we can't afford to do it badly. Now is the time to figure out how to create a card that helps identify people but doesn't rob them of a huge swath of their civil liberties in the process. Just watch how the british do it - then don't do it that way. I am still trying to figure out how over a decade of terrorist bombings in mainland UK didn't justify introducing a national ID card - but the americans wanting biometric passports for visitors does. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: A National ID
On Mon, 31 May 2004, R. A. Hettinga wrote: in most European countries, people carry national ID's as a matter of course. And pressure is mounting in America for some kind of security card. Similarly, there is a push for ID cards in the UK at the moment. See http://www.stand.org.uk/ and http://www.no2id.net/ for more detail. No doubt the same arguments for and against apply on both sides of the Atlantic, and it would be good if activists were to share information. Note that the real danger is not the cards but the database for which they are a unique key. See just about every issue of RISKS for ways in which big national databases can go wrong. Pete -- Peter Clay | Campaign for _ _| .__ | Digital / / | | | Rights! \_ \_| | | http://www.ukcdr.org - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
