- From: Ian Grigg <iang AT systemics.com>
- To: Russell Smith <mr-russ AT pws.com.au>
- Cc: cacert-policy AT lists.cacert.org
- Subject: Re: [CAcert-Policy] What's the name for?
- Date: Tue, 26 Jul 2005 19:37:13 +0100
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
On Friday 22 July 2005 09:59, Russell Smith wrote:
> > 1. what is the best way to 'identify' people?
> To know them for a longer period of time. But even that is not certain.
> There aren't really any
> 'best' ways to identify people.
OK. So should "knowing them for a longer period
of time" be entered into the CAcert process?
And, if we get this far can we establish that, as a
principle, there is no 'best' way to identify people,
as time is not something we can hurry?
And therefore, we do not guarantee that we've
proven the identity of anyone, because such is
an impossible statement?
The reason for this tortuous introspection is that
it then clears the way for establishing different levels
of surety or risk. Without that we are stuck with the
myth of all CAs being equal, and all certs being
equal, and every day being Christmas.
> > 2. who can get access to this information?
> Only the people who collect it (assurers), the person who supplied it and
> people with physical server access.
>
> The only information kept (Except for TTP) is Name and date of birth.
> Assurers have types of ID used, which is basically pointless for useful
> information.
> Everybody knows the types of ID another person is likely to have.
So nobody else is capable of auditing the process
conducted by the Assurers?
What happens when Head Office decides to
check randomly the assuring of some subscribers?
What happens when the spooks finger Mr lin Baden
as a bad guy, and the office in deepest darkest
Klapistan declines to answer as to what copies of
the ID used it has, and how it was checked?
> > 3. what can we do to protect it?
> I'm not sure how much information there is to 'protect' for Web of Trust.
Duane covered this - Name, Address, DOB are all
good and useful for Identity Theft, the current top
of the pops that's sweeping America.
> For code signing certificates and TTP forms, there is physical security of
> documents which I have asked questions about before. How secure are our
> Date of Birth and Name anyway?
Not very. But the current climate doesn't make that
much of an excuse; the current thinking is that if you
don't have a need for data you shouldn't store it.
> I'm not sure of the physical server protection, apart from what is written
> about server compromise and security there.
(That side seems to have been addressed.)
> > 4. in what forms does the info exist and what are
> > the regimes for each piece of info?
> Info on Web of Trust form (Name, Date of Birth, Types of ID presented)
> Only Assurer has these, unless sent to CAcert
OK. Is the assurer listed anywhere? Ah, yes I see
you say below he is listed on the website.
> Info on Website (Name, Date of Birth, Various information about who assured
> me and how many points they gave). Protected by server security.
> Info at CAcert offices (Photocopies of IDs, Information available from
> Website). Protected by ?. Which I have asked about.
>
> I can't think of any other form of information existing.
There is also the list of certificates issued by each
person, and the list of people that Assured.
> > So let's say I'm an attacker and I want to get the scoop on
> > someone. How would I do that? Become an assessor and
> > just access the database? Bribe an insider to reveal it to
> > me?
> The only information available to an assurer is what you see when you meet
> a person, or their name and DOB if you know the email and
> you are an assurer.
>
> 1. Become an assurer. Convince the person who you assure to let you copy
> the entirety of their ID's information down or photocopy it.
> 2. Bribe one of the CAcert Office administrators to give you information.
> 3. Break in and steal information from the CAcert office
>
> 1 is likely to get you as much information, probably less than simply
> stealing somebody's wallet. (You should look into pick-pocketing)
1 is a great start to identity theft. In America, what a person
has with them or is in their head can be used to acquire a
credit relationship that would buy a new car for example.
1.b Another possibility is to *pretend* to be an assurer. How do
I know that you are really an Assurer from CAcert?
> 2 & 3 is likely to get you more information if people have sent a copy of
> their passport information in. This is a little dangerous. Physical
> security as always is important here.
>
> If you really wanted gain, you wouldn't steal info about a person, you
> would get the root private key and start impersonating people.
4. OK, so this is the classical weakness of CAs. Steal the
root key and take over all the identities. I'm guessing this
one is covered.
Good stuff!
iang
--
Advances in Financial Cryptography, Issue 2:
https://www.financialcryptography.com/mt/archives/000498.html
Mark Stiegler, An Introduction to Petname Systems
Nick Szabo, Scarce Objects
Ian Grigg, Triple Entry Accounting