Policy-Discussion

["Peter Williams" <home_pw AT msn.com>]

> 
> > And therefore, we do not guarantee that we've
> > proven the identity of anyone, because such is
> > an impossible statement?
> 
> We have not proven the identity, we have verified it.


This is correct. A CA verifies a claim of identity. By relying on an assured
process, an evidence giver may rely make an effective offer of proof.

(This is an advanced language game. The distinction between proof and
verification is all that matters.)

> 
> > The reason for this tortuous introspection is that
> > it then clears the way for establishing different levels
> > of surety or risk.  Without that we are stuck with the
> > myth of all CAs being equal, and all certs being
> > equal, and every day being Christmas.
> 
> I don´t see the association here.

It didn’t make any sense, don’t worry.

The assurance levels of CAs have long been distinct. Buy Peter's $20 book,
pay 250 dollars to Microsoft for a CA program, pay a $50 business license,
put root key on website, and you are a complete CA! The only thing missing
is confidence in you. Generating that doesn’t involve computers.


> > > The only information kept (Except for TTP) is Name and date of birth.
> > > Assurers have types of ID used, which is basically pointless for
> useful
> > > information. Everybody knows they types of ID another person is likely
> to
> > > have.
> >
> > So nobody else is capable of auditing the process
> > conducted by the Assurers?
> 
> Verifying the identity of a human is completely pointless. Humans are
> living
> creatures, so they change themself every nanosecond.
> So let´s forget everything, and do something else ;-)

Sounds like an idealized bar discussion, at a Financial conference in the
Carribean. None of these Rivest ideas have ever take root, but its good
research proposal generating process.


> > What happens when Head Office decides to
> > check randomly the assuring of some subscribers?
> 
> Yes, we are starting that.

Good.

Don’t get involved however. Require the assuror to show they are in
compliance with the rules. Use a Positive compliance regime, versus
inspection regime.


> 
> > What happens when the spooks finger Mr lin Baden
> > as a bad guy, and the office in deepest darkest
> > Klapistan declines to answer as to what copies of
> > the ID used it has, and how it was checked?
> 
> Then the points awarded will be revoked, the issued certificates will be
> revoked, ... (long procedure)

Long procedure huh. Bin laden registers 500 certs then, with 500 assurers.
Spreads the communications across several infrastructures.

Might want to use the "suspended cert" concept.

In the Hong Kong Post CA (official CA that puts certs on id cards (partly to
annoy the Australian govt. which failed at the same thing in Aus Post),
posting a subscriber notice of compromise on a Friday causes a suspended
status, on the OCSP database. This is because postal authorities don’t
process the legal notice till Monday. Meantime, relying parties need SOME
information that the subscriber no longer vouches for the authenticity of
the dig sigs.


> 
> > > I'm not sure how much information there is to 'protect' for Web of
> Trust.
> >
> > Duane covered this - Name, Address, DOB are all
> > good and useful for Identity Theft, the current top
> > of the pops that's sweeping America.
> 
> Can´t America care for itself?
> I mean, they are old enough now.
> 
> > Not very.  But the current climate doesn't make that
> > much of an excuse, the current thinking is that if you
> > don't have a need for data you shouldn't store it.


Not sure the current climate comment is even accurate.

The whole privacy policy mandate, imposed by the EEC on America, a few years
ago meant that at least data had to be identified by type, and the
retention/disclosure policies be published.

Showing future compliance with this will mean generally KEEPING the data, to
protect oneself from the regulator, when someone (out of 5 billion)
complains.

> Yes, prooving the need to know is the best possible measurement here, I
> think.
> 
> I think we should start thinking about doing real end-to-end encryption
> and
> authentication. Perhaps there is a good way somewhen to do it.
> (With end-to-end I mean brain-to-brain. Computer-to-Computer isn´t end-to-
> end)
> 
> Real end-to-end public key cryptography would be a solution for most of
> the
> identity fraud things we have at the moment.

OK. The PKI hypothesis failed. (see my phd submission if you want, it makes
for angry reading amongst the PKI aficionados). Now at least the additional
anti-phishing requirement has been identified, and one can research suitable
crypto processes to help this.

(I have some business contacts for friends who have launched a
non-encryption based crypto service, for anti-phishing services when
accessing. Uses good crypto and assurance reasoning, without assuming the
PKI hypothesis. This will again make the military CA folks red in the face
with rage! Given it rejects the hypothesis of comsec design, per se)


> > OK.  Is the assurer listed anywhere?  Ah, yes I see
> > you say below he is listed on the website.
> 
> The assurers can list themself on the website, if they want. They don´t
> have
> to.
> It is not published by CAcert, who are the assurers of a specific user.
> 
> > > 1. Become an assurer, Convince the person who you assure to let you
> copy
> > > the entire of their ID's information down or photocopy it. 2. Bride
> one
> > > of the CAcert Office administrators to give you information. 3. Break
> in
> > > a steal information from the CAcert office
> > >
> > > 1 is likely to get you as much information, probably less than simply
> > > stealing somebodies wallet. (You should look into pick-pocketing)
> >
> > 1 is a great start to identity theft.  In America, what a person
> > has with them or is in their head can be used to acquire a
> > credit relationship that would buy a new car for example.
> 
> But I don´t need a new car. I am happy with my current one.
> 
> > 1.b Another possibility is to *pretend* to be an assurer.  How do
> > I know that you are really an Assurer from CACert?
> 
> By looking on the website, searching for that assurer, and verifying the
> identity of the pretending Assurer.
> 
> > > 2 & 3 is likely to get you more information if people have sent a copy
> of
> > > their passport information in.  This is a little dangerous. Physial
> > > security as always is important here.
> > >
> > > If you really wanted gain, you wouldn't steal info about a person, you
> > > would get the root private key and start impersonating people.
> >
> > 4.  OK, so this is the classical weakness of CAs.  Steal the
> > root key and take over all the identities.  I'm guessing this
> > one is covered.
> 
> Yep, that´s covered.


You cant take over any identities, with a root key compromise.

You can falsely issue certs, and falsely issue suspensions/revocations.

Visa has patents on root key compromise systems, and semantic systems for
critical infrastructure protection based on the PKI hypothesis. Done 10
years ago, they may be becoming more valuable at this point.

> 
> Regards,
> Philipp Gühring
> 
> _______________________________________________
> Have you subscribed to our RSS News Feed yet?
> 
> CAcert-Policy mailing list
> CAcert-Policy AT lists.cacert.org
> http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy