Bootstrapping authentication

| Comments (2) | TrackBacks (9) |
A post on Interesting People today (originally on Cypherpunks) about the difficulty of getting government issued ID in the post RealID era:
For those of you who may have missed it, today was the first day of the
new "Real ID Act", a/k/a, the American Nazification Papers Act.  I
wouldn't have know myself except that I recently moved, and wanted to
exchange my current Illinois drivers license for a Missouri one.

Not so fast...

"You have a passport?"

"No, I don't travel."

"A certified copy of your original birth certificate?"
"Haven't had one since I was born, fifty years ago. And since I was born
about 1500 miles from here, getting one is no small task."

"Too bad. Your old license is invalid and you can't get another one in
any state, starting today, without at least one of the two documents, PLUS
secondary ID to back them up."

Even though I have a current license, and even though I am in their system
as having held a valid Missouri license for 15+ years, photo included,
none of it is good enough.

OK, so I have no choice, I go to the post office to get a Passport - same

Fine, I'll just order the birth certificate and get it over with, right?

Wrong. New York wants affirmative proof of identity for a copy now:
passport or your [missing] original birth certificate. Anyone else see a
circular problem here?

"I need a new birth certificate because the old one was lost about forty
years ago. And I don't have a passport to prove my identity."

"Get your parents to testify who you are, and make sure they bring their

"They are both dead."

"Sorry Sir, I'm afraid we won't be able to help you then."

Ignore the Godwin's Law violation and just focus on the story. In order to get a strong government issued ID you have to prove your identity, which is done, naturally, using a strong ID, which was the problem in the first place. It sounds like something out of Gilbert and Sullivan but it's a real problem for any system that wants to strongly authenticate people.

The real problem is that the whole notion of personal identity is a fairly fuzzy one. In some sense, the notion of discrete personal identity is created by possessing strong personal identification. Historically we've had a variety of mechanisms for mapping that fuzzy personal identity onto strong forms of identity, but they never achieved the goal--nor were really intended to--of making it hard for you to get a new identity that didn't belong to you, because it's not clear what that means anyway. If you're going to be in the business of issuing strong personal identities, you need to either preserve those weak mechanisms or stop pretending that the strong personal identities are tied to the more amorphous information that preceded the issuance of the strong identity.

9 TrackBacks

Listed below are links to blogs that reference this entry: Bootstrapping authentication.

TrackBack URL for this entry:

lexmark ac adapter from on July 26, 2005 5:00 AM

lexmark 1000 lexmark x73 lexmark e230 lexmark printers cartridge lexmark lexmark x83 software z20 lexmark lexmark script s/n lexmark z515 driver resetting ink levels on lexmark 2030 color jetprinter lexmark ac adapter how to use an ink refill kit for ... Read More

tattoo photo from tattoo photo on August 25, 2005 8:40 AM

tattoo photo Read More

womens health from womens health on August 26, 2005 12:33 PM

womens health Read More

lg ringtones Read More

Chloroform fantasies from Photo porno super blonde on January 2, 2006 2:55 PM

Video sex clips gratis Africa big ass Granny sex gallery post Incest stories of moth... Read More

no prescription drugs mexico from no prescription drugs mexico on January 22, 2006 3:59 AM

campuses counters:fathoming refutes,lifeless liked ambien sleep medication Read More


Is this a true story though? I saw a later posting that pointed to which indicated that you could get your birth certificate using such commonplace materials as employment IDs or even telephone bills.

That seems to take care of the Catch-22 nature of the situation but it does suggest that so-called "strong" identification is not really that strong.

It seems obvious that the right way to issue a hard-to-duplicate ID is based on a set of biometrics. This doesn't do anything for telling you whether you've got the right John Smith, but it does tell you that this guy can't easily get a new formally-issued ID.

There are a gazillion privacy issues here, and I'm not thrilled with them, but if you're going to do IDs like this, it sure seems like that's the way to do them.


Leave a comment