Eugene Kaspersky argues that one should need to have a "passport" to use the
Internet (via /.):

That's it? What's wrong with the design of the Internet?

There's anonymity. Everyone should and must have an identification, or
Internet passport. The Internet was designed not for public use, but
for American scientists and the U.S. military. That was just a limited
group of people--hundreds, or maybe thousands. Then it was introduced
to the public and it was wrong to introduce it in the same way.
I'd like to change the design of the Internet by introducing
regulation--Internet passports, Internet police and international
agreement--about following Internet standards. And if some countries
don't agree with or don't pay attention to the agreement, just cut
them off.

Isn't it enough to have everyone register with ISPs (Internet service
providers) and have IP addresses made known?

You're not sure who exactly has the connection. I can have a Wi-Fi
connection and connect using a password, or give away the password for
someone else to use that connection. Or the connection could be
hacked.
Even if the IP address is traced to an Internet café, they will not
know who the customer or person is behind the attacks. Think about
cars--you have plates on the cars, but you also have driver licenses.

Unfortunately, Kaspersky didn't
elaborate on how this would actually work, which is too bad because it's
not really that clear to me how one would develop such a system. Let's
stipulate for the moment that we had some mechanism for giving
everyone who was allowed to access the Internet some sort of
credential (the natural thing here would be an X.509 certificate, but
of course you could imagine any number of other options).
All that you would need to accomplish this would be to somehow
positively identify every person on the planet, get them to
generate an asymmetric key pair, issue them a certificate, and
give them some way to move it around between all their
Internet-connected devices (and it's not at all unusual to have
both a PC and a smartphone), as well as find some way for them
to use it in Internet cafes, libraries, etc. And of course,
having the credential is the easy part: we still need to find
some way to actually verify it.
At a high level, there are three places we could imagine verifying
someone's credentials: (1) at the access point, (2) in the network
core, (3) at the other endpoint. None of these is particularly
satisfactory:
Access Point
The naive place to verify people's identity is at the point where they
connect to the Internet. Of course, in the vast majority of cases
(home service, mobile, etc.), no "passport" is required, because the
user has a subscriber relationship with the service provider, so as
long as the service provider keeps adequate records it's relatively
straightforward to track down who was using any given IP address at a
given time. This leaves us with a variety of "open access" type
situations where someone has a network that anyone can use,
such as libraries, conferences, and people's home networks.
One could imagine requiring that those people program their
network access elements to authenticate anyone who wanted to
use them, but since this would require reprogramming an untold
number of Linksys access points which are currently
running whatever firmware they were loaded with when they
were manufactured in 2006, this doesn't sound like a very
practical proposition. Even if one did somehow manage to arrange
for a mass upgrade, people who run open APs don't have a huge
amount of incentive to keep them secure, so it wouldn't be
long before there was a large population of APs which couldn't
be trusted to properly report who had used them and we're back
to where we started.
Network Core
Moving outward from the access point, one could imagine doing
authentication somewhere in the network core (which is sort
of what Kaspersky's comments imply). Unfortunately,
this would involve some pretty major changes to the Internet
architecture. Remember that as far as the core is concerned,
there are just a bunch of packets flowing from node to node
and being switched as fast as possible by the core routers
which don't have any real relationship with the endpoints.
Unless we're going to change that (pretty much out of the
question no matter how ambitious you are), then about
all that's left is having the endpoints digitally sign
their packets with their credentials. And of course, those
signatures would then have to be verified at something
approaching wire speed
(if you don't verify them in real time,
then people will just send bogus signatures; if you only
verify a fraction, then you need some sort of punishment
scheme because otherwise you just reduce traffic by that
fraction). And of course, the signatures would create massive
packet bloat. So, this doesn't sound like a very practical
retrofit to the existing Internet.
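
The two costs named above (packet bloat, and what happens when only a fraction of signatures is checked), worked through as an added sketch that is not part of the original post. Signature checking is modelled rather than performed; the packet sizes, the "block the sender at the first detected forgery" punishment rule, and all function names are assumptions made for illustration.

```python
import random

# Raw signature sizes in bytes for three common schemes.
SIG_BYTES = {"Ed25519": 64, "ECDSA-P256": 64, "RSA-2048": 256}
# Assumed packet sizes: a bare TCP ACK over IPv4 and a full Ethernet MTU.
PACKET_BYTES = {"tcp-ack": 40, "full-mtu": 1500}


def bloat(packet_len, sig_len):
    """Fractional size increase from appending one signature to a packet."""
    return sig_len / packet_len


def forwarded(n_packets, verify_fraction, punish, seed=1):
    """A sender emits n_packets carrying bogus signatures; the router checks
    each packet with probability verify_fraction. Returns how many packets
    are forwarded. punish=True (assumed policy) blocks the sender as soon
    as one forgery is detected; punish=False only drops the checked packet."""
    rng = random.Random(seed)
    delivered = 0
    for _ in range(n_packets):
        if rng.random() < verify_fraction:
            if punish:
                break        # forgery caught: sender is cut off from here on
            continue         # forgery caught: only this one packet is lost
        delivered += 1       # unchecked packet is forwarded as if it were valid
    return delivered


def expected_before_block(verify_fraction):
    """Mean number of forged packets forwarded before the first check
    (geometric distribution); requires verify_fraction > 0."""
    return (1 - verify_fraction) / verify_fraction


if __name__ == "__main__":
    for scheme, sig in SIG_BYTES.items():
        for kind, size in PACKET_BYTES.items():
            print(f"{scheme:11} {kind:8} +{bloat(size, sig):.0%}")
    for p in (0.01, 0.1, 0.5):
        print(p, forwarded(100_000, p, False), forwarded(100_000, p, True),
              round(expected_before_block(p), 1))
```

Without the blocking rule, sampling at rate p simply delivers about (1 - p) of the unsigned traffic; with it, the sender gets only about (1 - p)/p packets through, which is why sampling needs a penalty to mean anything.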
Other Endpoint
This leaves us with verifying the user's identity at the
other endpoint, which is probably the most practical option,
given that we already have technology for this in the
form of IPsec, SSL/TLS, etc. Again, we have the retrofit
problem, and also a huge incentive issue; most
sites are primarily interested in having a lot of visitors
and don't much care who they are, so they're not really
incentivized to verify user identities, especially during
the (extended) transition period when requiring authentication
would mean rejecting traffic from legitimate visitors.
Still, it's at least technically possible, though it's
not clear to me why one would want to require this form
of authentication through some regulatory process:
the major entity which is hurt by being unable to
verify whoever is sending them traffic is after all
the other endpoint, so if they don't care to authenticate
their peer, why would we want to require it?
Unfortunately, even the above issues (which aren't very
promising) aren't the real obstacle. Remember that we're going
to require that everyone who wants to access the Internet have
one of these credentials. That includes your grandmother, who hasn't
ever run Windows Update and has over half of her hard drive
taken up with assorted varieties of malware. It's not going to be
at all difficult for attackers to get their hands on an
arbitrary number of "Internet passports" belonging to other
people (remember that attackers don't have any trouble getting
credit cards, which people actually do have some interest
in protecting).
The bottom line, then, is that unless I'm missing something,
it's not clear to me that a system that fits Kaspersky's description
is likely to be particularly useful.