More silliness on Internet credentials

| Comments (7) | COMSEC
For some reason, the silly idea of universal personal authentication for Internet users seems to have an undue appeal on tech executives. Here's Barbara Kiviat reporting on Microsoft's Craig Mundie:
What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).

...

Mundie pointed out that in the physical world we are implicitly comfortable with the notion that there are certain places we're not allowed to go without identifying ourselves. Are you allowed to walk down the street with no one knowing who you are? Absolutely. Are you allowed to walk into a bank vault and still not give your name? Hardly.

This is one of those ideas that comes up so often and initially seems like a natural analogy, but on closer inspection just starts to look confused.

First, a drivers license isn't principally a form of general purpose authentication but rather a permit from the state to drive. It has a biometric component in order to permit the police to determine that you're the actual holder of the permit and not someone who just has their license. Of course, because the license is so ubiquitous, it's widely used as a form of general ID, but if you do something to lose your license, the state will still issue you an identification card; indeed you can generally get an id card even if you're ineligible to drive. (Here's what California has to say). So, on the one hand Mundie says you don't have a right to complete anonymity (which I at least sort of agree with) and that his proposed Internet driver's license would serve as a form of ID and on the other hand, he suggests that you could lose your right to use the Internet for some unspecified set of misbehaviors. So, which is it, a permit or a form of ID?

Second, if it's a permit, under what conditions might it be revoked? Having your machine compromised? Failure to keep your software updated? If it's just for bad system hygiene then you're going to see a huge number of revocations. If it's for actual malfeasance then aren't you just going to revoke the licenses of people who would be in serious legal jeopardy in any case? Internet security problems come from two kinds of users: those who are genuinely malicious and those who are just careless. The problem with the first is finding them, not punishing them once you've done so. As for the second, revoking their right to use the Internet seems rather excessive.

On the other hand, if the idea is to just have a form of ID, then I don't really see why we need something government sponsored. Can't sites decide for themselves whether to to try to authenticate you?

7 Comments

If you want to make money from your twitter account, go to see this video !

If you want to make money from your twitter account, go to see this video !

If you want to make money from your twitter account, go to see this video !

If you want to make money from your twitter account, go to see this video !

If you want to make money from your twitter account, go to see this video !

Can't sites decide for themselves whether to to try to authenticate you?

And this isn't largely what they are doing? - just not in a particularly cohesive manner. After all, user authentication and federation is rife with hard problems and privacy concerns. I think that we are already attempting to head in this direction and that anything more integration or ubiquitous (especially if tied to access to network rights) is fraught with regulatory problems and general acceptance.

Can't sites decide for themselves whether to to try to authenticate you?

And this isn't largely what they are doing? - just not in a particularly cohesive manner. After all, user authentication and federation is rife with hard problems and privacy concerns. I think that we are already attempting to head in this direction and that anything more integration or ubiquitous (especially if tied to access to network rights) is fraught with regulatory problems and general acceptance.

A related post from Bruce Schneier.

Leave a comment