Hello Paul,
This is a great post and starts to address how much of this security issue is going to evolve ... there are a couple of points that I will comment on:
> My ideas about a digital identity vault were precisely oriented
> toward solving some of the security issues over the net with state
> of the art technology. An identity vault allows everyone to know
> "you are who you say you are" over the net. That in itself is a
> tremendous step forward for national security.
Do not think of a single "vault", but numerous. If fact, there will be more vaults than we will be able to count. I prefer to relate these to "communities" of which I am a member, and the community will allow me to store my personal information ... or selective parts of it. And I will actually store parts of my identity in many communities ... in many "vaults". It is this power of distributed systems, the power of decentralization, that will be key to the success of all identity management.
> I am perfectly willing to put information into that vault that
> uniquely identifies me because I know that access to that
> information will be restricted. If I commit a crime then I expect a
> Judge to issue a search warrant to get access to the information
> that would identify me. I see the digital identity vault as
> separating me from those who have something to hide without me
> revealing all of my personal information to everyone. Clearly
> criminals will not put their identities into an identity vault!
;-) Of course they will!
"Criminals" (which of course might mean government officials, or corporate executives, or your neighbor) will belong to communities that they "trust" ... this is the basis of all relationships. So there are communities that you or I might not belong to, but the "criminals" will ...
And - this is the best part - encryption will provide the "criminal" with the protection that he/she is after. Because they will encrypt their information, using publically available strong encryption, before they store anything in a community resource. So even if the community is "searched" or "siezed" the appropriate officials will only obtain an encrypted blob of data which they will have to prove is "criminal" ...
So all this hype about the Clipper Chip, SDMI, etc. is all a big costly joke. It is very closely related to the security checks at airports ... it will derail attempts by the amatuer criminal, but do nothing to stop the more intelligent criminal.
> I don't consider it right for the state to examine my internet
> computer data transmissions for evidence of a crime using massive
> computers filtering as is done in Saudi Arabia. There has to be
> some burden of proof met before we let the state do these things.
And these "searches" can be easily defeated through the use of communities ... hiding in a crowd. If I securely communicate to a community proxy, over a protocol such as SSL, then I can hide my communication *into* the community. The monitoring might be able to be done on the *outbound* side of the community, but then the association is to the community - not the individual within the community. (And yes, I'm aware that timing of communications can be used to try to create associations, but then a heavily loaded proxy with randomized connection delays can further mask this ...)
> Digitalme and digital identity vaults are a much better way for law
> enforcement to separate the crooks from the good citizens. You
> don't have to set up a system in which every piece of data
> transmitted over the internet is screened in order to catch the
> criminals. You simply set up a system in which people such as
> myself can securely store their digital identities in a place the
> criminals will never visit.
... and "criminals" will set up their own communities, with their own storage, and will mingle this legitimate members and family. If I look at the real world, the "mafia" seems to already work in these ways ...
> I see digitalme and digital identity vaults as the city walls
> protecting the ancient civilization. Let the criminals wander in
> the internet desert because if they come into our digital identity
> vault, they are going to have to tell us who they are.
... and just as they avoid these places in the physical world, they will avoid them in the cyberworld. Which is the way it should be ... you will have the *freedom* to create communities of trust that you exist in ... and they will create communities of trust that they exist in. And in cyber-reality, you might both overlap in some community that you wouldn't have thought possible ...
> As it now stands a criminal can steal my user id and spread the
> Melissa virus --- that is the level of security that ISP's
> currently provide and that is why law enforcement is trying to
> get more powers. Our industry isn't doing it's job to protect the
> public.
The problem is the "weakest-link" syndrome ... all the security in the world will not help when the couple of people leave their doors unlocked. If your userID and Password are too hard to get, they'll find a simpler victim ...
> That is precisely why we need digitalme.
I'm looking forward to the release of the technology to the public to learn exactly how much of this functionality is going to be provided - to learn exactly what digitalme is going to be. Will this be the decentralized system of communities that is required to provide such a solution?
Scott C. Lemon |
