[cap-talk] Webkeys vs. the web

Rob Meijer capibara at xs4all.nl
Mon Mar 30 03:46:12 EDT 2009


On Mon, March 30, 2009 01:54, Sam Mason wrote:
> On Sat, Mar 28, 2009 at 02:31:03PM +0100, Rob Meijer wrote:
>> I feel the whole use of name/password for proof of identity concept has
>> grown into a usability nightmare. The main reason why it persists IMO is
>> inertia and familiarity, and the idea of many that familiarity equates to
>> usability. With the alternative openid and the like not really picking up,
>> I feel the capability community might have a bit of a shot of coming up
>> with a REAL solution for the problem before we end up getting stuck in yet
>> another identity based nightmare like openid. That is if we can shake the
>> identity premises ourselves. I feel that we really need to step away a bit
>> from the mobility of identity and aim for mobility of authority.
>>
>> In my view a smart phone or other networking enabled hand held device with
>> the right software could be considered the ultimate portable bookmark
>> tool, and the ultimate tool of delegation.
>
> This initially strikes me as a slightly naive view; how much effort is
> currently expended on trying to just get credit card details, if an
> attacker could get their hands on something that instantly gave them
> someone's authority (until minutes, or more likely hours or days, later
> the device was revoked) how much more effort would be expended?
>
> I then thought; but this is how reality works (or at least used to work)
> our identity is the sum of our observable attributes.  We always have
> the same set of attributes, i.e. our appearance, style of communication,
> daily routines, that people use to identify each other.  Why can't
> something similar be done with computers?
>
> I think the reason is that identification is never completed in reality;
> you start with an idea of who someone is and you refine this the longer
> you know them.  As soon as they start acting differently you become
> suspicious and your level of trust reduces.  This is complicated by
> the fact that there are too many observable attributes to record
> so everybody picks a different set of attributes.  An impersonator
> would have to do a sufficiently good job of duplicating what they had
> observed about the individual, yet they would have little idea about
> what attributes are going to be important when they have to perform the
> impersonation.
>
> I have a feeling that multiple passwords (at least) are going to be the
> only tractable solution for quite a while yet.

My main concern is not actually with passwords, it is with dividing
authority up using the static domain+username identity compartments, and
allowing proof of identity to be used in a mobile way with untrusted or
less trusted workstations. Any 'solution' that puts a focus on identity
and the mobile usage of identity IMO is simply missing the base values of
POLA.
We need to work towards a solution that allows a person to delegate
bundles of revocable 'authority' in a mobile way. If this requires
passwords, that is OK. As long as this password is not used as proof of
identity.

What I proposed was along the following line:

1) The service Alice bundles some authority for an entity with the Bob
   identity.
2) On proof of Bob identity (client certificate?), Alice delegates the
   authority to the entity that is providing this proof.
3) Alice allows the holder of the bundle of authority to decompose,
   recompose and create membranes for the authority. The holder of the
   raw authority bundle uses this to create a more appropriate membrane
   authority.
4) The holder of the Bob identity delegates the more appropriate bundle of
   authority to a mobile device Carol. The mobile device stores the
   authority, possibly behind a password protection if you like.
5) The owner of the Carol device wants to use some sub authority from a
   foreign machine 'Mallet'. He uses the Carol device to access Alice and
   further decompose the already limited authority into a single usage
   session bound auto revoked authority bundle. This authority is delegated
   to Mallet.
6) The user uses the Mallet machine to access the Alice service. Mallet has
   no knowledge of the Bob identity, and after usage, no more access to the
   sub authority that was temporarily delegated to it.

I can imagine similar solutions without a mobile device and with
passwords. As long as you can stay away from identity and non-auto-revoked
authority, we could I feel do much better than password based proof of
identity solutions.

Rob
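
A toy in-process model of the six-step delegation chain in the message above, added here as an illustration rather than taken from the thread or from any cap-talk project. It assumes authority is a set of action names, that Alice proves the Bob identity once and never records it in the bundle, that Carol's and Mallet's bundles are attenuated copies chained to their parent, and (going one step beyond the text) that revoking Carol's bundle also kills anything later derived from it.

```python
class Bundle:
    """Authority (a set of actions) behind a revocable membrane. A delegated bundle
    links to its parent, so revoking any ancestor revokes everything below it."""

    def __init__(self, actions, parent=None, single_use=False):
        self.actions, self.parent, self.single_use = frozenset(actions), parent, single_use
        self.revoked = False  # no identity field: a bundle is not proof of who Bob is

    def permits(self, action):
        # Walk the membrane chain: every link must be live and allow the action.
        if self.revoked or action not in self.actions:
            return False
        return self.parent is None or self.parent.permits(action)

    def attenuate(self, actions, single_use=False):
        # Steps 3-5: decompose into a smaller bundle; authority only ever shrinks.
        if not set(actions) <= self.actions:
            raise ValueError("cannot delegate authority you do not hold")
        return Bundle(actions, parent=self, single_use=single_use)

    def revoke(self):
        self.revoked = True


class AliceService:
    """Proves the Bob identity once (steps 1-2, a client certificate in the post),
    then only ever sees bundles, so Mallet never learns or presents that identity."""

    def grant_for(self, identity, actions):
        return Bundle(actions)  # the identity is checked here and then dropped

    def invoke(self, bundle, action):
        if not bundle.permits(action):
            return False
        if bundle.single_use:
            bundle.revoke()  # step 6: the session bundle dies after one use
        return True


def run_scenario():
    alice = AliceService()
    raw = alice.grant_for("Bob", {"read", "write", "delete"})  # steps 1-2
    carol = raw.attenuate({"read", "write"})                   # steps 3-4
    mallet = carol.attenuate({"read"}, single_use=True)        # step 5
    results = [alice.invoke(mallet, "write"),  # False: never delegated to Mallet
               alice.invoke(mallet, "read"),   # True: the single permitted use
               alice.invoke(mallet, "read"),   # False: auto-revoked after that use
               alice.invoke(carol, "write")]   # True: Carol's bundle is still live
    carol.revoke()  # device lost: everything below Carol dies with it
    results += [alice.invoke(carol, "read"),                   # False
                carol.attenuate({"read"}).permits("read")]     # False
    return results
```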


