Wednesday, January 19, 2005

Human integration and Instantiation

Kim Cameron's now posted the Sixth Law of Identity:

The Law of Human Integration
The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.
Kim explains what he's getting at: "...we have done a pretty good job of cryptographically securing the channel between web servers and browsers - a channel that might extend for thousands of miles. But we haven't done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers."

But he seems to posit that any transaction with an identity component would involve human interaction - that would be a tremendous step back into the dark ages! We've had machine-to-machine transactions for 40 years and more; why should we stop now? It's also true that identity transactions will not necessarily take place within a web browser.

Still, if you modify the language a bit, requiring unambiguous communication when a human is involved in the transaction, it might be more palatable.

However, there's a danger of a tautological transaction: an unambiguous exchange is needed to authenticate the user to the identity store, so that the user can be authenticated!
Comments:
> Still, if you modify the language a bit, requiring
> unambiguous communication when a human is involved in
> the transaction, it might be more palatable.

Risk analysis for phishing attacks might also conclude that the user should not be the 'trusted' component for certain operations. Thus a theoretical identity system might wish to protect certain information about the user, such as credentials and account identifiers, from accidental disclosure by the user, e.g. http://www.shcl.co.uk/news_article.asp?pageid=2141, by not letting the user see this data in the first place, or only allowing it to be accessed under certain conditions à la DRM.

© 2003-2006 The Virtual Quill, All Rights Reserved
