when a fraud is a sale, Re: Rubber hose attack

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Mon Nov 5 12:20:48 EST 2001


not completely. except for some of the "know your customer rules" .... a
financial institution doesn't have to identify you ... they only have to
authenticate that you are the person authorized to transact with the
account; aka 1) I come in and open a brand-new account and deposit a whole
lot of money. 2) they give me a card with possibly PIN which is the only
way that is enabled for authorized transactions. They may also record some
number of shared secrets as a fall-back position (some of the
shared-secrets may involve identity information ... but that is more of a
memory mnemonic; I know people that register almost random shared-secrets
that have no relationship to their identity). No identity is involved.
Governments may require identity for other reasons ... but it is possible
to establish that it is the entity authorized to make transactions w/o
requiring any identification (using purely authentication).

That is not to say that there are various kinds of fraud involving things
like identity theft ... but it is possible to authenticate transactions w/o
requiring identity.

There are some other issues with some infrastructures involving trusted
third parties (TTPs).

I've gone into some length with regard to the discussion of TTPs and domain
name web server certificates ... aka
http://www.garlic.com/~lynn/subtopic.html#sslcerts

where, in effect because of concerns over the integrity of the domain name
infrastructure, digital certificates have been introduced. Note however,
TTPs normally are not the recognized authoritative entity with regard to
domain names .... TTPs just "certify" that they've checked with the
authoritative entity with regard to whatever they are certifying when they
manufacture the digital certificate.

Now, who is the authoritative entity for domain name information that TTPs
check with when they are manufacturing a domain name web server
certificate? It is the domain name infrastructure. As a result of integrity
concerns there are also integrity concerns with regard to the domain name
infrastructure from TTPs (because they effectively rely on the same
authoritative agencies that people are concerned about with regard to
normal operation). Now the interesting part is that there are proposals
that would fix the integrity problems of the authoritative domain name
agency ... the domain name infrastructure .... however, if those proposals
were implemented, it would also correct integrity concerns regarding the
domain name infrastructure for the rest of the world ... eliminating the
desire they have to have domain name web server certificates as a means of
compensating for the integrity issues with the domain name infrastructure
(which is also the authoritative agency for domain names that the TTPs
check with in order to certify domain names in manufactured certificates).



johnE37179 at aol.com on 11/05/2001 10:01 AM wrote:

I think you have nailed it on the head. When authentication is viewed as
the "first link" in the chain instead of identification. The problem with all
authentication technologies in use today from biometrics to PKI to digital
certs, all finesse the identification process and push it off to some
"trusted" third party...all without clearly defining what that third party
must bring to the table.

John






---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
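The account model in Lynn Wheeler's first paragraph (card plus PIN as the only enabled path, a few shared secrets as fall-back, no identity recorded) can be made concrete. The following is an added example written for this page, not code from the original post or from any financial institution: the ledger stores an opaque account number, a random card token, a slow-hashed PIN verifier and slow-hashed fall-back secrets, and nothing else. All names, parameters and sample values (`Ledger`, `open_account`, `authenticate`, `recover`, the lockout threshold, the PBKDF2 round count) are constructed for the example.

```python
"""Account authentication without identification (added example).

The record holds only what is needed to check that the caller is
authorized to transact on the account; no name, address or
government identifier is ever requested or stored.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000      # constructed value; tune for the deployment
MAX_PIN_FAILURES = 3         # constructed value: lock after this many bad PINs


def _verifier(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the PIN or shared secret, never the
    # value itself, so a stolen ledger does not yield usable credentials.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    number: str                   # opaque identifier handed out at opening
    card_token: bytes             # random value held on the card ("something you have")
    pin_salt: bytes
    pin_hash: bytes               # verifier for the PIN ("something you know")
    fallback: list = field(default_factory=list)  # [(salt, hash), ...] shared secrets
    pin_failures: int = 0
    locked: bool = False


class Ledger:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def open_account(self, pin: str, shared_secrets: list[str]) -> tuple[str, bytes]:
        """Open an account and return (account number, card token).

        The shared secrets need not relate to identity; random strings
        work just as well, as the post notes.
        """
        number = secrets.token_hex(8)
        token = os.urandom(32)
        salt = os.urandom(16)
        fallback = []
        for s in shared_secrets:
            fs = os.urandom(16)
            fallback.append((fs, _verifier(s, fs)))
        self._accounts[number] = Account(number, token, salt, _verifier(pin, salt), fallback)
        return number, token

    def authenticate(self, number: str, card_token: bytes, pin: str) -> bool:
        """Primary path: card token plus PIN. Returns True only for an
        authorized caller; locks the account after repeated PIN failures."""
        acct = self._accounts.get(number)
        if acct is None or acct.locked:
            return False
        # Constant-time comparisons avoid leaking how much of a guess matched.
        if not hmac.compare_digest(acct.card_token, card_token):
            return False
        if not hmac.compare_digest(acct.pin_hash, _verifier(pin, acct.pin_salt)):
            acct.pin_failures += 1
            if acct.pin_failures >= MAX_PIN_FAILURES:
                acct.locked = True
            return False
        acct.pin_failures = 0
        return True

    def recover(self, number: str, answers: list[str], threshold: int = 2) -> bool:
        """Fall-back path: at least `threshold` of the registered shared
        secrets must match. Still pure authentication, no identity check."""
        acct = self._accounts.get(number)
        if acct is None:
            return False
        matched = 0
        for (salt, h), answer in zip(acct.fallback, answers):
            if hmac.compare_digest(h, _verifier(answer, salt)):
                matched += 1
        return matched >= threshold


if __name__ == "__main__":
    ledger = Ledger()
    num, tok = ledger.open_account("4321", ["blue kettle", "x9f2q", "north"])
    print("card+PIN:", ledger.authenticate(num, tok, "4321"))
    print("fallback:", ledger.recover(num, ["blue kettle", "wrong", "north"]))
```

The point the example makes is structural: every field the ledger keeps is either an opaque handle or a verifier for a secret, so the institution can prove "this caller is authorized for this account" without ever being able to say who the caller is.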
