authentication and authorization

Anne & Lynn Wheeler lynn at garlic.com
Wed Jul 7 12:25:02 EDT 2004


At 09:20 AM 7/6/2004, Anton Stiglic wrote:
>Well, there is no established technical definition for "digital identity",
>but most definitions seem to focus on what I defined it as.


there is actually a whole series of issues.

the identity x.509 certificates from early 90s were targeted at stuff that
appeared to be totally unrelated to existing business processes and 
environment.

given the scenario that existing business relationships and permissions have
been established .... there is a requirement for asserting access to those
permissions (some means of asserting some identification associated with the
permissions and some means of authentication or substantiating the rights to
the permissions).

identity x.509 certificates have been totally unrelated to such a business
environment ... although attempts have been made to contort them into
that use. the original premise was that the identity x.509 certificates
could be used by parties that previously had no direct knowledge of each
other and could make use of the x.509 certificates w/o needing any recourse
to any additional information. one problem was a random name from
some place in the world had no context or meaning to some other random
entity some place in the world.

putting a person's instantly changing available balance in the certificate
might do. however this had (at least) two problems: 1) it could be considered
privileged information that was deemed not advisable in public certificates
with copies all over the planet and 2) with possibly thousands of each
such certificate cached all around the world .... there was some issue
with instantaneously and dynamically updating all copies.

so in the mid-90s there was some retrenchment to relying-party-only
certificates ... which basically only contained an account number and
the public key. the transaction always went to where the permissions
and other important information was available. However it was trivially
possible to show that in such situations, the certificates are redundant
and superfluous.

The majority of the business infrastructures in the world don't need
free floating and complete personal information contained in a certificate
about random and totally unknown entities. They need a non-static-data
authentication paradigm to replace the static-data authentication paradigm,
i.e. simply replace pin/password with public key and digital signatures.

--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 
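The relying-party-only arrangement described in the post, where the relying party already has the account's public key on file and applies the permissions (here, available balance) itself, as an added example in Go; this is not the author's code, and the account ids, balances and the choice of ed25519 are constructed assumptions.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "encoding/binary"
import "errors"

// Transaction is what the account holder signs; the fresh nonce makes every signature unique.
type Transaction struct {
	Account string
	Amount  int64
	Nonce   [16]byte
}

// Bytes serialises the transaction unambiguously: NUL-terminated account, nonce, amount.
func (t Transaction) Bytes() []byte {
	return binary.BigEndian.AppendUint64(append([]byte(t.Account+"\x00"), t.Nonce[:]...), uint64(t.Amount))
}

// SignTransaction is the account holder's side: draw a fresh nonce, then sign.
func SignTransaction(priv ed25519.PrivateKey, account string, amount int64) (Transaction, []byte) {
	t := Transaction{Account: account, Amount: amount}
	if _, err := rand.Read(t.Nonce[:]); err != nil { panic(err) } // no CSPRNG: do not sign
	return t, ed25519.Sign(priv, t.Bytes())
}

// RelyingParty has each account's key and balance on file; an (account, key) certificate adds nothing.
type RelyingParty struct {
	Keys     map[string]ed25519.PublicKey // registered when the account was opened (constructed)
	Balances map[string]int64
	Seen     map[string]bool // account/nonce pairs already accepted (must be non-nil)
}

// Authorize: verify with the registered key, refuse replays, then apply the balance permission.
func (rp *RelyingParty) Authorize(t Transaction, sig []byte) error {
	pub, ok := rp.Keys[t.Account]
	id := t.Account + "/" + string(t.Nonce[:])
	switch {
	case !ok:
		return errors.New("unknown account")
	case !ed25519.Verify(pub, t.Bytes(), sig):
		return errors.New("signature does not verify")
	case rp.Seen[id]:
		return errors.New("replayed transaction")
	case t.Amount <= 0 || rp.Balances[t.Account] < t.Amount:
		return errors.New("amount not permitted by available balance")
	}
	rp.Seen[id] = true
	rp.Balances[t.Account] -= t.Amount
	return nil
}
```

A replayed or tampered message fails at the relying party without any certificate being consulted, which is the sense in which the account-number-plus-key certificate is redundant.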

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com