[Cryptography] PRISM-Proofing and PRISM-Hardening

Russell Nelson nelson-cryptography at crynwr.com
Fri Sep 20 20:34:19 EDT 2013

Salz, Rich writes:
 > I would say this puts you in the sub 1% of the populace.  Most
 > people want to do things online because it is much easier and "gets
 > rid of paper."  Those are the systems we need to secure.  Perhaps
 > another way to look at it: how can we make out-of-band verification
 > simpler?

There's probably a whole O'Reilly book waiting to be written on
identity verification, but let me say it in one phrase: "closing the
loop". That means giving information electronically, and expecting to
get it back via a different path. So, as an example, the institution
prints a magic number (also in barcode or QRcode form so you can
scan it) on a piece of paper, and mails it to your address of
record. Or they call your phone number of record and ask you to enter
a magic number.

Or they ask for a time-proof-of-work. Let's say that you've been
posting to an online forum for some time (e.g. this mailing
list). They ask you to post a magic number to the mailing list in your
signature block. Somebody like Lucky Green could use this. Or The Well
members, presuming that The Well still exists in some form.

Same idea for Facebook, Google+, a blog, your personal website
(e.g. russnelson.com), your corporate website
(e.g. http://crynwr.com/~nelson/), etc. Anything where only you can
enter information just as you have been doing for years.
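As an added example (not part of this message or of the list archive), here is a minimal Python implementation of the "closing the loop" check described above: the server issues a code to be sent over one channel (letter, phone call), keeps only a hash of it with an expiry and an attempt limit, and accepts it back over a different channel, including the variant where the user publishes the code in a forum post or signature block. The class and method names, the 8-digit code length and the 10-day lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

TOKEN_TTL = 10 * 24 * 3600   # assumed: mailed letters take days, so a long but bounded lifetime
MAX_ATTEMPTS = 5             # assumed: lock the challenge after this many wrong guesses


class LoopVerifier:
    """Issue a one-time code over one channel, accept it back over another."""

    def __init__(self):
        self._pending = {}   # user -> {"hash", "expires", "attempts"}

    def issue(self, user, now=None):
        """Create a fresh code for `user`; return it for the mailer / IVR to deliver."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 8):08d}"   # 8 digits: fits on paper or a phone keypad
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = {"hash": digest, "expires": now + TOKEN_TTL, "attempts": 0}
        return code   # the server keeps only the hash, never the code itself

    def verify(self, user, presented, now=None):
        """True once, for the right code, before expiry and within the attempt budget."""
        now = time.time() if now is None else now
        rec = self._pending.get(user)
        if rec is None or now > rec["expires"]:
            self._pending.pop(user, None)         # expired challenges are discarded
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]               # too many guesses: force a re-issue
            return False
        digest = hashlib.sha256(presented.strip().encode()).hexdigest()
        if hmac.compare_digest(digest, rec["hash"]):   # constant-time comparison
            del self._pending[user]               # single use
            return True
        return False

    def verify_from_post(self, user, post_text, now=None):
        """Forum / signature-block variant: look for the code in text only the user can post."""
        for candidate in re.findall(r"\b\d{8}\b", post_text):
            if self.verify(user, candidate, now=now):
                return True
        return False
```

Every candidate number found in the post counts as an attempt, so a post stuffed with digits burns the attempt budget rather than widening the guess window.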

