[Cryptography] Follow up on my password replacement idea

Bill Frantz frantz at pwpconsult.com
Wed Sep 23 17:37:07 EDT 2015

On 9/23/15 at 1:04 PM, bear at sonic.net (Ray Dillinger) wrote:

>Unfortunately a lot of the biggest stakeholders have a vested
>interest in tracking that traffic information.  The people who
>actually make a living from advertising and ad brokering are the
>same people who invest in development and work on standards, and
>they absolutely do not want a world in which they cannot get at
>the traffic information.

Our current Net is funded by advertising. I think that any 
privacy solution which does not support advertising will fail in 
the market place.

How can we support advertiser's interests while protecting the 
users' privacy? Can we have the advertiser's privacy sensitive 
algorithms run in a confined place where they can not leak 
information about individuals? Can we audit their systems to 
show that they keep private information private? Are there other ways?

If targeted advertising lives up to its promise, I think I would 
find it much more tolerable than the shotgun stuff that crosses 
my screen now. It even runs the risk of being interesting and 
distracting. Perhaps there is a grand bargain between net users 
and advertisers. Make advertising interesting and fun enough and 
we'll recognize that it is the price we pay for a "free" Internet.

>As far as I can see trust relationships are binary.  That is, every
>pair of parties has a separate trust relationship, and attempts to
>mediate it all through a universal trust brokerage such as a PKI are
>at best difficult and at worst counterproductive.  If trust is
>binary, we might as well be using symmetric-Key crypto and all of
>our key managers darn well ought to support symmetric key crypto.

Trust relationships are much more complex than just binary. When 
my lawyer introduces me to his paralegal, I automatically assign 
the same level of trust to her that I have in him. One of the 
new items of trust is I trust her to know when to kick things 
upstairs to him.

When I go caving with a new caver, my trust in her is based on 
her reputation in the caving community. Here many people 
contribute to the trust. It is only after I have decided she is 
trustworthy enough for the trip we are planning that I actually 
go on the trip and observe her underground.

>>Solid authentication is the one place where we really need to leak a ton of
>>information, preferably only to a semi-trusted third-party.

How far can we get not using authentication of individuals? We 
are seeing increasing use of "Web Capabilities", where the URL 
gives everything needed to authorize and perform the request. 
These URLs don't need user authentication in the classic sense. 
They can be shared between more than one individual when needed. etc.

Cheers - Bill

Bill Frantz        | "I wish there was a knob on the TV to turn up the
408-356-8506       | intelligence.  There's a knob called "brightness", but
www.pwpconsult.com | it doesn't work. -- Gallagher
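
The "Web Capabilities" idea mentioned in the message above, sketched as an added example that is not part of the original post: the URL carries an unguessable token that authorizes one action on one resource, and no user identity is checked. The origin `files.example`, the `/cap/` path and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

BASE = "https://files.example/cap/"  # hypothetical service origin and path
PREFIX = "/cap/"
_grants = {}  # sha256(token) -> (resource, action); the raw token is never stored


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _token(url: str):
    """Extract the token from a capability URL, or None if the path is not ours."""
    path = urlsplit(url).path
    return path[len(PREFIX):] if path.startswith(PREFIX) else None


def mint(resource: str, action: str) -> str:
    """Return a URL that by itself authorizes `action` on `resource`."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _grants[_digest(token)] = (resource, action)
    return BASE + token


def redeem(url: str, action: str):
    """Return the resource if the URL grants `action`, else None.
    Whoever holds the URL is authorized; no login or identity is consulted."""
    token = _token(url)
    grant = _grants.get(_digest(token)) if token else None
    return grant[0] if grant and grant[1] == action else None


def revoke(url: str) -> bool:
    """Invalidate one capability; other URLs for the same resource keep working."""
    token = _token(url)
    return bool(token) and _grants.pop(_digest(token), None) is not None


if __name__ == "__main__":
    alice = mint("report.pdf", "read")   # constructed sample resource
    bob = mint("report.pdf", "read")     # a second, independent capability
    print(redeem(alice, "read"), redeem(alice, "write"))
    revoke(alice)
    print(redeem(alice, "read"), redeem(bob, "read"))
```

Because the URL is a bearer secret, anything that records or forwards it (server logs, browser history, Referer headers) also hands over the authority it carries, which is why the sketch issues one token per grant and supports revoking each independently.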
