[Cryptography] Secure universal message addressing

aestetix aestetix at aestetix.com
Wed Apr 6 01:26:02 EDT 2016


On Tue, Apr 05, 2016 at 11:09:20AM +0200, Natanael wrote:
>- Sent from my phone
>Den 5 apr. 2016 09:17 skrev "John Gilmore" <gnu at toad.com>:
>>
>> > The key idea here is that you get to have *one* identifier for yourself
>> > under your control, that you can use everywhere, securely.
>>
>> The key idea here is a bad idea.
>>
>> I don't want everyone I interact with to have the same identifier for
>> me.  That's the problem with Social Security Numbers.  With a single
>> identifier, all the interactions with me can be cross-correlated to
>> track me everywhere I go.  Typically this is done NOT for my
>> benefit, but to give some third party an advantage over me.
>
>No problem. This is a per-nickname identifier. Use temporary disposable /
>throwaway accounts or context specific accounts if you wish. Then you won't
>have everything linked to the same account.

The problem with "nick-name" is that it assumes all the names are tied to a "real" name.

Another problem with having a single root or key identifier: who decides what it is? Being able to pick your name has a lot of power to it, and handing that agency over to a third party also hands that power to them. This is one of the reasons that prisoners are often assigned a number they are required to use instead of their names.

If I am going to interact with multiple services, I want control over how I do that interaction. Forcing me to use names that branch off a single origin point defeats the entire purpose.

>
>> > OpenID essentially died. So did Mozilla's Personas. A bunch of RDF based
>> > protocols too. And many many more.
>>
>> And, from my point of view, this is why they died.  I had zero
>> interest in helping third parties keep track of me everywhere, using
>> the same identifier on widely varying sites.  It's already hard enough
>> work to keep Google out of my underwear when I don't even have an
>> account with them.  If I had the same account everywhere?  Let's not
>> go there.  "Login with your Facebook account?"  No thanks!!!
>
>The type of tech Mozilla Personas (or U2F) was using to anonymize the original
>account you connected with can be reused, although that would break the
>universal addressing aspect.
>
>Or how about this - you can link multiple profiles / personas / nicknames to
>your account, including creating throwaways, and get to choose which one to link
>third party services to when you register with them.
>

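As an added illustration, not code from this thread nor the actual mechanism of Mozilla Persona or U2F, the following shows the property the discussion turns on: a root secret held only by the user can yield a distinct identifier per service, so two services comparing their records cannot tell they are dealing with the same person, and a "throwaway" is just a fresh derivation. The HMAC construction, the `epoch` counter and the service names are assumptions for the example.

```python
import hashlib
import hmac


def derive_pairwise_id(root_secret: bytes, service: str, epoch: int = 0) -> str:
    """Derive a per-service pseudonym from a user-held root secret.

    The service receives only the derived value and never the root secret,
    so the root cannot be used as a universal correlation key. Incrementing
    `epoch` produces a fresh throwaway identity for the same service that is
    unlinkable to the earlier one (HMAC outputs are independent per input).
    """
    # Domain-separate service name and epoch so "a" + "1" != "a1" + "".
    msg = f"{service}\x00{epoch}".encode()
    digest = hmac.new(root_secret, msg, hashlib.sha256).digest()
    return digest[:16].hex()


def can_correlate(id_seen_by_a: str, id_seen_by_b: str) -> bool:
    """What two colluding services can do: compare the identifiers they hold."""
    return hmac.compare_digest(id_seen_by_a, id_seen_by_b)


def compare_designs(root_secret: bytes) -> dict:
    """Contrast a single shared identifier with per-service derivation.

    Returns which design lets two services link their records. Both
    services are constructed names for the illustration.
    """
    # Design 1 (Gilmore's objection): the same identifier is handed to everyone.
    shared = hashlib.sha256(root_secret).hexdigest()[:32]
    single_id_linkable = can_correlate(shared, shared)

    # Design 2: each service gets its own derived pseudonym.
    id_for_shop = derive_pairwise_id(root_secret, "shop.example")
    id_for_forum = derive_pairwise_id(root_secret, "forum.example")
    pairwise_linkable = can_correlate(id_for_shop, id_for_forum)

    # A throwaway for the same service is a new derivation, not a reuse.
    throwaway = derive_pairwise_id(root_secret, "forum.example", epoch=1)
    throwaway_linkable = can_correlate(id_for_forum, throwaway)

    return {
        "single_id_linkable": single_id_linkable,
        "pairwise_linkable": pairwise_linkable,
        "throwaway_linkable": throwaway_linkable,
    }


if __name__ == "__main__":
    # Constructed root secret; a real deployment would generate it with secrets.token_bytes(32).
    print(compare_designs(b"\x01" * 32))
```

The point of `compare_designs` is that unlinkability comes from never disclosing the root, not from hiding which root was used: a service that is also given the root (or any value derived identically for every service) regains the Social Security Number problem.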
