[Cryptography] After Equifax pwning, what is the best means for replacing the SSN?

Benjamin Kreuter brk7bx at virginia.edu
Wed Sep 13 20:10:19 EDT 2017


On Tue, 2017-09-12 at 14:23 -0400, erik wrote:
> Hello. Equifax was pwned, and I'm sure you all already are aware.
> 
> It makes you wonder, however, why a single 9-digit number is capable
> of such destruction. Why is your identity 9 digits long?

It was not supposed to be, but, much like driver's licenses, it was
convenient.  I suspect that any government-issued identification would
wind up being used in this manner unless it was impossible (i.e.
cryptographically hard) for non-governmental entities to verify or
track.  When social security numbers were introduced, that would have
been difficult, but today we have the technology to create such things.

> Sure, there are birth certificates as well, but the social security
> number is quite a strange phenomenon.

Not really -- it is short and hard for people to change.  Birth
certificates are cumbersome by comparison.  Driver's licenses are
something people carry with them, which is why, despite being equally
cumbersome, they wind up being widely used.

> So, here's a challenge for you guys if you're interested: Replace the
> social security number as a means of identification, and do it in such
> a way that meets some basic criteria.
> 
> -It has to not be completely objectionable and possibly evil (i.e., a
> universal identification card)

Universal ID cards are not objectionable to most people; again,
driver's licenses basically act as this in practice.  Passports are
also commonly used for this purpose.

> -It has to be suitable for not just applying for Social Security
> benefits, but also for applying for loans, mortgages, etc.

Why?  Banks are more than capable of keeping track of their customers;
social security numbers are just one of many ways that banks do so, and
I doubt most banks would have difficulty dealing with customers not
having one.

Frankly, I would rather not have to use the same ID for both government
business like social security and for my everyday banking.  I would
rather have to deal with fewer things in the event of an ID being
compromised.  Recovery from compromise is missing from your list of
requirements; it should be considered as important as being hard to
forge, given that this system needs to be used by the general public.

-- Ben
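One concrete shape for the identifier Ben describes above, one that is "cryptographically hard for non-governmental entities to verify or track", together with the recovery-from-compromise requirement he adds at the end, as an added example that is not part of the original post and not a proposal from anyone on this thread: a hypothetical issuing authority derives a distinct pseudonym per relying party from a secret only it holds, so a bank's copy of your identifier is useless at any other bank, cannot be checked without asking the authority, and can be re-keyed for one person by bumping a counter. The class, the names, the sample parties and the HMAC-based derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class IdentityAuthority:
    """Hypothetical issuer (assumed for this example). It holds the one
    secret that lets identifiers be derived, verified or linked; a relying
    party (a bank, a lender) only ever sees its own pseudonym for a person
    and cannot compute the pseudonym that person has anywhere else."""

    def __init__(self, root_key=None):
        # Root secret; a real deployment would keep this in an HSM.
        self._root_key = root_key or secrets.token_bytes(32)
        # Per-person epoch counter. Bumping it re-keys every pseudonym the
        # person has, which is the recovery path after a breach.
        self._epoch = {}

    def enroll(self, citizen_id):
        self._epoch.setdefault(citizen_id, 0)

    def _person_key(self, citizen_id):
        # Per-person key derived on the fly from the root, so only the
        # root ever needs to be stored or protected.
        return hmac.new(self._root_key,
                        b"person:" + citizen_id.encode(),
                        hashlib.sha256).digest()

    def pseudonym(self, citizen_id, relying_party):
        """The identifier this relying party sees for this person.

        Different parties get unrelated values: without the root key there
        is no way to go from the bank-A pseudonym to the bank-B one, so a
        leak at one party does not let anyone track the person elsewhere.
        """
        epoch = self._epoch[citizen_id]
        msg = (b"rp:" + relying_party.encode()
               + b":epoch:" + epoch.to_bytes(4, "big"))
        return hmac.new(self._person_key(citizen_id), msg,
                        hashlib.sha256).hexdigest()

    def verify(self, citizen_id, relying_party, presented):
        """Only the authority can answer 'is this the current identifier
        for this person at this party?'; a third party holding a stolen
        value has nothing to check it against."""
        expected = self.pseudonym(citizen_id, relying_party)
        return hmac.compare_digest(expected, presented)

    def rotate(self, citizen_id):
        """Recovery from compromise: every pseudonym this person currently
        has stops verifying, and each relying party is issued a new one on
        the next contact. The person does not have to change anything."""
        self._epoch[citizen_id] += 1


def demo():
    """Walk through enrolment, a breach at one party, and recovery.
    Returns the observations as a dict so they can be checked."""
    authority = IdentityAuthority()
    authority.enroll("alice")  # constructed sample person
    at_bank_a = authority.pseudonym("alice", "bank-a")
    at_bank_b = authority.pseudonym("alice", "bank-b")

    # bank-a is breached: the attacker now holds at_bank_a.
    stolen = at_bank_a
    # It does not verify anywhere else, and nothing lets the attacker
    # derive alice's bank-b identifier from it.
    usable_at_b = authority.verify("alice", "bank-b", stolen)

    # Recovery: one counter bump invalidates the stolen value everywhere.
    authority.rotate("alice")
    still_valid_after_rotate = authority.verify("alice", "bank-a", stolen)
    reissued = authority.pseudonym("alice", "bank-a")

    return {
        "unlinkable": at_bank_a != at_bank_b,
        "stolen_usable_elsewhere": usable_at_b,
        "stolen_valid_after_rotate": still_valid_after_rotate,
        "reissued_differs": reissued != stolen,
        "reissued_verifies": authority.verify("alice", "bank-a", reissued),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keying the pseudonym to both the person and the relying party is that the bank never needs a copy of anything the authority considers secret: it stores an opaque value that is meaningful only in conversations with the authority, which is the opposite of an SSN, where the stored value is itself the credential.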
