[Cryptography] People vs AI

Jerry Leichter leichter at lrw.com
Tue Mar 4 06:48:06 EST 2025


> …There's also the problem that the identity is usually associated with a device,
> and the device might not always be in the possession of the person who the
> identity is supposed to be. My phone is constantly asking me to prove that I am
> me with a fingerprint before it uses stored identities, but that is a pain and
> there are ways around it.

Which suggests that we’re asking the wrong question.  And we’re doing that because we have the wrong mental model.

Think about what happens in the physical world.  When you’re standing in front of me, I know who you are … if we’ve met many times before and reasonably recently, and only if I need to recognize you from among a reasonably small group of people, say a few hundred at most.  When I can’t assume those features, I ask for identification. Acceptable identification has to be hard to forge, and somehow needs to be tied to “you,” whatever that means:  Just physical possession, a signature match, a picture, a fingerprint, whatever.  In fact, in high-security applications, if my job is as a guard I’ll insist on the ID even if I’ve let you in the door every day for the last five years.  So what exactly is being identified here?  You?  Your card?  The pair of you and your card?  What does that last even mean?

Of course, the whole reason I’m employed as a guard is so that those inside the facility I’m guarding don’t have to check your ID in every transaction.  Which only works as long as there’s no back door that lets people bypass the guard station.  Your phone is that guarded area.  If we could be sure that there was no back door - someone grabbing the phone out of your hand while it’s unlocked - it would never have to ask for you to identify yourself again.  Indeed, for better or worse, the Apple Watch never asks for secondary ID as long as it senses continuous contact with your wrist.

But note what’s happened here:  We started with an unambiguous notion of who a person is, but rapidly, even in face to face encounters, moved to some person-plus-card combination to proxies like “present beyond the guard station” or “wearing the right badge.”  Except in very simple circumstances, it’s never directly about the identity of a unique person.  And, of course, in any remote interaction, it never could be.

                                          -- Jerry

