Forms of identity, and back to Open vs Closed
Parker Tom TA
Tom.A.Parker at icl.com
Thu, 17 May 2001 18:15:24 +0100
Ian,

>Trying to get vaguely back on topic, for most purposes identity does not
>need to be known, rather you want to authenticate some attribute of that
>entity, (e.g. is a qualified medic). Identity in one form or another
>allows these attributes to be collated or used for other purposes
>(particularly by the state) way too easily.

Nice to see an email on this thread that's still on topic ;-)

Personally I think we should all avoid the term "identity", which is
misleading. There's no such thing as identity (as Margaret Thatcher might
have once said!). There are just attributes, such as birth-name, address, NI
number, DNA fingerprint etc. To say "identity attributes" is better, though
even then there are attributes whose relationship to identity is
borderline, and anyway there's no such thing as identity ...

What I do believe is important is that there are attributes that can be
assessed/verified by TSPs in an open PKI system that will appear in
certificates that will be useful to both the subscribers and relying
parties. After all, the TSP is simply doing the same sort of job as the
relying party would have to do anyway, and in a sense the relying party is
just treating the TSP as an externally hired (for free - since the
subscriber pays) agent. There are plenty of non-PKI examples of agent
attribute verification happening in real life, it's just that the results
are not so public. So provided that the attributes concerned don't raise
unacceptable privacy concerns, and many of them, for many people, would not,
there is a useful purpose to be served.

Regards,
Tom.
> -----Original Message-----
> From: Ian Johnson [mailto:Ian.Johnson@uwe.ac.uk]
> Sent: 17 May 2001 14:48
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Forms of identity (Was RE: Open versus closed
> PKI systems)
>[SNIP]