Forms of identity, and back to Open vs Closed
Nicholas Bohm
nbohm at ernest.net
Thu, 17 May 2001 18:30:33 +0100

At 18:15 17/05/2001 +0100, Parker Tom TA wrote:
>Ian,
>
>>Trying to get vaguely back on topic, for most purposes identity does not
>>need to be known, rather you want to authenticate some attribute of that
>>entity, (e.g. is a qualified medic). Identity in one form or another
>>allows these attributes to be collated or used for other purposes
>>(particularly by the state) way too easily.
>
>Nice to see an email on this thread that's still on topic ;-)
>
>Personally I think we should all avoid the term "identity", which is
>misleading. There's no such thing as identity (as Margaret Thatcher might
>have once said!). There are just attributes, such as birth-name, address, NI
>number, DNA fingerprint etc. To say "identity attributes" is better, though
>even then there are attributes whose relationship to identity is
>borderline, and anyway there's no such thing as identity ...

I suggest "identity" can usefully be seen as a relationship. If I am
buying a house, I want to be sure that the seller I am dealing with is the
same person as is recorded as the proprietor in the land registry, i.e.
that in this sense there is an identity between them. I think this is
quite often the sort of identity that is useful.

Unfortunately it often aligns poorly with what general purpose "identity"
certifiers can offer, since they can do name and address, but in property
registers these often turn out to have changed over time without any change
in the underlying identity relationship (e.g. by usage, on marriage, etc).

For this sort of reason it remains to be seen whether there is a real
money-earning business in certificate issuing.

>What I do believe is important is that there are attributes that can be
>assessed/verified by TSPs in an open PKI system that will appear in
>certificates that will be useful to both the subscribers and relying
>parties. After all, the TSP is simply doing the same sort of job as the
>relying party would have to do anyway, and in a sense the relying party is
>just treating the TSP as an externally hired (for free - since the
>subscriber pays) agent. There are plenty of non-PKI examples of agent
>attribute verification happening in real life, it's just that the results
>are not so public. So provided that the attributes concerned don't raise
>unacceptable privacy concerns, and many of them, for many people, would not,
>there is a useful purpose to be served.

But given the variety of attributes and the probable difficulty of
establishing formal standards covering their verification in all the ways
that people want to verify them for themselves, it remains uncertain
whether building and maintaining a widespread interoperable collective of
PKI systems will turn out to pay. Watch Baltimore's share price.

Regards
Nicholas

Salkyns, Great Canfield,
Takeley, Bishop’s Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF