[6265] in cryptography@c2.net mail archive
Ellison & Schneier on authentication, private information
daemon@ATHENA.MIT.EDU (David Honig)
Mon Dec 13 22:39:25 1999
Message-Id: <3.0.5.32.19991213182848.007c8390@pop.sprynet.com>
Date: Mon, 13 Dec 1999 18:28:48 -0800
To: cypherpunks@algebra.com, cryptography@c2.net
From: David Honig <honig@sprynet.com>

Ellison & Schneier point out in their PKI paper that
to verify a person, you need shared information
which isn't public -- unlike most of
the data the credit companies keep. Your mother's
maiden name really doesn't cut it any more.

This is right on the mark.

In conversation where natural voice biometrics
aren't used (e.g., email) you can verify
that a person is who they claim
by using shared meatspace history
as your shared secret. "Hey, remember that
time..."

But many people document their lives
on line; the blooming of narcissism
or expression, take your pick. Imagine
spoofing an identity by using inferences
made from, say, their Burning Man (tm) or family
online photos and stories or images autoretrieved
from the zillions of public-area webcams coming
soon to an area near you. "Yeah, my Joe Jr. went
to 2nd grade with your Jane in '98... are her braces off yet?"

(Of course, if a mutant spoofs a normal, this
self-documentation could be self-protective
disinformation; info-mimicry. It would act as a 'honeypot'
to catch the casual faux-familiar.)