[1564] in RISKS Forum
Re: Risks Digest 21.15
daemon@ATHENA.MIT.EDU (Simson L. Garfinkel)
Thu Dec 21 13:27:45 2000
Message-ID: <000f01c06b7c$3ed77c00$aa27113f@slgpcg>
From: "Simson L. Garfinkel" <slg@walden.cambridge.ma.us>
To: "RISKS List Owner" <risko@csl.sri.com>, <risks@mit.edu>
Date: Wed, 20 Dec 2000 22:07:24 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
> Date: Sun, 18 Dec 2000 22:00:11 PST
> From: "Peter G. Neumann" <neumann@csl.sri.com>
> Subject: Another DMV Break-in, in Oregon
>
In the mid 1990s, Pitney-Bowes developed and demonstrated a system for
digitally-signed drivers licenses. I believe that the system was called
VERITAS, but I could be wrong. The system provided for a 2D barcode on the
back of each driver's license. The barcode contained a digitized copy of the
driver's photograph, name, address, height, age, etc. The 2D barcode was
signed with the digital key of the day, which itself was signed with the
system key. I believe that the system key was changed every year.
The company's business plan, I believe, was to basically give away the
identity systems to state governments and then to sell verifiers to stores,
restaurants, bars, etc. You would slap a person's driver's license down onto
the verifier and it would display their photograph and tell you if they were
old enough to drink, etc. It would also verify the signature.
The Pitney-Bowes system was specifically designed to prevent the
break-in-and-steal-it problem. Each morning the systems in the field would
call up and get their key-of-the-day signs by the system-key. If a system
was stolen, those systems wouldn't get signed. If they actually issued
fraudulent cards, you could blacklist those cards and distribute the
blacklist to the verifiers. You could even use caller ID to make sure that
you wouldn't issue certs the phone number it was calling from wouldn't match
the caller ID, and the system wouldn't issue a key.
I saw this system at the RSA conference in 1993 or 1994. I was quite
impressed. But Pitney-Bowes never sold it. I believe that there was a patent
infringement problem.
