Wednesday, 7 July 2010

Identity assurance - light in the tunnel

In my previous blog post I talked about the new initiative in the USA. My friend Jussi pointed me to ENISA who have been working on proposals for Europe wide eID cards. I plan to read these documents and work on a proposal for international wide identity assurance system that will fight cybercrime.

As a teaser what is coming, image:

"It is year 2021.
Case 1:Janet starts her work day with her computer. She logs in to the computer with her phone and then accesses the project website. Her phone contains an identity from her government, something like ePasspport, and she uses that to authenticate herself everywhere. When she fires up a web browser and accesses site, all her IP packets (IPv6) are signed with her identity. Hence she does not need to authenticate to the Facebook separately. When she sends an email, it is signed automatically. She has no worries about privacy as the system automatically send the bare minimum of information necessary for her to prove who she is or what she is".

Case 2:Nick, a cyber criminal, has tough times these days. He is desperately trying to find an ISP that will not block IPv6 packets that are not signed with his digital identity. Yes, he could steal someone else's identity, possibly, but the system would quickly discovery that that identity is used elsewhere and shut it down.
He finally finds a roque ISP that charges him $1500 for an hour of un-athenticated session. To his horror, all his packets are blocked by upstream ISPs and the roque ISP is disabled in the Internets' BGP peering tables. Nick has just lost $1500 and gained nothing. He better find some normal job to make living.

Case 3: Claire, bored business executive, wants to create new profile on Facebook2020. She would like to pretend she is 16 and chat with teenage boys. When she start filling her new profile data, the age is automatically selected and she cannot change it. It is part of Facebook2020 policies that users cannot modify their age. The age is provided as an attribute by her ePassport identity. "

Far fetched? Not if we design a system that will deliver right level of privacy, identity assurance and automated protection.

Watch the space
Categories: ,


Post a Comment