Devon H. O'Dell wrote:
> 2010/6/29 Wes Kussmaul:
>
>> Stanley Lieber wrote:
>>
>>> Anywhere legitimate identification is used, legitimate identification can
>>> be purchased.
>>>
>> There are imperfect but very good ways to protect against that
>> vulnerability. They vary with the needs (and budgets) of relying parties.
>>
>
> I'm pretty sure you can't solve the problem. At the end of the day, it
> boils down to client-side security and what a person is willing to
> defend with their life. It's perfectly feasible to assume that
> identity information in a PKI world can be coerced and stolen as
> easily as physical identity information such as drivers licenses and
> social security cards. The security always breaks down at the personal
> level, and most private individuals aren't willing to die to protect
> this information.
>
> But you can do at least as good as these forms of ID. PKI requires
> knowledge of some sort of passkey. (I just worry about identification
> for people who are not smart enough to pick a good key. Which,
> unfortunately, is also most people

It's true, people give up their ATM card PINs at gunpoint. Guns are a problem, especially where people tend to still use currency. Online, not so much. Possession is still the most effective factor. As our site points out,

------------------------------------------------------------------------

After spending millions of dollars on network security, corporations still have major security problems. Meanwhile, your ATM card allows your bank to dispense cash with confidence from a machine on a city sidewalk. The technology used by your ATM card is more ancient than the floppy disk. So why are bank ATM networks generally secure, while corporate information networks, in spite of continuous investment in the latest security technology, are barely able to keep ahead of intruders?

The difference is not about technology. The difference is about assumptions and architecture.

Your bank's ATM network starts with the premise that knowing who you are is the foundation of security. If a trusted co-worker asked you to share your ATM card and associated PIN, what would you say? Of course, they would never ask in the first place. If that co-worker asked you for your network password, what would you say? In many companies, collaborative work gets done by sharing access credentials, in spite of rules against it.

--
Learn about The Authenticity Economy at http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#