From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <4C2A29B0.7000501@authentrus.com>
References: <4C295A3E.30403@authentrus.com> <4C2A29B0.7000501@authentrus.com>
Date: Tue, 29 Jun 2010 13:27:01 -0400
Message-ID:
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [9fans] offered without comment or judgement
Topicbox-Message-UUID: 38f1cff4-ead6-11e9-9d60-3106f5b1d025

2010/6/29 Wes Kussmaul:
> Stanley Lieber wrote:
>>
>> Anywhere legitimate identification is used, legitimate identification can
>> be purchased.
>
> There are imperfect but very good ways to protect against that
> vulnerability. They vary with the needs (and budgets) of relying parties.

I'm pretty sure you can't solve the problem. At the end of the day, it
boils down to client-side security and what a person is willing to
defend with their life. It's perfectly feasible to assume that
identity information in a PKI world can be coerced and stolen as
easily as physical identity information such as driver's licenses and
social security cards. The security always breaks down at the personal
level, and most private individuals aren't willing to die to protect
this information.

But you can do at least as good as these forms of ID. PKI requires
knowledge of some sort of passkey. (I just worry about identification
for people who are not smart enough to pick a good key. Which,
unfortunately, is also most people.)

--dho