Domain: cacert.org
Stories and comments across the archive that link to cacert.org.
Comments · 114
-
I think we've got a different kind of agent here
First Read:
http://xns.org/i-names-explained.html
http://xns.org/xri-and-xdi-explained.html
http://www.xdi.org/
The premise is that you pay for a pseudo-permanent identity in cyberspace.
What else have you got? If you don't have your own domain somewhere, that can often times be taken down by your ISP "just because", what else do you have? Your email address. That's pseudo-permanent, right. Is it 50 years permanent? Maybe.
So you tell everyone your email address for a pseudo-permanent identity - great! .... wait. You've got spam! What if you have to change it?
Will that email address cost you more than $25 over 50 years? 9 times out of 10 people will spend significantly more than that to maintain an email address with any kind of permanency. And they'll get spammed all the while because the identifier is directly tied to the delivery method. You can't tell someone who you are without giving them a direct line.
XNS is a global public database that people can go to if they want to find you, just like DNS resolves mabu.com into the IP address your server is at. Not a global public database that contains all the juicy bits, just who's got the goods. Can you imagine being tied to the same IP address for the life of your domain name???? We all want to be able to move but nobody wants the trouble of keeping every single contact you've ever had informed of your new location.
This system makes it like this: If you want to find me ask my broker. He'll get in touch with me and make sure I still want to talk with you, then either I'll tell him "sure - let him know where I'm at." OR "Thanks for trying to get in touch with me. I'll call you."
You can give your broker a whitelist. All these people (your brother, parents, some old school friends) - tell them whatever they want to know. An offwhite list (you can keep a list of individuals, any from *@alumni.school.edu, how "connected" they are or based on reputation) - feel free to give these people my email but I don't want them knowing where I live. A blacklist tells your broker never to give out any information to (=these, =people, =and.weird, =relatives, =and.old, =girlfirends) And on and on.
The global part points anybody in the world to the place where the goods are at, just like how the root DNS servers point to the "authoritative" DNS box you run on your own net. You can change things there and when people come looking you feed them whatever you want - YOU STAY IN CONTROL.
The whole broker thing... You choose a broker you can trust. Right now there is only one, 2idi.com. Not to say you couldn't start up your own. Granted you'd have to get people to trust you if you didn't want your service to fall flat on its face, but you could do it. Maybe run one for your family or business. Thawte could do it. CACert could do it. Your bank could be your broker. Whoever you trust to handle your personal information, THEY would be your broker.
Sending $25 and your credit card and your email address to 2idi.com is not a requirement to use XNS. At this point they're the only game in town so if you want a particular =i.name, it's pretty much a race. They stick for 50 years.
More (from 2idi.com)...
Basic Terms of Use for your I-Name
* Once registered, you can use your community personal i-name as long as you adhere to this agreement and any applicable laws.
* You can keep your i-name for as long as your community maintains a relationship with an i-broker. You can also add other community or global i-names to your account that can act as synonyms for your community i-name.
* The community i-name registry is public. It does NOT contain any of y
-
Re: "Administration" Password Problem...
Something that's always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.
Well, it's not like it's real hard for me to spoof a Windows dialog box asking for your administrator password (and I bet most users would give it, even though Windows has no concept of 'sudo'), or even telling you that your Internet Connection is too slow.
But it's not just OS X - any OS that has a GUI equivalent of sudo (which now includes FC2, RHEL, SuSE, among others) is easy enough to spoof with a dialog box. FC2 and RHEL just have some python libraries you import, and you're all set, and you get a userhelper dialog, just like the one displayed by the system utilities (system-config-packages, for example), and off you go.
The thing is, there is no good way around this. "Certification" is a problem, since getting your program certified (well, getting the CA) costs a *shitload* of money (yes, yes, CAcert, I saw them at USENIX too, except I wasn't real comfortable having my driver's license scanned by a bunch of people I'd never met), and that would rule out the smaller developers. Plus, it's not like the CA used to sign the programs can ever get stolen, or anything (*cough* Microsoft/VeriSign *cough*).
A key combination (like how XP claims pressing Ctrl-Alt-Del to log in makes your computer "more secure") is a pretty stupid idea, and anything will be able to intercept it before the OS does if it tries hard enough.
The best thing I can think of is that unless the software is produced by Apple (verified via some key), the dialog box to request the admin password says something that says "Admin privileges are being requested by foo.pkg/bar.app located at /Users/joeuser/Desktop/downloadz. According to the metadata, this is required in order to install the following files or do the following operation. This software claims to be produced by FooCorp, at the URL www.foocorp.com". And then maybe that might make the user think harder about what they're doing. Sure, there's no reason why you wouldn't be able to fake it to look like Word or iDVD or something, but hopefully users might take a second or two and think "But, wait, I *have* iDVD, why am I installing a new version". And those that don't are going to get screwed anyway by giving all their money to the son of the former president of Nigeria, or by replying to "Citibank"'s request for their account number and PIN.
Really, I'm convinced education is the only way to fix this. What would be kind of cool would be like what the Justice Department did with online pyramid schemes - setting up fake web pages that lured people in and then told them that they could have been duped and lost millions if they clicked on the "Click here to sign up" link. Apple or someone could make a package that purports to be 10.4 preview release, yet has spelling errors and l33t-speak in the installer text, and then when you give it your admin password, it tells you why you're a moron and how not to do that in the future. But I suspect that wouldn't go over well - people don't like having stupidity pointed out to them.
-
Re:personal sigs
Oh, but you have to pay to get X.509 certificate from some trustworthy CA. Self-signed certificates say just nothing about your identity. The solution: CAcert - it's a CA, which is using web of trust to verify identity of users, and it's free.
-
Re:eMail replacement.
If *everyone* would just get valid, signed certificates to authenticate themselves as a given entity with a given email address, then *everyone* could turn on a switch in their mail client that says "reject all mail that isn't signed with a cert which matches the sender's address and that's signed by an authority I trust".
that wouldn't be free & decentralised anymore.
if you want to have the ability to receive messages from total strangers, you have the ability to receive totally useless messages(spam) from them as well.
How you got modded up to +5, I'll never know. Instead of using my last mod point on you, I'll just demonstrate your wrongness instead.
Signed certs are precisely a solution to the "how do I trust someone I don't know?" problem. If you trust Thawte, then you can trust that an e-mail signed by a Thawte Personal E-mail Certificate comes from a legit address. If a given certified address abuses his signing authority's TOS (say, by spamming) then the SA can revoke the cert. If a SA refuses to revoke a spammer's cert, you can remove the SA as one of your trusted authorities. Don't like Thawte's corporate nature? Add a free SA to your list of TAs.
Would you look at that! Free and decentralized! Who woulda thunk it?
-
CACert?
Isn't this basically what CACert is all about? I would think if you got a CACert by proving your identity to local CACert agents, you could then just use your private key and somebody else's public key to essentially encrypt and "sign" pieces of digital identity for another party to discover. This could work very well with websites as you could basically give the website SSL key the right to view a few things about you without having to fill it in all the time.
-
Another possibility
You could use CAcert and their certificates as required identification.
-
Re:Hasn't he heard of https?
HTTPS is good for transport-level encryption, but it's still vulnerable to man-in-the-middle attacks or a compromised certificate authority. I'm surprised he's not using some form of PGP; he could presumably get a free certificate from CAcert, but there are only three members of that organization in New Zealand who can assure his identity.
The security of the protocol itself is just fine; it's the surrounding factors that make it hard to use, especially for someone who hasn't thought about these things well enough ahead of time.
-
MAJOR OBJECTION
From their website:
How does the Assurance Programme work?
There are two main steps. Firstly, when you join the ECCP, you will be asked for some identifying details, including the number of a nationally recognised piece of ID, such as a passport. We will protect your details according to our Privacy Statement.
CAcert has no direct way to check that (for example) passport number ABC123456 really belongs to you. So in the second step, you meet up with some members of the Assurance Programme, who have already convinced CAcert of their identity. These 'Assurers' check your identifying details, and confirm to CAcert that you are who you say you are. You will need at least two Assurers to confirm your details in this way - this strengthens the integrity of the Assurance Programme's 'web of trust'.
I do not want to give them a Nat'l ID number. In fact, there should be no reason to do so. There is already an infrastructure in place for validating my ID and paper signature. The folks who do this are called Notary Publics. And they have their own web of trust similar to a Certificate Authority's.
Two years ago, my wife and I adopted a little girl from India. Lots and lots of paperwork involved. Most of which had to be signed and verified by a notary. The notary looks at your ID and then adds their stamp on top of the signature. The notary does not keep any of your ID numbers on file.
Some of that paperwork had to go through a second level of verification. We had to take the signed and stamped papers to our local courthouse where the County Clerk then verified that the notary was legit. This was then taken to the State of Ohio where they verified the County's verification. It's been a while, but we might, IIRC, have had to get another level of certification from the US State Dept since we were sending the documents overseas.
So why not just use the infrastructure already available for verifying the identity of a requestor for a certificate made to a cert authority? No need for a CA to keep my Nat'l ID on file.
-
Re:About time...
I think you're forgetting the part about actually verifying the authenticity of what they're signing.
Have you read their site? They give you a certificate that validates the e-mail address or server, but not necessarily the person. You must then get in contact with two assurers and present them with the proper documentation to validate your identity. Once you've done that, your certificate is given your name, instead of the default "CAcert User Cert". More information here.
-
Re:About time...
I guess you didn't check out the website did you? To be trusted, you need to get assurance from at the very least 2 well trusted third parties who have met you in person. Until that stage, your certificates are given a generic username.
For more info on this process and the type of third parties that are trusted, check out this page and the links therein.
-
Invalid XHTML, Invalid CSS, Default Index
Does anyone else find it somewhat offputting that they include links to both validate their XHTML and validate their CSS on the bottom of their homepage, yet both return a number of errors stating that their page is neither valid XHTML nor uses valid CSS?
Even more oddly, for a brief instant when I went to their homepage, I got a default Apache index listing, rather than their homepage. It included links to things such as their PHP MyAdmin directory, a number of PHP files, and three zipfiles named Bruce-someversionnumbers.zip.
-
Re:Open SSL contributes to the problem...
What you're describing begins to approximate the Web of Trust. But why approximate and not go all the way?
Why should each CA have the same trustworthiness value to every user? Joe could think that Verisign was the best thing since sliced bread, while Maria might want to give them a low score, and instead might want to trust CAcert.org more highly.
Furthermore, why relegate trust just to official "Certificate Authorities"? If I know that my brother will do a good job verifying identities of organizations that he deals with, why can't I choose to trust him for these tasks as well?
Once you start to distribute the responsibility for certification, you are building a web of trust, in which each entity can both certify and be certified, and the middlemen/brokers/leeches we use today as CAs would be forced to actually do identity validation or become irrelevant and useless.
Of course, this all depends on every user knowing what it means to "trust a certificate authority"...
And it depends on web site admins not just wanting the "least hassle" when it comes to getting their SSL identities signed.
-
www.cacert.org
now to get a certificate signed for a decent price is the challenge,
check out www.cacert.org
they offer free certificates, and have a reassurance program, that tries to give some validity to the certificate holders...
-
Free root cert
You can get free ones from cacert.org.
I use them to SSL enable my website at glasgownet.com and any other stuff I need certs for.
Well worth it.