White House Unveils Plans For "Trusted Identities In Cyberspace"
Presto Vivace writes with news that the Obama administration's cyber-security coordinator, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote,
"The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)."
You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.
One ID you can use anywhere? Sounds a lot like what the OpenID project is already trying to do. It's a nice concept, but I don't like the idea of anything like this being run by the government. Government interference with the internet seems to be the fastest way to dystopia, these days.
Are you interested in French?
So isn't this just another one of those open/secure authentication mechanisms, which means that we're now going to have to remember an ever expanding and potentially insecure methods, instead of passwords, of identifying ourselves to various entities on teh internetz?
Always proofread carefully to see if you any words out.
Who do you Serve, and Who do you Trust
-- Galen the Technomage, B5Crusade
It is good to see that the government are using existing technologies for political talking points. Now if government tries to push something other than SSL I would be disappointed.
There is or can be built a machine that can simulate any physical object. -Church-Turing principle
but ms passport sucked
Snowden and Manning are heroes.
We do need a mechanism of trusted identities. The identity should be verified biologically through some hardware. No software can replicate the authentication capability of a retina or facial scan. This biological information should be stored on the smartcard along with the password.
My question is what took them so long to switch to smartcards? Passwords have been notoriously insecure and everybody in the information security industry considers passwords to be a joke.
The problem of authenticating yourself many times to different websites is solved by OpenID. The problem of having a secure web identity is also solved - anyone can put a public key on their homepage and sign everything they write. The inclusion of credit cards and electronic health records suggests the true motive for this policy: trying to tie people's internet identities to real life identities. Thanks, but given that the opinions I post here have already earned me 3 'foes' I'd rather not have every potential employer take a look at my Slashdot account.
I need to download a German accented voice so when my computer says, "Your papers, please." it will sound authentic.
If Slashdot were chemistry it would look like this: Cadaverine
Why not just tattoo a barcode on the back of my neck and inject an RFID tag into my left wrist and be done with it.
The Department of Homeland Security (DHS), a key partner in the development of the strategy
Really now... Of all the orgs I'd let have anything to do with 'trust'. The White House isn't in the top thousand.
Unless it's more along the lines of ''I trust them to fuckup completely and blame someone else''.
We do need a mechanism of trusted identities. The identity should be verified biologically through some hardware. No software can replicate the authentication capability of a retina or facial scan. This biological information should be stored on the smartcard along with the password.
My question is what took them so long to switch to smartcards? Passwords have been notoriously insecure and everybody in the information security industry considers passwords to be a joke.
Unfortunately, you can't revoke your retina... What happens when we figure out how to spoof your eyeball? Then what? Passwords and keys are fine with me. I don't get the joke about the passwords?
They can trust the identity of deez nuts.
Go easy on me, moderators.
>where individuals and organizations can complete online transactions with confidence,
>trusting the identities of each other and the identities of the infrastructure that the transaction runs on
I see, so we just hand over the keys to our online identities and trust the Federal Government instead. Right. And what if we would rather not trust them? Some of us might not want the Fed having access to everything we do. And if such a plan gains traction, you can bet that sites will jump on it and consumers won't have any choice but to use such a system or be denied access to more and more online stuff.
Sounds like some companies are lobbying for the burden of verification to be put on the consumer, not the provider. Like Verisign (et al) in reverse.
I like things the way they are now, because I don't have to provide an explicit identification to anyone I don't need to.
Sounds like a great idea. There's room on the internet for any such initiative - so much room, in fact, that it's likely that this will affect no-one except those who choose it.
"In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
I think a 'strong identity' transactional system likely requires a secret known to a user, paired with a hardware device that can be remotely disabled, and is difficult to tamper with and lift the user's keypair from, even with the user's password. I think that can be built, but the 'remote kill' potential is alarming in the context of a national (or more than national) strong-identity system. In order to be reliable, parties will have to check transactions against some sort of central database, which is a serious privacy concern.
My suspicion is that any system you attempt to use for this purpose is immensely more useful when you ditch the 'strong identity' requirement, as a strong transactional system is good at preventing fraud, and with no (or limited) identity tied to a transaction, there is no substantial risk to privacy, data disclosure, etc, which are the stated goals of the plan.
I wish my government would do something similar, like calling for the creation of flying ponies for everyone. No, wait - flying invisible ponies for everyone! I'm sure there would be no problem getting reality to comply with government wishes.
Certainly not the government. Our "trust" has recently netted us one economic disaster, and one industrial catastrophe. I realize that the current method isn't optimal, but he who has the information, has the control. That having been said, I'd like to retain as much control as possible, especially when it comes to information that can be easily stored, profiled, shared, etc. One of *anything*, I'd argue, is a bad choice. Something about eggs, baskets, human nature, greed, power, etc.
What the government creates the government controls.
Sigs are for losers.
Sounds like they're just trying to create a proprietary government-owned, -controlled and -legislated OpenID/PGP network. This is still a stupid idea - The reason my account isn't my real name is that I want a disconnect between my activities online and my activities in meatspace.
At fist such a system would be opt-in. Then it would gradually become mandatory in the name of fighting pedophilia (think of the children!) Then you can kiss online anonymity goodbye.
http://www.gpgauth.com/ is a good technology. It's open and it's based around GPG. The main thing holding us back is the lack of hardware standards and lack of hardware in general. We should have the hardware in place otherwise a lot of the software will be useless.
We need better smartcards, better e-tokens. The idea of putting identity on our cellphones is stupid. Put it on a card so it can be put in your wallet or hidden if necessary. By putting it in your cellphone it's a huge target for hackers.
Anybody can log in as you and nobody knows any better.
I think it'll fail unless it gets a big dose of reality shortly. How many things in our society, both public and private, have remained untouched by reality?
1. I don't trust the government to be competent with this
2. I don't trust the government to not abuse this power
The government is perhaps the single most important entity to protect yourself from. If cashflows and internet security are under the government's thumb, then contraband and actions to protect yourself from the government are going to be much harder to come by. I don't want a government ID credit card, I want a closer equivalent to cash, so I can make online purchases with LESS of a paper trail.
This is my signature. There are many like it, but this one is mine.
A few months ago, I wanted to post a question to StackOverflow. It was the first time I was going to submit something, so it was also the first time I had to log in. I was dismayed to see that they had chosen OpenID, rather than letting me quickly create an account specifically with them.
Now, I don't have an account with Google, or Yahoo!, or AOL or one of the numerous other OpenID providers they support. So I had to go through the process of signing up for a Yahoo! account, which was a pain in the ass, to say the least. Then it was back to StackOverflow, so I could log in, and submit my question. Except it didn't work. I couldn't log in. I'd get sent to Yahoo!'s page to log in, and I'd log in there successfully, but I wouldn't be logged-in at StackOverflow.
I really didn't have any time or inclination to figure out what was wrong, so I went through the hassle of creating a Google account. In the end, it was the same problem as with the Yahoo! account. It just wouldn't recognize that I was logged in.
Maybe it's a problem with my browsers (I tried Opera, Safari, Chrome, IE and Firefox for each provider), or maybe it's a problem with my network infrastructure, although I suspect it's a problem with StackOverflow or OpenID.
Regardless of what the technical problem was, I wasted far too much time just trying to log in to the goddamn StackOverflow site. Authentication is one of the most basic operations of any multiuser and/or networked software system. It's something UNIX has gotten right for 40 years. There's no reason for OpenID to be as shitty as it is.
In the end, I said "fuck it" to StackOverflow. If they want to make it difficult just to log in to their site, I won't use it. I asked my question on a mailing list instead, which worked flawlessly.
You verify your identity by smartcard. We don't need a central authority to do it for us when we can just put our card into our reader and enter a pin.
When you go to an ATM do you need a central authority to verify your identity with a certificate?
Having a government run operation where I can safely store my name, address, soc. # and ip address sounds awesome. It will bring states an easier way to collect sales tax for my online purchases too which will save me some time filling out my taxes every year. Since it's run by the us gov, I'm sure they'll have a reputable source overseeing the security of the system also. You know, like Diebold or maybe Blackwater.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Great! Now we can vote online directly on all issues most frequently. Since most of us are more educated, and capable of casting intelligent votes. We no longer have to rely on one or two potentially crazy representatives. Goodbye bribery! Lol! Ya right!
Seriously though. I picture an online system where we can subscribe to categories of interest (eg. Technology) and get a list of issues to vote on at the federal, state, and local. I won't be happy until the founding fathers' idea of giving the people as much direct representation as possible is restored. We no longer ride horses and can't read, we should be representing ourselves.
More spew from some NoBama pseudogeek.
From the Executive Summary:
"The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques." (pgs 4-5)
If the author is this tentative in the Executive Summary, I don't have much confidence that the result will be anything solid.
Besides, the EFF and such should oppose the imposition of any government identity 'mandates'. I know this draft says that "participation in the Identity Ecosystem is voluntary for both organizations and individuals", but we all know how these things grow up into requirements.
And where's the what_could_possibly_go_wrong tag? :)
Given how wonderful gov. regs are at dealing with plain old identity theft, imagine just how well this is going to work out.
Getting closer to the mark of the beast...
Live life to the fullest, you only get one chance at it.
Your plan advocates a
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
(x) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
(x) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
From the Document Itself:
"Envision It!
An individual voluntarily requests a smart identity card from
her home state. The individual chooses to use the card to
authenticate herself for a variety of online services, including:
Credit card purchases,
Online banking,
Accessing electronic health care records,
Securely accessing her personal laptop computer,
Anonymously posting blog entries, and
Logging onto Internet email services using a
pseudonym."
I always want to use a self-identifying card when anonymously posting blog entries. Seems like this also could be easily abused by a government who conducts warrantless wiretaps and other illicit snooping.
"Imagine a world where individuals can seamlessly access information and services online from a variety of sources - the government, the private sector, other individuals, and even across national borders - with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords."
Honestly, this doesn't seem like a good idea from a security standpoint either. Let's say I wanted to commit fraud or identity theft or any of the other things this card is supposed to prevent. Now, originally, I would have to compromise your 30 passwords. If I hacked your blog, I wouldn't be able to access your bank account because they have different passwords. Now, if a blackhat hacker hacks this universal access method they get universal access. Scary.
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
Can you say single point of failure?
File under 'M' for 'Manic ranting'
I believe this is being approached the wrong way. The internet is its own virtual country and doesn't translate to physical boundaries. And as such will only be able to define itself by itself, and not by some outside agency. The internet is more like the old west, with complete anons and outlaws and will always be the out west. But just like the days of old, groups of people got together and formed territories, and those join to form larger states, and self governance and all its other issues were created. So basically what I envision is an internet government with internet citizenship, and where those identities can be judged and tried with penalties of not being able to use said country.
And we'll take this ID, and implant it under your hand, or, if you're really "cool", we'll put it under your forehead. We'll expand it to track your finances, so you only use that when you shop anywhere too! (It's the end of the world as we know it....)
This is what we are witnessing. And it's going out with applause and support. :(
---- Booth was a patriot ----
Hack once, access all
Read this proposal for what it is: a different way to name an attempt of removing anonymity from the web.
The NSTIC, which is in response to one of the near term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. ...
- I am sure this is going to be made a requirement for a site to operate at some point, add this to the 'Internet kill switch', add the Patriot Act to it, multiply by Homeland Security and don't forget to factor in the rendition, you are going to have an interesting situation.
The President will be able to shut down portions of the Internet, he will be able to identify who was saying what and when, this entire thing reeks of totalitarianism - complete control by the government over the dissemination of information and total knowledge of who was saying what on which topic plus ability to take action - shut down the dissenting portions of the web and then 'taking the necessary care' of those, who dare to oppose the government in any way, be it direct opposition to specific policies or be it simply providing information to the people that government wants to keep quiet and providing a forum to discuss this information.
You can't handle the truth.
I agree that we need to make a few changes to prevent the decline of the country, but I'm not sure if that should include becoming Korea.
Except you'll probably be required by the states (who are held hostage by federal funding) to have one to get a driver's license or benefits. This is yet another back-door attempt to institute a national ID card, except this would also happen to let the govt decrypt all your transactions.
Let me disclose up front: I work with personal information.
Our current identity infrastructure blows goats. If you know someone's name, social security number, date of birth, and mother's maiden name, then for all practical purposes, you are that person.
Never mind that those identifiers are easy to obtain and never mind that the problem of verifying that a person is who they say they are can easily be solved using a web of trust model based on their relationships with durable entities (e.g. I have a record in my phone provider's database with my name and address, I have a record in my bank's database with my name and address, I pay rent each month under my name with that same address).
I shouldn't have to worry about some assclown who doesn't answer my phone or receive my mail getting a credit card linked to my credit score. This isn't a hard problem, it just requires some infrastructure. And if you think solving this problem is a threat to anonymity on the internet, you're clueless.
My only political goal is to see to it that no political party achieves its goals.
I should know, we spent 3 years building the most secure commercial internet authentication system, with a 5 site redundant cloud of authentication services. 3 of 5 sites were necessary to pass an authentication, so we could handle two complete site thefts, or two complete site disasters and still authenticate safely (auth material was split utilizing a secret sharing algorithm). Each of our data sites were military-grade EMI/Faraday cages, under separate corporate ownerships.
In other words we spent millions on building the easiest & safest way to authenticate a user on the 'net, with most of that on auditing, code reviews, facility buildout etc...
And nobody wanted it!! Not for any price... not even for 50 cents/user a year!! Banks said users would NEVER type in two passwords,... HA!
I said no... but I missed and it came out yes.
..where the common ID is voluntary, reasonable, useful.
Part two is the law forcing all ecommerce to use the ID for taxation.
Part three is the law forcing all political discourse comment (blogs etc) to use the ID to protect the children and prevent terrorism.
Most of you never use a real name on the internet. I use this alias "leuk_he" for over 10 years.
Why? Because what you put on the internet can never be deleted. And because you cannot be sure how some internet forum will use your privacy. Privacy never was very important on the internet. And this was worked around all this time by using handles/aliases. There is a new generation now that freely uses their real name on facebook. But those same individuals will bump their head in 5 years because a new boss will be able to find their view on vampires a little bit disturbing.
A real-ID on internet will only make this privacy thing more urgent.
--leuk_he
I don't mind having to remember an ever expanding list of usernames and passwords. And I don't see how that's more insecure than something with a single point of failure.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Mark Klein, the retired AT&T communications technician, whistleblew the existence of secret NSA spy rooms with data-mining equipment called a Narus STA 6400, "known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets". Senator Lieberman promises the "Internet kill switch" is not really a kill switch and won't be abused like that. The same specious promises were made about not abusing the PATRIOT Act. Lieberman's Enemy Belligerent Act allows for disappearing even Americans, without due process, into a black hole. If people can be physically disappeared, why not virtually, too? Add to those, the massive NSA data centers, now under construction. You have a recipe for disappearing dissidents and upstarts and most especially, whistleblowers. Think Wikileaks, etc.
I almost checked the "Post Anonymously" button on principle, but the difference is that I can choose what part of my identity to share with Slashdot. I just finished reading How to Access the Internet, A Guide from 2015 when I flipped to Slashdot and saw this article. Here's the first step. Creepy.
One ring to rule them all!
Letting the government have access to my master ring ya right! They can snatch you, correct your posts, and bankrupt you in nanoseconds!
Over my dead ..carrier anomaly detected ....
The ultimate end of things like this will always lead to zero privacy. Just like when they promised that SS#'s would only be used by the government, but now everyone including your local video rental store uses to identify you. Just like when they intentionally scrambled license plates on cars to prevent both citizens and the police from easily identifying you, but now police can scan your plate and know instantly who you are. Remember that the founders of the USA intended that Citizens have as much protection FROM the government as possible, and part of such freedoms that citizens actively participate in the protection of their societies and nation (2nd Amendment, Citizen's Arrest). But now the collective mind has moved from creating a fellowship of nation and protection of each other to a salad bowl of little Chinas, Mexicos, Koreas, Vietnams, Russias, and Afghanistans while expecting the police to provide 100% of our protection from thugs, thieves, and murderers contributing to a mindset that encourages criminal activity and personal disregard for the safety of their neighbor and society.
The biggest problem with unified systems is the risk associated with failure or breach. We have all seen the stories of "Cloud Computing Clusters" & "Centralized Data Centers" knocking businesses' web services or even internal services out of commission from some of the most mundane problems. Problems like an update messed up service and causes a near massive outage. A vehicle took out a power line in a crash. Or how about malware written specifically with a system in mind wreaking havoc on specific systems or using them to coordinate an attack against another group of systems? As Political Correctness goes, humans are supposed to celebrate diversity. Yet when it comes to government and power they clamor like sheep to the slaughter for one size fits all action that slowly and steadily removes diversity. Just like ISPs are now wanting to or actually already providing your ZIP+4 to advertisers so they can (know more about you) offer you more targeted ads, this will eventually be used to track your whereabouts relentlessly. Your cell phones and GPS toys already provide a constantly on and near public broadcast of your location at all times. The security for cell phones is a puerile joke for anyone that cares to breach them.
If you say okay to your government when they sequester more power, then you are an irresponsible citizen and are deserving of the enslavement and corruption THAT WILL COME FROM IT! Someone will be wearing the cuffs... do you want to wear them, or should they? This like many things in the past have proven to be the beginnings of power grabs by the government.
The Presidential Socialist Candidate, Norman Thomas, said the following in his 1944 speech:
"The American people will never knowingly adopt socialism. But, under the name of "liberalism," they will adopt every fragment of the socialist program, until one day America will be a socialist nation, without knowing how it happened."
He went on to say: "I no longer need to run as a Presidential Candidate for the Socialist Party. The Democrat Party has adopted our platform." Norman Mattoon Thomas (November 20, 1884 - December 19, 1968)
For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services.
That's actually creating many other problems. For example, if my online identity is the same across many sites, information that I am not willingly providing to one site can just be scraped off another. As another example, various bits of data can all be easily tied back to an individual, undermining their privacy.
Twinstiq, game news
I have no cell phone... should I be forced to pay high monthly fees just to get an ID I don't want?
Looks like the future is coming. Fast. See this post that appeared in digg TODAY http://digg.com/tech_news/How_to_Access_the_Internet_A_Guide_from_2025
So this is what the future is going to be like. First step, make this voluntarily. Then a lot of services will use this. I live in Spain, and I see this coming. Here Franco's dictatorship established what you're fighting against in many countries right now: a national identity card (called DNI). Our DNI is already electronic, comes with a chip with all the information and can be read with a card reader, and contains some legally valid certificates with which you can authenticate and sign anything.
For us, this is a normal thing because we've been living having DNI for decades, and if you ask just about ANYONE, it's good. The police have our fingerprints, photos, and all data, and this way they can identify anyone, they can use the fingerprint for crime-scene-techniques like in CSI, etc.
Now the government of Spain is spending a lot of money and time trying to make people use the electronic DNI. They have a nice web page with info for developers (https://zonatic.usatudni.es/). An increasing number of websites are using https (SSL) for authentication via e-DNI (like banks), and Java Applets for signing all kind of things. For example there's a webpage (tractis) in which you can sign electronic and legally valid contracts.
You might be an optimist and think you have two choices: you can either fight against it, or use it. But really, read all above. This is not something you can easily fight against. I am an advocator for liberties, but I'm also used to having DNI, and I've surrendered. I'm helping a new political party called "Partido de Internet" (Internet Party) whose aim is to be able to have a liquid democracy in which our representatives will vote what people vote over the Internet.... using DNI-e. So yes, I'm helping the governmental machinery trying to spread the usage of electronic national identity cards. Welcome our 1984 overlords!
This is the first step. Next step will be to make its usage mandatory for every login. They're requiring everyone to secure their wifi in Germany to prevent unauthorized people from using their Web access to illegally download data. And then, probably much earlier than 2025, we'll be as bad as in the first digg link in this post. We're already living in a dystopia worse than 1984 in many ways, but we see it normal because it can always get worse - and it certainly will.
Am I just being paranoid or does that sound like the first steps to combat whistleblowers, political dissidents, and anonymous blogging to anyone else?
At fist such a system would be opt-in. Then it would gradually become mandatory in the name of fighting pedophilia (think of the children!) Then you can kiss online anonymity goodbye.
who is "they"? And how would they force you to log into 4chan?
Indeed, who is this "they"? The post you are responding to never said "they".
However, the *FIST* is not imaginary. I can only assume that "at fist such a system would be opt-in" means they punch you until you agree to opt-in.
Just had a look at the document.
Dated 25 June: interesting timing, just when students, who are the ones who might mobilize against this, will be dispersed for the summer.
Funny how in this perspective the infamous ASCAP letter that came out just before this, telling its members that organizations like EFF and Creative Commons are undermining copyright, now looks like a minor distraction...
Hmmmm...
For the paranoid out there, combine a government secure ID for buying and selling with the implantable verichip already approved by the FDA - http://www.msnbc.msn.com/id/6237364/
and you're getting pretty close to the "mark of the beast" foretold in Revelations - Revelation 13:16-18
"And he causeth all, both small and great, rich and poor, free and bond, to receive a MARK in their right hand, or in their foreheads:
And that no man might buy or sell, save he that had the MARK, or the name of the beast, or the number of his name."
If the Demoncrats wanted an issue to absolutely positively insure they will be swept completely out of power by an irresistible overwhelming landslide of panicky reactionaries in the next election, they have pretty much put their foot in it right here.
The Federal government is borrowing and spending over $1.6 trillion ( > 10%) of GDP this year alone. A debt, that We, The People will eventually be responsible for, either through pernicious levels of taxation, or theft of our accumulated wealth by destruction of the currency (If someone sees another possible eventuality, it would cheer me up to hear about it.)
Yet, with this catastrophic fiscal crisis clearly on the way, the government still seems to find the time and resources to conduct a relentless assault on the civil liberties of the citizens that it pretends to serve.
By the People, of the People, for the People ????
Is there anyone out there besides the Mainstream Media, government employees and the politically well connected elite that even believes that sad, cruel joke anymore?
The fact that we continue to PAY for this nonsense is the most infuriating thing of all.
This sounds a lot like the Unicard.
There are two fundamental cases in which identity matters. In the first, identity matters because you want to know with whom you are dealing. For example, the bank really needs to know that the person accessing their systems is who they say they are, so that they can connect the presented identity with the requested resource without placing themselves in legal jeopardy. The ISP needs to be able to associate the incoming line with an account so that the billing is sent to the right place. In this kind of interaction, it is absolutely essential that means of securing the identity exist outside of the Internet and have legal force. But these uses are also relatively few, out of the many cases for use of identity.
In the second, you want to know that the person you are dealing with is the same person you dealt with before, but you don't really care who they are. When I log into Google to read my RSS feeds, Google doesn't really need to know who I am; Google needs to know that I am the same identity that has visited before, so that it can appropriately target ads (from its point of view) and show me the information I've asked for (from my point of view). For the most part, authenticating to computers in a work environment does not really care about who you are, so much as it cares about what you have access to. If the system thinks I'm "John Doe," but gives me access to only those resources I should have and no others, then it has succeeded at its purpose.
Most people would be reasonably happy to have the government involved in the first type of case, for the same reason most people are perfectly happy to have the government issue driver's licenses that are used as identification, or passports used as identification. Yet even in those cases, most people would probably not be happy to have all of their identity documents issued by the same level of government and used for every possible purpose. (For example, try proposing the use of Social Security cards as identification, and see what happens.) This is because people are more worried about promiscuous overuse of irrevocable identity, and the risks that entails, than they are about having multiple forms of identification. Despite the solution of many trust issues, people want the ability to refuse to get a passport, or refuse to get a driver's license, or whatever, should they so choose. The second set of cases is even more evidently none of the government's business. The government should not be involved in what I rent from the video store, what I get from the library, what I buy online and the like. They may need to collect value/volume metrics tied to me, depending on the taxation scheme in use, but that's as far as it goes.
If I trusted the government to stick to the first case, and to make a competent execution of it, then I would not have much problem with limited use of such a system, revocable at any point by the user and completely optional. But I don't trust that execution would be competent, that the government would limit its intrusions, that the government would allow revocation of an identity once issued, or that the government would keep the system optional. So frankly, this strikes me as a very, very bad idea.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
This sounds pretty much exactly like the system Vernor Vinge described in "Rainbow's End." (Which also included the "kill switch" that came up on slashdot a few days ago.) However Vinge had what seemed to me to be a naive optimism that the government would have some kind of epiphany and realize that it should use such unprecedented power only to protect people from serious crimes, and not for the kind of petty things the government currently abuses its power for.
This Space Intentionally Left Blank
Couldn't you solve this problem with public key encryption based digital signatures? I mean, you don't even need some giant government database containing the keys to everyone's private information. The entire point is to let anyone and everyone have my public key, and in fact to assume that every malicious person has everything associated with any transaction involved except for my private key. So long as people keep their private key private, then there's no problem (ok, big assumption, but no worse than passwords currently are), and as a plus it could also be used to set up cryptography as the normal way for information to travel over the internet... oh, I see why the government would never encourage that. Never mind.
A smart card might well be a useful tool to safely present your identity to many different web sites. However, that's not the only way. And I am not talking about OpenID, which has risks. And I am not even talking about delegating any form of trust to another party (which OpenID does).
The simple answer is that browsers should maintain your identity information. You provide the encryption passphrase to access that database of identity info. Each time you visit a site that requests a login (by means of standardized headers in the HTTP response for this, which includes an HTTPS URL to present identity), an indicator of your choice in the browser will inform you that you have the option to signup or login. You might even set a given site name to be automatically logged in, if you prefer (a flag added to the identity info stored in your encrypted database). The signup process exchanges random numbers. To login, the browser switches to HTTPS and verifies the certificate against both the CA certificates as usual, and also a certificate reference in the identity database. Then an authenticity exchange of choice (password, CRAM-MD5, etc) will take place from information established when first signing up. Then you're in. No need for a third party.
The scheme needs to be open source so it can be verified as correct. The format for the database needs to be standardized so it can be ported to other tools when desired (probably best a text format, compressed, then encrypted).
Now this scheme won't connect a signup to a real person. If a web site wants that (for example a bank), then more needs to be done, and that smart card might be one way to do it. But for accessing web sites like Slashdot, that should not matter (free speech doesn't need to know who you really are, and for various reasons, must not, or else the speech can't really be free). I just don't want people thinking the smart card is needed for most web site logins (although the smart card might well be someone's preference for opening the encrypted database of web site identities).
now we need to go OSS in diesel cars
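The login flow described in the comment above (random numbers exchanged at signup, a per-site certificate reference checked before login, then a challenge-response exchange), as an added example that is not part of the original thread and not any browser's API. HMAC-SHA256 stands in for CRAM-MD5; the class names, the derivation of the shared secret from the two signup nonces, and the use of raw certificate bytes are assumptions.

```python
import hashlib
import hmac
import secrets

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, used as the stored certificate reference."""
    return hashlib.sha256(cert_der).hexdigest()

class Site:
    """Server side: one shared secret per account, single-use challenges."""
    def __init__(self, cert_der: bytes):
        self.cert_der = cert_der
        self.secrets = {}   # account -> shared secret
        self.pending = {}   # account -> outstanding challenge

    def signup(self, account: str, client_nonce: bytes) -> bytes:
        # Assumption: the secret is the hash of both sides' random numbers.
        server_nonce = secrets.token_bytes(32)
        self.secrets[account] = hashlib.sha256(client_nonce + server_nonce).digest()
        return server_nonce

    def challenge(self, account: str) -> bytes:
        self.pending[account] = secrets.token_bytes(32)
        return self.pending[account]

    def verify(self, account: str, response: bytes) -> bool:
        nonce = self.pending.pop(account, None)  # consumed: a replayed response fails
        if nonce is None or account not in self.secrets:
            return False
        expected = hmac.new(self.secrets[account], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Browser:
    """Client side: the per-site identity database (in memory and unencrypted here)."""
    def __init__(self):
        self.db = {}        # site name -> (account, secret, pinned fingerprint)

    def signup(self, name: str, site: Site, account: str) -> None:
        client_nonce = secrets.token_bytes(32)
        server_nonce = site.signup(account, client_nonce)
        secret = hashlib.sha256(client_nonce + server_nonce).digest()
        self.db[name] = (account, secret, fingerprint(site.cert_der))

    def login(self, name: str, site: Site) -> bool:
        account, secret, pin = self.db[name]
        if not hmac.compare_digest(pin, fingerprint(site.cert_der)):
            return False    # certificate differs from the one seen at signup: send nothing
        nonce = site.challenge(account)
        return site.verify(account, hmac.new(secret, nonce, hashlib.sha256).digest())
```

Because the pin check runs before any challenge is requested, a server presenting a different certificate never receives a response computed from the shared secret.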
Governments don't come up for a vote - the people in them do. The policies and programs any group of people pass tend to stay and grow forever. If this passes you can be sure the full effects will ratchet into place eventually. If a business has a bad idea people don't use, then if the company does not abandon it the business will eventually shut down (or the thing will just sit there ignored).
If governments and the incrementally ever growing power they wield over you do not scare you far more, you are an idiot. For it's only government policy you cannot escape by choice.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Been saying this would happen for over a decade now. Everyone called me nuts. I really hate being proven correct in these sorts of things :(
---- Booth was a patriot ----
[conspiracyTheory]
An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:
Credit card purchases,
Online banking,
Accessing electronic health care records,
Securely accessing her personal laptop computer,
["]Anonymously["] posting blog entries, and
Logging onto Internet email services using a pseudonym.
http://yro.slashdot.org/story/10/06/26/157211/Reporters-Without-Borders-Fight-Web-Censorship
I think these two things are related. What happens to journalists' sources, if the sources feel anonymity is a problem? What happens to your "identity" online, if someone wants to discredit you for some joke or stupid remark in a context completely unrelated to your profession?
Having *one identity*, whether OpenID or this, is undesirable at best. At least OpenID is optional. As I don't want one shopkeeper knowing what other shops I bought stuff from, I don't want one web site knowing who I am on other web sites. Why do I want that? Why is that good for *me*?
If they want to talk about what this "ecosystem enables", compare that to what an ecosystem of anonymity and privacy has enabled throughout history, and what we may lose in the process of everyone being able to be identified online. This trend is quite worrisome.
As an added precaution, they should mandate the use of Windows (TM) operating systems... :P
Does anyone recall in the book of Revelation 13:16-18, where it says, speaking of a Beast from the Earth,: "And he causes all, the small and the great, and the rich and the poor, and the free men and the slaves, to be given a mark on their right hand or on their forehead, and he provides that no one will be able to buy or to sell, except the one who has the mark, either the name of the beast or the number of his name. Here is wisdom. Let him who has understanding calculate the number of the beast, for the number is that of a man; and his number is six hundred and sixty-six." Does anyone have this feeling crawling up the back of your neck that we may have found this beast? Oh, hang on a minute, there's a knock at my door... .
The "best" way to make opt-in things become effectively mandatory is to assert that things people take for granted, intuitively, as rights (e.g. board a plane, drive a car, purchase an alcoholic beverage from a licensed commercial entity, make a phone call, file a health insurance claim), are really trivial privileges. You don't have to participate, but if you want to actually get anything done and not be impractically disadvantaged, then you'll get on board.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If the Trusted Identities system goes forward it is only a question of how many years it will take before noncompliant computers can and will be denied access to the Global Trusted Internet.
Back to sneaker.net then
or fedexing disks....
the number of the beast is your phone? lol
If you think that you can escape from supernational corporations and their behind-closed-doors accumulation of power
Look at BP, and the insolvency they are very near to. Look at GM, which is not a tentacle of the government. There is no corporation so powerful a government cannot simply subsume them at will.
All of the most powerful corporations you are most scared of were made that way through government regulation. And the government that gave them that power can take it away at any moment. Yet you claim the CORPORATIONS are scary?
To paraphrase 2001 - My god, it's full of bricks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley