Slashdot Mirror
White House Unveils Plans For "Trusted Identities In Cyberspace"
Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote,
"The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)."
You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.
One ID you can use anywhere? Sounds a lot like what the OpenID project is already trying to do. It's a nice concept, but I don't like the idea of anything like this being run by the government. Government interference with the internet seems to be the fastest way to dystopia, these days.
Le français vous intéresse?
So isn't this just another one of those open/secure authentication mechanisms, which means that we're now going to have to remember an ever expanding and potentially insecure methods, instead of passwords, of identifying ourselves to various entities on teh internetz?
Always proofread carefully to see if you any words out.
Who do you Serve, and Who do you Trust
-- Galen the Technomage, B5Crusade
It is good to see that the government are using existing technologies for political talking points. Now if government tries to push something other than SSL I would be disappointed.
There is or can be built a machine that can simulate any physical object. -Church-Turing principle
but ms passport sucked
Snowden and Manning are heroes.
The problem of authenticating yourself many times to different websites is solved by OpenID. The problem of having a secure web identity is also solved - anyone can put a public key on their homepage and sign everything they write. The inclusion of credit cards and electronic health records suggests the true motive for this policy: trying to tie people's internet identities to real life identities. Thanks, but given that the opinions I post here have already earned me 3 'foes' I'd rather not have every potential employer take a look at my Slashdot account.
I need to download a German accented voice so when my computer says, "Your papers, please." it will sound authentic.
If Slashdot were chemistry it would look like this:Cadaverine
Why not just tattoo a barcode on the back of my neck and inject and RFID tag into my left wrist and be done with it.
They can trust the identity of deez nuts.
Go easy on me, moderators.
>where individuals and organizations can complete online transactions with confidence,
>trusting the identities of each other and the identities of the infrastructure that the transaction runs on
I see, so we just hand over the keys to our online identities and trust the Federal Government instead. Right. And what if we would rather not trust them? Some of us might not want the Fed having access to everything we do. And if such a plan gains traction, you can bet that sites will jump on it and consumers won't have any choice but to use such a system or be denied access to more and more online stuff.
Sounds like a great idea. There's room on the internet for any such initiative - so much room, in fact, that it's likely that this will affect no-one except those who choose it.
"In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
I think a 'strong identity' transactional system likely requires a secret known to a user, paired with a hardware device that can be remotely disabled, and is difficult to tamper with and lift the user's keypair from, even with the user's password. I think that can be built, but the 'remote kill' potential is alarming in the context of a national (or more than national) strong-identity system. In order to be reliable, parties will have to check transactions against some sort of central database, which is a serious privacy concern.
My suspicion is that any system you attempt to use for this purpose is immensely more useful when you ditch the 'strong identity' requirement, as a strong transactional system is good at preventing fraud, and with no (or limited) identity tied to a transaction, there is no substantial risk to privacy, data disclosure, etc, which are the stated goals of the plan.
I wish my government would do something similar, like calling for the creation of flying ponies for everyone. No, wait - flying invisible ponies for everyone! I'm sure there would be no problem getting reality to comply with government wishes.
Certainly not the government. Our "trust" has recently netted us one economic disaster, and one industrial catastrophe. I realize that the current method isn't optimal, but he who has the information, has the control. That having been said, I'd like to retain as much control as possible, especially when it comes to information that can be easily stored, profiled, shared, etc. One of *anything*, I'd argue, is a bad choice. Something about eggs, baskets, human nature, greed, power, etc.
What the government creates the government controls.
Sigs are for losers.
I can think of only one way to make transactions nearly completely secure, so that malware cannot spoof or redirect payments - and I doubt our government is smart enough, or willing to pay enough, for such a system. It would require a security dongle with its own display and a yes/no button at a minimum, with a numeric keypad for PIN entry being a useful addition. Without its own display, even if it requires some sort of physical response on the dongle, malware can make the computer show one payee while telling the dongle to authorize another.
Sounds like they're just trying to create a proprietary government-owned, -controlled and -legislated OpenID/PGP network. This is still a stupid idea - The reason my account isn't my real name is that I want a disconnect between my activities online and my activities in meatspace.
At fist such a system would be opt-in. Then it would gradually become mandatory in the name of fighting pedophilia (think of the children!) Then you can kiss online anonymity goodbye.
http://www.gpgauth.com/ is a good technology. It's open and it's based around GPG. The main thing holding us back is the lack of hardware standards and lack of hardware in general. We should have the hardware in place otherwise a lot of the software will be useless.
We need better smartcards, better e-tokens. The idea of putting identity on our cellphones is stupid. Put it on a card so it can be put in your wallet or hidden if necessary. By putting it in your cellphone it's a huge target for hackers.
Anybody can log in as you and nobody knows any better.
Then you use your retina along with your fingerprint.
Sure identity theft is always going to be possible but it would be much harder if they had to get your retina than if they just had to memorize your digits and crack a password.
Who says the government has to pay for it?
We should be able to buy our own dongles. The only thing the government has to pay for is the retina scand and fingerprints, or anything else we want to store on the dongle as authentication. The pin entry + smartcard is good enough for the banking industry and ATM machines.
I think it'll fail unless it gets a big dose of reality shortly. how many things in our society, both public and private, have remained untouched by reality?
1. I don't trust the government to be competent with this
2. I don't trust the government to not abuse this power
The government is perhaps the single most important entity to protect yourself from. If cashflows and internet security are under the government's thumb, then contaband and actions to protect yourself from the government are going to be much harder to come by. I don't want a government ID credit card, I want a closer equivalent to cash, so i can make online purchases with LESS of a paper trail.
This is my signature. There are many like it, but this one is mine.
A few months ago, I wanted to post a question to StackOverflow. It was the first time I was going to submit something, so it was also the first time I had to log in. I was dismayed to see that they had chosen OpenID, rather than letting me quickly create an account specifically with them.
Now, I don't have an account with Google, or Yahoo!, or AOL or one of the numerous other OpenID providers they support. So I had to go through the process of signing up for a Yahoo! account, which was a pain in the ass, to say the least. Then it was back to StackOverflow, so I could log in, and submit my question. Except it didn't work. I couldn't log in. I'd get sent to Yahoo!'s page to log in, and I'd log in there successfully, but I wouldn't be logged-in at StackOverflow.
I really didn't have any time or inclination to figure out what was wrong, so I went through the hassle of creating a Google account. In the end, it was the same problem as with the Yahoo! account. It just wouldn't recognize that I was logged in.
Maybe it's a problem with my browsers (I tried Opera, Safari, Chrome, IE and Firefox for each provider), or maybe it's a problem with my network infrastructure, although I suspect it's a problem with StackOverflow or OpenID.
Regardless of what the technical problem was, I wasted far too much time just trying to log in to the goddamn StackOverflow site. Authentication is one of the most basic operations of any multiuser and/or networked software system. It's something UNIX has gotten right for 40 years. There's no reason for OpenID to be as shitty as it is.
In the end, I said "fuck it" to StackOverflow. If they want to make it difficult just to log in to their site, I won't use it. I asked my question on a mailing list instead, which worked flawlessly.
You verify your identity by smartcard. We don't need a central authority to do it for us when we can just put our card into our reader and enter a pin.
When you go to an ATM do you need a central authority to verify your identity with a certificate?
having a government run operation where I can safely store my name, address, soc. # and ip address sounds awesome. It will bring states an easier way to collect sales tax for my online purchases too which will save me some time filing out my taxes every year. Since it's run by the us gov, I'm sure they'll have a reputable source overseeing the security of the system also. You know, like Diebold or maybe Blackwater.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Your plan advocates a
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
(x) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
(x) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
From the Document Itself:
"Envision It!
An individual voluntarily requests a smart identity card from
her home state. The individual chooses to use the card to
authenticate herself for a variety of online services, including:
Credit card purchases,
Online banking,
Accessing electronic health care records,
Securely accessing her personal laptop computer,
Anonymously posting blog entries, and
Logging onto Internet email services using a
pseudonym."
I always want to use a self-identifying card when anonymously posting blog entries. Seems like this also could be easily abused by a government who conducts warrantless wiretaps and other illicit snooping.
"Imagine a world where individuals can seamlessly access information and services online from a variety of sources - the government, the private sector, other individuals, and even across national borders - with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords."
Honestly, this doesn't seem like a good idea from a security standpoint either. Let's say I wanted to commit fraud or identity theft or any of the other things this card is supposed to prevent. Now, originally, I would have to compromise your 30 passwords. If I hacked your blog, I wouldn't be able to access your bank account because they have different passwords. Now, if a blackhat hacker hacks this universal access method they get universal access. Scary.
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
Then you use your retina along with your fingerprint.
Sure identity theft is always going to be possible but it would be much harder if they had to get your retina than if they just had to memorize your digits and crack a password.
They don't need your retina. They just need whatever big integer your retina digests to.
They don't need your retina. They just need whatever big integer your retina digests to.
In case the conclusion isn't obvious: if they can get you to authenticate using a compromised scanner you'll only be able to handle that breach exactly once - assuming you have a second eye.
Can you say single point of failure?
File under 'M' for 'Manic ranting'
And we'll take this ID, and implant it under your hand, or, if you're really "cool", we'll put it under your forehead. We'll expand it to track your finances, so you only use that when you shop anywhere too! (It's the end of the world as we know it....)
This is what we are witnessing. And its going out with applause and support. :(
---- Booth was a patriot ----
Hack once, access all
Read this proposal for what it is: a different way to name an attempt of removing anonymity from the web.
The NSTIC, which is in response to one of the near term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. ...
- I am sure this is going to be made a requirement for a site to operate at some point, add this to the 'Internet kill switch', add the Patriot Act to it, multiply by Home Land Security and don't forget to factor in the rendition, you are going to have an interesting situation.
The President will be able to shut down portions of the Internet, he will be able to identify who was saying what and when, this entire thing reeks of totalitarianism - complete control by the government over the dissemination of information and total knowledge of who was saying what on which topic plus ability to take action - shut down the dissenting portions of the web and then 'taking the necessary care' of those, who dare to oppose the government in any way, be it direct opposition to specific policies or be it simply providing information to the people that government wants to keep quiet and providing a forum to discuss this information.
You can't handle the truth.
I agree that we need to make a few changes to prevent the decline of the country, but I'm not sure if that should include becoming Korea.
Except you'll probably be required by the states (who are held hostage by federal funding) to have one to get a drivers license or benefits. This is yet another back-door attempt to institute a national ID card, except this would also happen to let the govt decrypt all your transactions.
Well, no... The idea is, your computer would open a connection between the dongle and the remote server. The connection would be both encrypted and digitally signed by the dongle, making it "impossible" for software on the computer to interfere with the contents of the connection. The dongle would show, on its built-in display, the payee account name and the payment amount, and prompt for pressing a button on the dongle itself (or PIN entry, or retina scan, or whichever). The dongle would then send a signed certificate authorizing the transaction.
This would be fairly complete security, though there are a few caveats: Strength and hardiness of the encryption and signature algorithms, hardiness of the software on the dongle, and the creation of accounts with the same name as the payee. There would be other methods of attack against the server side, but nothing that would be considered the user's fault.
I should know, we spent 3 years building the most secure commercial internet authentication system, with a 5 site redundant cloud of authentication services. 3 of 5 sites were necessary to pass an authentication, so we could handle two complete site thefts, or two complete site disasters and still authenticate safely (auth material was split utilizing a secret sharing algorithm). Each of our data sites were military-grade EMI/Faraday cages, under separate corporate ownerships.
In other words we spend millions on building the easiest & safest way to authenticate a user on the 'net, with most of that on auditing, code reviews, facility buildout etc...
And nobody wanted it!! Not for any price... not even for 50 cents/user a year!! Banks said users would NEVER type in two passwords,... HA!
I said no... but I missed and it came out yes.
..where the common ID is voluntary, reasonable, useful.
Part two is the law forcing all ecommerce to use the ID for taxation.
Part three is the law forcing all political discourse comment (blogs etc) to use the ID to protect the children and prevent terrorism.
Most of you never use a real name on the internet. I use this alias "leuk_he" for over 10 years.
Why? because what you put on the internet can never be deleted. And because you cannot be sure how some internet forum will use your privacy. Privalcy never was very important on the internet. And this was worked arround all this time by using handles/aliases. THere is a new generation now that freely uses their real name on facebook. But those same induviduals will bump their head in 5 year because a new boss will be able to find their view on vampires a little bit disturirbing.
A real-ID on internet will only make this privacy thing more urgent.
--leuk_he
I don't mind having to remember an ever expanding list of usernames and passwords. And I don't see how that's more insecure than something with a single point of failure.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Solving THAT particular problem that you mention may not necessarily be a threat to anonymity on the internet - but the US (and other western) governments, and their plans for the internet (including this) certainly are, and if you can't see that, you're clueless.
Establishing an infrastructure for allowing people to identify themselves in their dealings with commercial entities is a different thing from requiring people to identify themselves in online forums. Confusing the two is silly.
My only political goal is to see to it that no political party achieves its goals.
I almost checked the "Post Anonymously" button on principle, but the difference is that I can choose what part of my identity to share with Slashdot. I just finished reading How to Access the Internet, A Guide from 2015 when I flipped to Slashdot and saw this article. Here's the first step. Creepy.
One ring to rule them all!
Letting the government have access to my master ring ya right! They can snatch you, correct your posts, and bankrupt you in nano seconds!
Over my dead ..carrier anomaly detected ....
For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services.
That's actually creating many other problems. For example, if my online identity is the same across many sites, information that I am not willingly providing to one site can just be scraped off another. As another example, various bits of data can all be easily tied back to an individual, undermining their privacy.
Twinstiq, game news
They don't need your retina. They just need whatever big integer your retina digests to.
In case the conclusion isn't obvious: if they can get you to authenticate using a compromised scanner you'll only be able to handle that breach exactly once - assuming you have a second eye.
If you use your own scanner how exactly will it be "compromised"? Unless it's compromised the day you buy it.
Im sorry but who pays? The goverment is playing "The Sims" with our real lives and real money. When the goverment pay,we all pay.
Looks like the future is coming. Fast. See this post that appeared in digg TODAY http://digg.com/tech_news/How_to_Access_the_Internet_A_Guide_from_2025
So this is what the future is going to be like. First step, make this voluntarily. Then a lot of services will use this. I live in Spain, and I see this coming. Here Franco's dictatorship stablished what you're fighting against in many countries right now: a national identity card (called DNI). Our DNI is already an electronic, comes with a chip with all the information and can be read with a card reader, and contains some legally valid certificates with which you can authenticate and sign anything.
For us, this is a normal thing because we've been living having DNI for decades, and if you ask just about ANYONE, it's good. The police have our fingerprints, photos, and all data, and this way they can identify anyone, they can use the fingerprint for crime-scene-techniques like in CSI, etc.
Now the government of Spain is spending a lot of money and time trying to make people use the electronic DNI. They have a nice web page with info for developers (https://zonatic.usatudni.es/). An increasing number of websites are using https (SSL) for authentication via e-DNI (like banks), and Java Applets for signing all kind of things. For example there's a webpage (tractis) in which you can sign electronic and legally valid contracts.
You might be an optimist and think you have two choices: you can either fight against it, or use it. But really, read all above. This is not something you can easily fight against. I am an advocator for liberties, but I'm also used to having DNI, and I've surrendered. I'm helping a new political party called "Partido de Internet" (Internet Party) whose aim is to be able to have a liquid democracy in which our representatives will vote what people vote over the Internet.... using DNI-e. So yes, I'm helping the governmental machinery trying to spread the usage of electronic national identity cards. Welcome our 1984 overlords!
This is the first step. Next step will be to make its usage mandatory for every login. They're requiring everyone to secure their wifi in Germany to prevent unauthorized people from using their Web access to illegally download data. And then, probably much earlier than 2025, we'll be as bad as in the first digg link in this post. We're already living in a distopy worse than 1984 in many ways, but we see it normal because it can always get worse - and it certainly will.
At fist such a system would be opt-in. Then it would gradually become mandatory in the name of fighting pedophilia (think of the children!) Then you can kiss online anonymity goodbye.
who is "they"? And how would they force you to log into 4chan?
Indeed, who is this "they"? The post you are responding to never said "they".
However, the *FIST* is not imaginary. I can only assume that "at fist such a system would be opt-in" means they punch you until you agree to opt-in.
No, just to enable massive scams, make all evidence of fraud useless when this "identity" is used, and, of course, to promote the use of sabotaged "secure" hardware that locks out user-modified software.
Contrary to the popular belief, there indeed is no God.
The Federal government is borrowing and spending over $1.6 trillion ( > 10%) of GDP this year alone. A debt, that We, The People will eventually be responsible for, either through pernicious levels of taxation, or theft of our accumulated wealth by destruction of the currency (If someone sees another possible eventuality, it would cheer me up to hear about it.)
Yet, with this catastrophic fiscal crisis clearly on the way, the government still seems to find the time and resources to conduct a relentless assault on the civil liberites of the citizens that it pretends to serve.
By the People, of the People, for the People ????
Is there anyone out there besides the Mainstream Media, government employees and the politically well connected elite that even believes that sad, cruel joke anymore?
The fact that we continue to PAY for this nonsense is the most infuriating thing of all.
I have no cell phone... should I be forced to pay high monthly fees just to get an ID I don't want?
Yes.
There are two fundamental cases in which identity matters. In the first, identity matters because you want to know with whom you are dealing. For example, the bank really needs to know that the person accessing their systems is who they say they are, so that they can connect the presented identity with the requested resource without placing themselves in legal jeopardy. The ISP needs to be able to associate the incoming line with an account so that the billing is sent to the right place. In this kind of interaction, it is absolutely essential that means of securing the identity exist outside of the Internet and have legal force. But these uses are also relatively few, out of the many cases for use of identity.
In the second, you want to know that the person you are dealing with is the same person you dealt with before, but you don't really care who they are. When I log into Google to read my RSS feeds, Google doesn't really need to know who I am; Google needs to know that I am the same identity that has visited before, so that it can appropriately target ads (from its point of view) and show me the information I've asked for (from my point of view). For the most part, authenticating to computers in a work environment does not really care about who you are, so much as it cares about what you have access to. If the system thinks I'm "John Doe," but gives me access to only those resources I should have and no others, then it has succeeded at its purpose.
Most people would be reasonably happy to have the government involved in the first type of case, for the same reason most people are perfectly happy to have the government issue driver's licenses that are used as identification, or passports used as identification. Yet even in those cases, most people would probably not be happy to have all of their identity documents issued by the same level of government and used for every possible purpose. (For example, try proposing the use of Social Security cards as identification, and see what happens.) This is because people are more worried about promiscuous overuse of irrevocable identity, and the risks that entails, than they are about having multiple forms of identification. Despite the solution of many trust issues, people want the ability to refuse to get a passport, or refuse to get a driver's license, or whatever, should they so choose. The second set of cases is even more evidently none of the government's business. The government should not be involved in what I rent from the video store, what I get from the library, what I buy online and the like. They may need to collect value/volume metrics tied to me, depending on the taxation scheme in use, but that's as far as it goes.
If I trusted the government to stick to the first case, and to make a competent execution of it, then I would not have much problem with limited use of such a system, revocable at any point by the user and completely optional. But I don't trust that execution would be competent, that the government would limit its intrusions, that the government would allow revocation of an identity once issued, or that the government would keep the system optional. So frankly, this strikes me as a very, very bad idea.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
This sounds pretty much exactly like the system Vernor Vinge described in "Rainbow's End." (Which also included the "kill switch" that came up on slashdot a few days ago.) However Vinge had what seemed to me to be a naive optimism that the government would have some kind of epiphany and realize that it should use such unprecedented power only to protect people from serious crimes, and not for the kind of petty things the government currently abuses its power for.
This Space Intentionally Left Blank
Sadly, in my university experience, college students are not likely to fight against it so long as a Democrat, let alone the Obama administration, that supports this.
Couldn't you solve this problem with public key encryption based digital signatures? I mean, you don't even need some giant government database containing the keys to everyone's private information. The entire point is to let anyone and everyone have my public key, and in fact to assume that every malicious person has everything associated with any transaction involved except for my private key. So long as people keep their private key private, then there's no problem (ok, big assumption, but no worse than passwords currently are), and as a plus it could also be used to set up cryptography as the normal way for information to travel over the internet... oh, I see why the government would never encourage that. Nevermind.
A smart card might well be a useful tool to safely present your identity to many different web sites. However, that's not the only way. And I am not talking about OpenID, which has risks. And I am not even talking about delegating any form of trust to another party (which OpenID does).
The simple answer is that browsers should maintain your identity information. You provide the encryption passphrase to access that database of identity info. Each time you visit a site that requests a login (by means of standardized headers in the HTTP response for this, which includes an HTTPS URL to present identity), a indicator of your choice in the browser will inform you that you have the option to signup or login. You might even set a given site name to be automatically logged in, if you prefer (a flag added to the identity info stored in your encrypted database). The signup process exchanges random numbers. To login, the browser switches to HTTPS and verifies the certificate against both the CA certificates as usual, and also a certificate reference in the identity database. Then an authenticity exchange of choice (password, CRAM-MD5, etc) will take place from information established when first signing up. Then you're in. No need for a third party.
The scheme needs to be open source so it can verified as correct. The format for the database needs to be standardized so it can be ported to other tools when desired (probably best a text format, compressed, then encrypted).
Now this scheme won't connect a signup to a real person. If a web site wants that (for example a bank), then more needs to be done, and that smart card might be one way to do it. But for accessing web sites like Slashdot, that should not matter (free speech doesn't need to know who you really are, and for various reasons, must not, or else the speech can't really be free). I just don't want people thinking the smart card is needed for most web site logins (although the smart card might well be someone's preference for opening the encrypted database of web site identities).
now we need to go OSS in diesel cars
Governments don't come up for a vote - the people in them do. The policies and programs any group of people pass tend to stay and grow forever. If this passes you can be sure the full effects will ratchet into place eventually. If a business has a bad idea people don't use, then if the company does not abandon it the business will eventually shut down (or the thing will just sit there ignored).
If governments and the incrementially ever growing power they wield over you does not scare you far more, you are an idiot. For it's only government policy you cannot escape by choice.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Been saying this would happen for over a decade now. Everyone called me nuts. I really hate being proven correct in these sorts of things :(
---- Booth was a patriot ----
http://yro.slashdot.org/story/10/06/26/157211/Reporters-Without-Borders-Fight-Web-Censorship
I think these two things are related. What happens to journalists' sources, if the sources feel anonymity is a problem? What happens to your "identity" online, if someone wants to discredit you for some joke or stupid remark in a context completely unrelated to your profession?
Having *one identity*, whether OpenID or this, is undesirable at best. At least OpenID is optional. As I don't want one shopkeeper knowing what other shops I bought stuff from, I don't want one web site knowing who I am on other web sites. Why do I want that? Why is that good for *me*?
If they want to talk about what this "ecosystem enables", compare that to what an ecosystem of anonymity and privacy has enabled throughout history, and what we may lose in the process of everyone being able to be identified online. This trend is quite worrisome.
As an added precaution, they should mandate the use of Windows (TM) operating systems... :P
Does anyone recall in the book of Revelation 13:16-18, where it says, speaking of a Beast from the Earth,: "And he causes all, the small and the great, and the rich and the poor, and the free men and the slaves, to be given a mark on their right hand or on their forehead, and he provides that no one will be able to buy or to sell, except the one who has the mark, either the name of the beast or the number of his name. Here is wisdom. Let him who has understanding calculate the number of the beast, for the number is that of a man; and his number is six hundred and sixty-six." Does anyone have this feeling crawling up the back of your neck that we may have found this beast? Oh, hang on a minute, there's a knock at my door... .
The "best" way to make opt-in things become effectively mandatory is to assert that things people take for granted, intuitively, as rights (e.g. board a plane, drive a car, purchase an alcoholic beverage from a licensed commercial entity, make a phone call, file a health insurance claim), are really trivial privileges. You don't have to participate, but if you want to actually get anything done and not be impractically disadvantaged, then you'll get on board.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If you think that you can escape from supernational corporations and their behind-closed-doors accumulation of power
Look at BP, and the insolvency they are very near too. Look at GM, which is not a tentacle of the government. There is no corporation so powerful a government cannot simply subsume them at will.
All of the most powerful corporations you are most scared of were made that way through government regulation. And the government that gave them that power can take it away at any moment. Yet you claim the CORPORATIONS are scary?
To paraphrase 2001 - My god, it's full of bricks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley