Firewall Wizards mailing list archives
Re: The home user problem returns
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 13 Sep 2005 17:37:33 -0400 (EDT)
On Tue, 13 Sep 2005, Chris Blask wrote:
Hey Paul!
The problem is that, without any sort of identity (and there is exactly 0.0000% of net traffic using anything worth calling identity), it is impossible to treat Identified traffic and Anonymous traffic differently, as they logically deserve.
Two words: Identity Fraud.
?! (I'll never see that again without thinking of Scooby Doo - thanks, P Melson! ;~) Not sure where you were going with that, but my point is that I (as a network owner) can choose to treat Identified traffic with one (or more) level of trust and Un-Identified traffic with another (logically much lower) level of trust.
My point is that identification is *hard*- it's a boundary problem, and we don't have a solid boundary. That means that abuse is easy- an attacker will just come through as someone else, so everyone will be "identified," they just won't necessarily match their identification.
I have to correct my "0.0000%" comment, as well. There is actually quite a lot of practical Identity being used on the net, *we* just have not provided much of it. Anyone who buys and sells on eBay or orders something online is using Identity to a level that is acceptable to the other party. As long as the level of fraud in these transactions is similar-to or lower-than the level of fraud in non-net transactions, then the methods they are using are correct.
Decentralized, distributed responsibility. If I own an auth server then I am responsible for the activities of those who use it. If I
You're willing to be responsible for your user's behavior? After they're Trojaned?
Sorry, incorrectly stated: I'm willing to be responsible for knowing who the real human is who has used my Identity service.
But you don't- you know whose credentials were used, and that's it. That's pretty far from knowing who the user is.
Just like the encryption boundary problem that is the reason SSL is severely broken as a concept, the use of identity can't be done in a system that's not closed, and we don't have the methods, technologies or wherewithal to close the software, transport and physical endpoints everywhere.
We use identity in the physical world in a way that allows us to function, with all sorts of weaknesses in that identity process (sure, put a picture on my credit card, no-one will look at it; my Mother's Maiden Name, are you serious!?!). IMHO, the reason we have no success as an industry in providing Identity on the net is that we search for a "DNA-Sample" level of verification. We don't do this in the real world but succeed in
No, I'm not advocating doing nothing if it's not perfect, I'm saying that the proposal is lost because it has flaws that will surface more quickly than they can be fixed. Trojans have rendered that not workable until we tone down the Trojan problem, which is why this thread is important.
moving trillions of dollars in assets back and forth every day. In my own Living With Chaos view of the world, complex problems are solved by dividing them into chunks until the pieces can be digested. If there aren't huge chunks of this problem that can be digested easily (look at eBay), then the beer is on me... :~)
The beer's on you anyway!
Paul "I can identify a beer donor a mile away" Robertson
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards