Re: Info Security 'Teachers' Need More Learning

[InfoSec News <isn () c4i org>]

Forwarded from: JohnE37179 () aol com

In a message dated 10/15/01 4:02:54 PM, isn () c4i org writes:

<< privacy professionals appear unable to put the security and
> privacy to-dos in the proper context for people who manage
> sensitive information. Why? Security people have never been known
> to distinguish

Says who?  >>

It seems to me that the "security experts" have consistently confused
identification with authentication. All of the existing authentication
technologies can be easily utilized to perpetrate identity frauds. In
fact, they all enable identity frauds. There are three distinctly
separate functions that are often overlooked.

Identification: identifying someone's name (not simply accepting what
you are told is someone's name). This is a very difficult process and
the simple excuse is that this is a wet brain problem not suitable for
the digital world. This is not true. Identifying a device or a thing
or a password is not Identifying a person or user.

Recognition: Have I seen this person before, whether or not I know his
name.  Biometrics do this well.

Authentication: After being certain of a person's real identity (not
necessarily the one he gives me) I can allow him an encryption key,
PKI, enroll him with a biometric or password.

All three functions must be performed for user security to exist.

John Ellingson
CEO
Edentification, Inc.
||||#
||||||
||||||



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.