Radovan Semančík, who publishes Storm Alert, is a Slovak software architect who is also “a swordsman and archer.” He just posted an interesting comment on my piece about overcentralization of identity information. But before I get to it, there is the matter of the strange little graphic he used to enliven his piece (shown at right). Is this a skull crusher? Is this my skull? Or is the reference more generic?
Anyway, we have to stay focussed, and I don't want to be more paranoid than necessary.
‘“Overcentralization of identity information increases the risks involved once the idea of a breach is accepted. So does the ability to assemble information from different contexts which should strictly be separated.” That's right, I believe. Overcentralization is not good. But that does not apply to the server side only. The information may be overcentralized on the client side also.
‘Take InfoCards as an example. If we use only self-issued claims in the InfoCards system, all the personal information will be stored on one's personal computer. That will make the common PC a rewarding target for attack. Do you know how difficult it is to hack a PC? I do not. PCs have not been much targeted by hackers yet. There was nothing really important there. But now, it may change … And PCs are very uniform. Find one good hole and you can hack millions of PCs all around the world in a few minutes.
‘I do not think that storing personal data on a PC is any better than storing it on a server. Overcentralization is equally bad in both cases, but the “PC case” is much harder to recognize. And the things that are hidden are the worst ones … and that's not limited to computer security.’
As I said recently, we have to assume our systems will one day be compromised. So guess what? I totally agree with Radovan that storing all your data on the PC is no better than storing it all in any other place. Help me get the message out, folks. This is not what the InfoCard system represents.
Let's begin with what the self-asserted identity provider (e.g. the “starter” provider which stores data on the PC itself) is actually intended to do.
When we designed it, we purposely limited it to a narrow subset of personal information – all of which is in fact available in public records. We do not allow the PC-based provider to be used, for example, to store credit card information or social security numbers or other sensitive information on the PC.
We didn't impose these limitations because we thought our design was insecure! Quite to the contrary. We have struggled day and night for a secure design. But we chose this approach because we accept that breaches are inevitable, especially when you are working on building an identity layer for the internet. So you have to ask, how do you minimize the impact of those breaches? In fact, if you can sufficiently reduce that impact, you can remove the economic incentive to attack the system in the first place.
So our strategy is to do what is necessary to promote initial usage of the system while creating an impetus for people to develop and install additional identity providers that distribute storage of contextual information such that no one breach can be catastrophic.
InfoCard identity providers store information in different places – on servers in the sky, in dongles and smart cards, on phones – and can require multiple factors, from secrets stored in your head and on smartcards to fingerprints and other biometrics. The key here is to understand that the InfoCard proposal doesn't put all your information on the PC or concentrate it in a single location.
InfoCards are not PC centric just because they put the user at the center.
I know there are people around who think there must be some bias of vision going on here (if not an outright ploy) given Microsoft's role in powering PCs. But my colleagues and I actually understand that this incredibly hard problem has no silver bullet other than use of every possible resource to create a multi-dimensional solution. Again, this is what led us to the metasystem idea.