Digital identity allows us to manage risk – not prove negatives

Jon's piece channeled below,  Steven O'Grady‘s comments at RedMonk and  Tim O’Reilly’s Blogger's Code of Conduct  all say important things about the horrifying Kathy Sierra situation.   I agree with everyone that reputation is important, just as it is in the physical world.  But I have a fair bit of trouble with some of the technical thinking involved.

I agree we should be responsible for everything that appears on our sites over which we have control.    And I agree that we should take all reasonable steps to ensure we control our systems as effectively as we can.  But I think it is important for everyone to understand that our starting point must be that every system can be breached.  Without such a point of departure, we will see further proliferation of Pollyannish systems that, as likely as not, end in regret.

Once you understand the possibility of breach, you can calculate the associated risks, and build the technology that has the greatest chance of being safe.  You can't do this if you don't understand the risks.  In this sense, all you can do is manage your risk.

When I first set up my blog to accept Information Cards, it prompted a number of people to try their hand at breaking in.  They were unable to compromise the InfoCard system, but guess what?  There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name

By what logic was I responsible for it?  Because I chose to use WordPress – along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the linux kernel operating underneath my blog; and for  potential bugs in MySQL and PHP.  Not to mention any improper behavior by those working at my hosting company or ISP. 

I'm feeling much better now.

So let's move on to the question of non-repudiation.  There is no such thing as a provably correct system of any significant size.  So there is no such thing as non-repudiation in an end-to-end sense.  The fact that this term emerged from the world of PKI is yet another example of its failure to grasp various aspects of reality.

There is no way to prove that a key has not been compromised – even if a fingerprint or other biometric is part of the equation.  The sensors can be compromised, and the biometrics are publicly available information, not secrets.

I'm mystified by people who think cryptography can work “in reverse”.  It can't.  You can prove that someone has a key.  You cannot prove that someone doesn't have a key.  People who don't accept this belong in the ranks of those who believe in perpetual motion machines.

To understand security, we have to leave the nice comfortable world of certainties and embrace uncertainty.  We have to think in terms of probability and risk.  We need structured ways to assess risk.  And we then have to ask ourselves how to reduce risk. 

Even though I can't prove noone has stolen my key, I can protect things a lot more effectively by using a key than by using no key! 

Then, I can use a key that is hard to steal, not easy to steal.  I can put the lock in the hands of trustworthy people.   I can choose NOT to store valuable things that I don't need. 

And so, degree by degree, I can reduce my risk, and that of people around me.

Published by

Kim Cameron

Work on identity.

5 thoughts on “Digital identity allows us to manage risk – not prove negatives”

  1. I think there is a misunderstanding about non-repudiation. No one can prove in the absolute way that I think you mean that what appears to be my signature on an important document is not a forgery. Perhaps an extremely good one. At the same time, if I claim that a document on which my signature is claimed to appear is not my signature, it will depend on a great variety of circumstances whether I am able to repudiate that signature.

    The non-repudiation quality of PKI clearly depends on the private key being kept securely. It also involves use of reliable time stamps or the equivalent of notary counter-signatures to make sure that I don't retroactively claim loss of the key or even retroactively use it. If someone who's digital signature is of great moment has their key compromised, it will depend on very specific circumstances what is done about instruments that are already signed.

    I suspect we need to check out whatever enabling legislation that's around that has made digital signatures legal and introducable in courts.

    Kim responds: These are all good points. I like the fact that you are talking probabilities, evidence, analysis, context, not some idealized definitive proof. You may then act upon it, just like you do with a fax, because you've weighed the risks and benefits.

    I'll take this comment up to the mainline because I think it adds a lot to what I was trying to explore. I thought it would be “too much” to discuss these issues while making the other points, but I guess it was “too little” not to.

    Dennis continues: Maybe it is a different matter. I just went through a painful experience to create an Information Card for myself. Now that I have done so, and I have logged on here (after having to stand on my head and spin around three times while winking and pressing the right side of my nose), could I very easily disavow my being here? [Wow. I didn't think it was that bad. Hopefully your configuration, as described in the other comment, helps explain what went wrong… – Kim]

    We did the e-mail confirmation stunt, and I am finally here (and I have a personal Information Card so that's cool too), but isn't this much already getting fairly difficult to repudiate? As a practical matter? (I even put a PIN on the sucker.) It might not work in court, but it should certainly work well enough between you and I, yes?

    Kim replies: I agree. Because public key is used, we do know your key was exercised. We know it wasn't stolen from my site, because I don't know your private key. We also have some idea of the way in which you stored your keys, the extent to which there are known attacks, and so on. All of this is good, way better than chaos, tells a story, leads us to draw conclusions about how to act; but doesn't simply prove anything in the mathematical or scientific sense.

  2. Hey, what are those weird trackbacks you are getting? Is this ping-spam or something?

    By the way, I do like the way that the Information Card plus the e-mail loopback game gets me an “account” without having to make up yet-one-more password. I do like that.

    I also like the way it works when it finally works. (I am an LUA on XP SP2, and my Microsoft Live OneCare Firewall was blocking identity.exe without showing me anything. I guessed that is what was happening, and I was able to fix it without too much pain.)

    Kim Responds: Yes, that is ping-spam. It is getting worse every day. Other readers likely won't see the particular spam you are referring to because I go through and weed my posts every day. But if they look at something very recent they'll likely get the point. I think I'm going to start using technorati as a reputation system before long – I'm checking out their APIs. My discussion of delegation a few weeks ago was also promted partly by this.

    I'm interested to hear more about the problem you had installing cardspace – will track it down one to one.

    It's true that the worst part of this is getting the install done. At some point I'm hoping we'll be able to put it out in a ubiquitous way on XP (like we are already doing on Vista). So it's an investment the first time, and a saving every other time. Not only that, but I always feel good when I've cheated the devil out of using a password.

    I'm going to give out managed IdentityBlog cards any day now. After we experiment with it, Pamela has said she would consider adding managed cards to PamelaWare. Then we could accept cards from other blogging sites without requiring the MailDance.

    Making progress with OpenID / Information Card integration will also help smooth everything out.

  3. Oops, I missed all of your responses on the first pass, but I see them now.

    I agree, I am much keener to find more places where I can just do this with my Information Card. It's like, gee, where else can I use this. Having OpenID integration would be cool too.

    I don't mind the MailDance. It has a reassuring quality to it, with regard to my sense of the party that goes through it with me. It is not choosing a password or having ot secure that is the win, plus the ease on subsequent visits.

    I discovered that I had Windows CardSpace on my control panel by accident while talking my son through account cleanup on his machine (so I was following along on mine). I'm not sure how it got there, although I must have done something. What was great was that I got to go through the drill as LUA and make my first card without having to switch around with administrative accounts. I love the secure desktop or whatever that is that greys everything in the background and stops leaking between desktops (couldn't do a screen shot, presumably no cut and past either).

    So, that was exciting. The problem of having CardSpace failing to connect to the site smelled like a firewall problem, and the fact that I saw no notice that an application was being blocked appears to be a OneCare problem. I have come to be suspicious about that, and when I did log into my admin account, the Firewall message came up right away, I approved identity.exe access to the Internet, went back about my business and here I am.

    I was still agitated about that when I posted my first note, hence the drama. I'd cooled down by the second note. Sorry.

    Oh, I think I have OneCare set where it always asks for any application's first request to the net. I don't use the list of pre-approved apps. I'm big on informed concent. So others might not notice a provlem with identity.exe. (IHere there's a satisfied smile about how OneCare offered to block WGA's spontaneous network access and I accepted the favor.)

  4. Uh, “It is not choosing a password or having to secure yet one more password somewhere that is the win …” Other typos will stay that way.

Comments are closed.