{"id":749,"date":"2007-04-07T10:37:37","date_gmt":"2007-04-07T18:37:37","guid":{"rendered":"\/?p=749"},"modified":"2007-04-07T10:42:05","modified_gmt":"2007-04-07T18:42:05","slug":"jon-udell-on-the-sierra-affair","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=749","title":{"rendered":"Jon Udell on the Sierra affair"},"content":{"rendered":"<p><a href=\"http:\/\/blog.jonudell.net\/\">Jon Udell<\/a> put up <a href=\"http:\/\/blog.jonudell.net\/2007\/04\/04\/history-or-technology-which-is-the-better-defense-of-identity-both\/\">this&nbsp;thought-inducing piece<\/a> on the widely discussed Sierra affair earlier this week, picking up on <a href=\"\/?p=740\">my piece <\/a>and the related comment&nbsp;by Richard Gray.&nbsp;&nbsp;&nbsp;<\/p>\n<p style=\"margin-left: 30px\">Kim Cameron had the <a href=\"\/?p=740\"><font color=\"#b54141\">same reaction<\/font><\/a> to the Sierra affair as <a href=\"http:\/\/blog.jonudell.net\/2007\/04\/02\/online-accountability-and-the-threat-of-impersonation\/\"><font color=\"#b54141\">I did<\/font><\/a>: Stronger authentication, while no panacea, would be extremely helpful. Kim writes:<\/p>\n<p style=\"margin-left: 60px\">Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. 
This won\u2019t extinguish either flaming or trolling, but it can sure make breaking in to someone\u2019s site unbelievably harder.<\/p>\n<p style=\"margin-left: 30px\">Commenting on Kim\u2019s entry, Richard Gray (or, more precisely, a source of keystrokes claiming to be one of many Richard Grays) objects on the grounds that all is hopeless so long as digital and real identities are separable:<\/p>\n<p style=\"margin-left: 60px\">For so long identity technical commentators have pushed the idea that a person\u2019s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say \u2018This digital identity is nothing more than a string puppet that I control. I didn\u2019t do this thing, some other puppet master did.\u2019<\/p>\n<p style=\"margin-left: 30px\">Yep, it\u2019s a problem, and there\u2019s no bulletproof solution, but we can and should make it a lot harder for the impersonating puppet master to seize control of the strings.<\/p>\n<p style=\"margin-left: 30px\">Elsewhere, Stephen O\u2019Grady <a href=\"http:\/\/redmonk.com\/sogrady\/2007\/04\/02\/history_or_technology\/\"><font color=\"#b54141\">asks<\/font><\/a> whether history (i.e., a person\u2019s observable online track record) or technology (i.e., strong authentication) is the better defense.<\/p>\n<p style=\"margin-left: 30px\">My answer to Stephen is: You need both. I\u2019ve never met Stephen in person, so in one sense, to me, he\u2019s just another source of keystrokes claiming to represent a person. 
But behind those keystrokes there is a mind, and I\u2019ve observed the workings of that mind for some years now, and that track record does, as Stephen says, powerfully authenticate him.<\/p>\n<p style=\"margin-left: 30px\">\u201cCall me naive,\u201d Stephen says, \u201cbut I\u2019d like to think that my track record here counts for something.\u201d<\/p>\n<p style=\"margin-left: 30px\">Reprising the comment I made on his blog: it counts for a lot, and I rely on mine in just the same way for the same reasons. But: counts <em>for whom<\/em>? Will the millions who were first introduced to Kathy Sierra and Chris Locke on CNN recently bother to explore their track records and reach their own conclusions?<\/p>\n<p style=\"margin-left: 30px\">More to the point, what about Alan Herrell\u2019s<sup>1<\/sup> track record? I would be inclined to explore it but I can\u2019t, now, without digging it out of the Google cache.<\/p>\n<p style=\"margin-left: 30px\">The best defense is a strong track record <em>and<\/em> an online identity that\u2019s as securely yours as is feasible.<\/p>\n<p style=\"margin-left: 30px\">The identity metasystem that Kim Cameron has been defining, building, and evangelizing is an important step in the right direction. I thought so before I joined Microsoft, and I think so now.<\/p>\n<p style=\"margin-left: 30px\">It\u2019s <em>not<\/em> a panacea. Security is a risk continuum with tradeoffs all along the way. Evaluating the risk and the tradeoffs, in meatspace or in cyberspace, is psychologically hard. Evaluating security technologies, in both realms, is intellectually hard. 
But in the long run we have no choice, we have to deal with these difficulties.<\/p>\n<p style=\"margin-left: 30px\">The other day I lifted this quote from my <a href=\"http:\/\/blog.jonudell.net\/2007\/03\/30\/a-conversation-with-phil-libin-about-real-id\/\"><font color=\"#b54141\">podcast with Phil Libin<\/font><\/a>:<\/p>\n<p style=\"margin-left: 60px\">The basics of asymmetric cryptography are fundamental concepts that any member of society who wants to understand how the world works, or could work, needs to understand.<\/p>\n<p style=\"margin-left: 30px\">When Phil said that, my reaction was, \u201cOh, come on, I\u2019d like to think that could happen but let\u2019s get real. Even I have to stop and think about how that stuff works, and I\u2019ve been aware of it for many years. How can we ever expect those concepts to penetrate the mass consciousness?\u201d<\/p>\n<p style=\"margin-left: 30px\">At 21:10-23:00 in the podcast<sup>2<\/sup>, Phil answers in a fascinating way. Ask twenty random people on the street why the government can\u2019t just print as much money as it wants, he said, and you\u2019ll probably get \u201ca reasonable explanation of inflation in some percentage of those cases.\u201d That completely abstract principle, unknown before Adam Smith, has sunk in. Over time, Phil suggests, the principles of asymmetric cryptography, as they relate to digital identity, will sink in too. 
But not until those principles are embedded in common experiences, and described in common language.<\/p>\n<p>Beyond Stephen O&#39;Grady&#39;s piece, the reactions of Jon&#39;s readers are of interest too.&nbsp; In fact, I&#39;m going to&nbsp;post Richard&#39;s comments so that everyone gets to see them.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Jon says, &#8220;we should make it a lot harder for the impersonating puppet master to seize control of the strings.&#8221;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,13,23,5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/749"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=749"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/749\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=749"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=749"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=749"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}