[Freedombox-discuss] Identity management

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 23 18:05:17 UTC 2012 

On 02/22/2012 04:47 PM, Mike Rosing wrote:
> On Wed, 22 Feb 2012, Daniel Kahn Gillmor wrote:
>> OpenPGP as a cryptosystem (and GnuPG as an implementation of it) is
>> malleable enough to have the user's identity stored in their head.  the
>> trouble is: for precision storage of high-entropy data, most human heads
>> just aren't particularly capable, and a brute-force machine can pretty
>> rapidly exhaust most human minds.
> 
> You don't always need high entropy.  This is a weak point no matter how
> you do it.

Perhaps we're talking about different things.  If your confidentiality
and your identity are protected by a low-entropy secret, then a computer
that can afford to burn a bunch of cycles can simply brute-force search
all possible secrets until it stumbles across the one you use.

You do need high-entropy secrets if you want to protect users from brute
force attacks.

And unfortunately, humans are terrible at precisely remembering
high-entropy secrets.

> This goes back to "you know something" and "You have something" - classic
> real security.  What you are saying is that to have real security you
> need a crypto keyboard - everything the user does is encrypted before it
> enters the "open" part of the system.  If the "cognitive prosthetic" is
> in the users hands then what gets captured doesn't matter.  If the
> "cognitive prosthetic" is out on the network sitting on a disk, that
> disk becomes a target.

i'm not sure why you call this a "crypto keyboard" -- i would look at it
more as a laptop, smartphone, or other device that is fully under the
control of the user.  This is the TPC concept in a nutshell.

>> Humans are a critical part of any security system.  We need to make
>> systems that expose the security features to the users in ways that they
>> understand, can relate to, and are engaged by.
> 
> 100% agree with that.  Anything that takes longer than 3 seconds isn't
> going to fly.

i'm not sure your last sentence follows from the one before it.  Humans
can be engaged by processes that take longer than 3 seconds.  look at
the amount of time wasted every day on social networking!

>> 0) Am i anonymous in this communication?  or have i claimed an identity
>> (and which one)?  if i've claimed an identity, have i proved that i am
>> that identity, or is it just an asserted-but-unproven claim?
>>
>> 1) Do i know who sent me the data i'm looking at (or listening to)?
>> Who is the sender?
> 
> If we are using anonymous coms these answers become vague.  We can at
> least know it's same anonymous id, but that's about it.

When talking about these things, it's worth distinguishing between
anonymous and pseudonymous communications.

There are a few normal situations where fully-anonymous communications
are warranted (e.g. leaks, or other situations where the material being
presented can speak for itself).  In most communications between humans,
however, you would like to be able to know who you're talking to, at
least to the level of "this is the same person i argued with about the
merits of horseradish on sandwiches back in August".

This is particularly true if you care about being able to have
confidential communications; without knowing who the other endpoint of
the communications is, how can you say that your communications are
confidential?

This is another situation where having a TPC (or any other "cognitive
prosthetic" like the freedombox) comes in handy -- the trusted device
can help you to correlate communications between different peers,  and
maybe even keep track yourself of the relationships between those peers.

> So the assumption is that users of Freedombox will be educated about
> security issues, they will know when they are taking risks and what the
> results of those risks might be, and they will have access to safe
> equipment.  Security is not "invisible".  That's the philosophy we're
> working with - yes?

If we can help freedombox users to reach those ideals, yes, i think that
would be a good thing.  "Security" itself is too vague of a word,
though, and i don't think it communicates anything particularly useful
or human-meaningful on its own.  I'd prefer it if we (and the freedombox
UI) could refer explicitly to the relevant underlying concepts
(confidentiality, authenticity, anonymity, etc) instead of just "security".

	--dkg

More information about the Freedombox-discuss mailing list