Ben Laurie blathering

Self-issued Cards Are More Secure

Pamela Dingle takes some Liberty dudes to task for being obsessed with the letter of the spec. Her perfectly reasonable stance is that if she chooses to link a self-issued infocard to her bank account, then that’s at least as secure as any other means we know of for authenticating. Of course, she’s left out of this equation how she gets to make that association, and, of course, the Liberty dudes think you should only make such associations via the middleman of some kind of certificate issuer.

But there’s no reason to involve any card issuers in this at all – we have to have a relationship with the bank to get this off the ground in the first place, regardless of authentication mechanism, and, however that relationship works, we can use it to inform the bank about our self-issued card. Once we’ve done that we have strong authentication with the bank, no need for IdPs, CAs or any of that stuff. In fact, our authentication is stronger than if we had involved a third party – with a self-issued card, no-one else is in a position to make a forgery.

And, of course, we’ve removed a potential correlator of our activities from the equation. Score one for privacy.
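The trust argument above as an added sketch (not code from the original post): a bank that pins the key of a self-issued card, registered over the existing customer relationship, beside a bank that accepts whatever a third-party issuer signs. The class names, the account id and the use of Ed25519 are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical.
const crypto = require('crypto');

const sign = (key, msg) => crypto.sign(null, Buffer.from(msg), key);
const verify = (key, msg, sig) => crypto.verify(null, Buffer.from(msg), key, sig);

// Model A: the bank stores the public key of the customer's self-issued card,
// handed over through the relationship the customer already has with the bank.
class PinnedKeyBank {
  constructor() { this.cards = new Map(); }
  enrol(account, publicKey) { this.cards.set(account, publicKey); }
  login(account, challenge, sig) {
    const key = this.cards.get(account);
    return key !== undefined && verify(key, challenge, sig);
  }
}

// Model B: the bank accepts any assertion carrying the third-party issuer's signature.
class IssuerTrustingBank {
  constructor(issuerPublicKey) { this.issuerKey = issuerPublicKey; }
  login(assertion, sig) {
    if (!verify(this.issuerKey, assertion, sig)) return null;
    return JSON.parse(assertion).account;
  }
}

function demo() {
  const customer = crypto.generateKeyPairSync('ed25519');
  const issuer = crypto.generateKeyPairSync('ed25519');
  const challenge = crypto.randomBytes(16).toString('hex'); // fresh per login

  const bankA = new PinnedKeyBank();
  bankA.enrol('acct-1001', customer.publicKey); // constructed account id
  const bankB = new IssuerTrustingBank(issuer.publicKey);
  const assertion = JSON.stringify({ account: 'acct-1001', challenge });

  return {
    // The card holder authenticates under model A.
    ownerPinned: bankA.login('acct-1001', challenge, sign(customer.privateKey, challenge)),
    // The issuer's key is worthless against a pinned self-issued card.
    issuerPinned: bankA.login('acct-1001', challenge, sign(issuer.privateKey, challenge)),
    // Under model B the issuer's key alone produces a login for the account,
    // with the customer's key never involved.
    issuerTrusted: bankB.login(assertion, sign(issuer.privateKey, assertion)),
  };
}
```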

1 Comment

  1. Ben – I see where you are coming from, but I guess that I still have to disagree:

    When you delegate the responsibility of authentication to the end-user, you open up the possibility for all kinds of security negligence accusations from the RP: that they did not safeguard their laptops, forgot to install security patches etc.

    This could – given the state the legal system is in – result in the undesirable situation where a large corporation with a sufficient number of lawyers on staff can (largely) shake off liability claims by pointing the finger at the end-user.

    On the other side, the RP could potentially find itself in the unfortunate situation of having recommended a security technology that didn’t hold (am not inferring anything negative about Windows CardSpace here – it’s just an example). This in turn would allow for class-action lawsuits that can be equally unpleasant.

    The introduction of a mutually trusted third party is IMO – overall – beneficial to both, end-user and RP; and not only because of the simple argument above. It also allows both the RP and the end-user to delegate the highly complex area of distributed security to someone that (hopefully) understands what they are doing.



    Comment by Gerald Beuchelt — 7 Nov 2007 @ 5:11
