Proving identity is likely to remain remarkably difficult in a world where it is trivial to take over someone’s computer from half a world away and operate it as your own. As long as that remains true, building a completely trustable system will remain virtually impossible.
As far as I can tell, Clean Slate itself doesn’t make this stupid claim; the NYT decided to add it for themselves. But why do they think identification is relevant? Possibly because we are surrounded by the same spurious claim. For example…
- We need ID cards because they will prevent terrorism.
- We shouldn’t run software on our Windows box that isn’t signed because that’ll prevent malware.
- We should only connect to web servers that have certificates from well-known CAs because only they can be trusted.
- The guys who crashed the planes were all carrying ID. Didn’t help.
- The guys who blew up the train in Spain were all carrying ID. Didn’t help.
- People get hacked via their browser all the time. Did signing it help?
- What does it take to sign code? A certificate, issued by a CA…
- What does it take to get a certificate? Not much … proof that you own a domain, in fact. So, I can trust the server because the guy that owns it can afford to pay Joker $10? And I can trust the code he signed? Why?
Nope. Security is not about knowing who gave you the code that ate your lunch – security is about having a system that is robust against code that you don’t trust. The identity of the author of that code should be irrelevant.