In a famous cartoon published in the late 1990s in The New Yorker,
a dog typing at a computer terminal says to another dog: "On the
internet, no one knows you're a dog."
This authentication problem is a real issue for virtually
everyone on the internet (albeit with a less canine aspect). The
problem has become more acute as fraudulent strategies like
phishing and pharming have exploited the
lack of internet authentication. But the solution remains
unclear.
About the time that the cartoon was published and dotcom
business was booming, those who proposed to solve this problem
tended to have global ambitions.
Proposed global authentication solutions included the
cryptographic
public key infrastructures (PKIs) offered by
entities such as VeriSign, WiSeKey and Thawte, as well as the
Microsoft Passport project. Products that afforded less trust to
a central entity included the PGP "web of trust".
But none of these projects has had global success in selling
authentication. The most successful is perhaps VeriSign, with its
leading market position in selling SSL server certificates.
However, this is likely because such certificates do not require
real authentication, but simply a cryptographic association of a
public key with a URL.
There appears to be no single answer to the key authentication
question: "Who should I trust?" This problem of trust is not a new
one, and has always existed for societies that have had
interactions outside of local communities where all participants
are (mostly) known to each other. Solutions to the trust problem
have always been varied, and are very likely to remain so on the
internet.
There is increasing recognition that different authentication
and identity management systems are appropriate to different
applications, to enable users to deal with different situations
which inevitably involve variation in commercial, legal and other
risks.
For example, while global PKIs have not been successful, an
increasing number of companies are adopting internal PKIs. This is
a manageable and useful approach within the corporate environment,
where means of reliably and efficiently identifying individuals are
already readily available.
Likewise, biometrics has long been recognised as an excellent
authentication method for a diverse population, but it is often
complex and expensive to implement. However, in focused situations
where individuals can be channelled to biometric authentication
equipment, biometric systems can make very good sense. Similarly,
banks and credit card companies have become particularly adept at
using a variety of authentication methods.
Digital identity management is moving away from a "one size fits
all" approach towards systems that are highly tailored to the trust
and authentication risks that they are designed to address. In this
evolving environment, your dog may still be able to disguise
himself in an internet chat room, but it is much less likely that
he will be able to empty your bank account.
● Maury Shenk is a partner at law firm Steptoe and Johnson
and head of European Legal Programme Sans