Re: Security-by-credential or security-by-inspection
Greg Broiles and Peter Trei both make excellent points. I kind of regret not spending an hour or so writing a more complete essay. But I wanted to get some of the ideas out, mainly to refute the wrong-headed ideas floating around from folks as diverse as John Ashcroft and Nomen Whatever.

Fact is, we have gone down the "is-a-person" route, and the crypto literature is filled with some good discussions, mainly back in the mid- to late-80s. (See Crypto proceedings for papers by Micali, Fiat, Shamir, and others on "is-a-person" issues. Note especially the vexing problem of what happens when some states (Libya, the United States) issue false credentials. Think of what is-a-person means for states which issue fake credentials, a la the Witness Security Program, agents of various kinds, etc. A t.v. show I like, one of the crop of several such shows (including UC: Undercover, Alias, and 24), is "The Agency." It shows an impressive faking department at work, generating flawless passports, flawless travel documents, excellent "legends," etc. There is no reason to believe that WTC attackers could not have similar state-issued credentials, nor is there reason to believe that private actors cannot generate similar credentials. This is well-known in the biometric security community, and was well-known several decades ago....remember the scene in "Thunderball" where the guy's eyeballs are taken out to gain access to nukes?)

The security-by-credential vs. security-by-inspection (capability, direct verification) debate is something which should be getting much more attention. Alas, it is "too obscure" for politicians and legal types...it has taken them a couple of decades to begin to absorb the concept of digital signatures. But there is no excuse for all of the careless thought here on this list (and other lists) such as we have seen from some.

A few comments:

On Thursday, November 8, 2001, at 12:58 PM, Trei, Peter wrote:
> I've been thinking along these lines myself - Tim got to the post first.
Like I said, it needs a full-blown article. All I had the time and energy to do was to throw some basic points out.
> There are two points I'd like to make.
>
> 1. The reasons which are publicly aired for installing the current 'security' regime are (in my considered opinion) NOT the actual reasons.
>
> US airlines insisting on IDs which match tickets has nothing to do with airline security, and everything to do with extracting as much cash as possible from the public.
>
> ...
>
> Due to the vast cost differential (up to 10:1) between the cost of a ticket to fly tomorrow vs. the cost of a 'two week advance' ... The airlines hated this. The 'you must have a government ID which matches the name on the ticket' rule put an end to the fungibility of airline tickets, which boosted their bottom line.
Indeed, they leapt on "mandatory ID" with great enthusiasm. Without it being mandatory, without this market distortion, then of course some airlines might have (and did) require government identity credentials and some airlines might not have. Indeed, many did not. There's no evidence that airline security was any lower in those days. In fact, the 9/11 attack happened _after_ the ID regimen, and Atta and others all had government-granted IDs. Q.E.D.

Anyway, when the government mandated ID, thus distorting the market, the airlines no longer had to "compete" on the basis of their policies. The result is as Peter said: increased overall costs to business (with increased profits, for a while) to the airlines. (Long-term, it may be that corporations are travelling less. Given a choice between buying a ticket between Chicago and St. Louis for $1000, the going no-notice travel rate, and having a pool of cheaper tickets to use, this may have something to do with a decline in business travel. It's got to be one of the contributing factors.)
> 2. The capability vs credential argument runs all through security. For example: Signed ActiveX code is using the credential model, while the Java sandbox uses the capability model.
>
> Another: 'Trust us not to look at your email without a warrant' is the credential model. 'Encrypt your email so they can't look at it' is the capability model.
A good insight. I hadn't been thinking of encryption in terms of the capability model, but it may fit the model. I'll have to think about this some more. I tend to think of encryption as being "objects carrying their own protection." Though giving another actor a key is thus like giving them a capability to access the object, so I suspect your model is correct.
> Techies tend to prefer the capability model over the credential model - it not only works, but can be seen to work, and does not rely on trust. Institutions prefer that people use the credential model, since that allows them to change the rules at the drop of a hat.
Yes, local behavior. Objects, contracts, local enforcement, distributed control, redundancy, non-hierarchical, information-hiding. Many of us believe this is a reason so many software people are libertarians.
> You can imagine applying the two models to airline passengers, both of which would act to reduce the frequency of security problems:
>
> 1. Capability model: You don't need to have ID at all, you can pay cash on the plane (as I used to do on People Express) but you'll get searched up the wazoo, and everything down to a too-sharp pencil confiscated.
>
> This works because security is dependent on the dangers actually _carried_ by the passenger. (This does not apply as well to, say, Presidential security, because an actor (an agent, not a Reagan) may carry deadly capabilities in--to use the hackneyed expression--his bare hands.)
>
> 2. Credential model: You can take your Glock on board, provided it's loaded with frangible bullets. However you'll have to have biometrically enabled ID from the NRA certifying that you've taken the 'Guns on Planes' course, a signed affidavit from a psychiatrist saying you're sane and not overly excitable, and a note from Mom saying you can.
>
> Both are better from a security point of view than having unidentified armed people on board.
And the fallacy people like Nomen Nescio have been making is to assume that "not requiring ID" means there are no other ways to get security. In fact, of the two options above, I'd rather travel under #1. Given how easily credentials may be faked, given the fact that credentials don't imply trustworthiness, given a lot of other factors, the presence of a credential is not very convincing.

As I mentioned in my post, there are private travel companies (like FlexJet) which carry VIPs and execs and people they have come to trust. "Know your passenger" works...always has. Not perfectly, but better than most alternatives.

Note for Nomen: This is NOT a call for the FAA to adopt some bureaucratic "know your passenger" policy, akin to "know your customer" rules for banks. ("Know your customer" rules for banks are also bogus, but this is another issue. A good topic to think about.)

Regrettably, these interesting debates are completely orthogonal to the banal debates actually going on in America.

--Tim May

"Ben Franklin warned us that those who would trade liberty for a little bit of temporary security deserve neither. This is the path we are now racing down, with American flags fluttering."-- Tim May, on events following 9/11/2001
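The credential-vs-capability distinction Peter draws (signed ActiveX vs. the Java sandbox; "trust us" vs. "encrypt it") and Tim's observation that handing someone a key is handing them a capability can be made concrete in code. The following is an added illustration written for this page, not code from either poster: a credential gate that admits on the strength of strings on a document, beside a capability gate that admits only a token minted under a secret the gate itself holds. The issuer name, holder name, resource name and rights are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# ---------------------------------------------------------------------------
# Credential model: the gate decides by WHO the presenter claims to be.
# It compares fields on a document against trusted lists; it never verifies
# that the document is bound to the person holding it. (Names constructed.)
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class Credential:
    holder: str
    issuer: str


TRUSTED_ISSUERS = {"Example State DMV"}   # constructed for this example
APPROVED_HOLDERS = {"alice"}              # constructed "may board" list


def credential_gate(cred: Credential) -> bool:
    """Admit if the issuer is trusted and the holder is on the approved list.

    A forged document carrying the same strings is indistinguishable from the
    genuine one: the check rests entirely on trusting the issuer and the list.
    """
    return cred.issuer in TRUSTED_ISSUERS and cred.holder in APPROVED_HOLDERS


# ---------------------------------------------------------------------------
# Capability model: the gate decides by WHAT the presenter holds.
# A capability here is an HMAC tag over (resource, right) under a key only
# the issuer knows. Whoever holds a valid tag is authorised; whoever does
# not cannot fabricate one without the key.
# ---------------------------------------------------------------------------

class CapabilityIssuer:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # never leaves this object

    def _tag(self, resource: str, right: str) -> bytes:
        msg = f"{resource}\x00{right}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def grant(self, resource: str, right: str) -> bytes:
        """Mint a capability for (resource, right). Passing it on delegates it."""
        return self._tag(resource, right)

    def check(self, token: bytes, resource: str, right: str) -> bool:
        """True iff the token was minted by this issuer for exactly this pair."""
        return hmac.compare_digest(token, self._tag(resource, right))


def demo() -> dict:
    """Run both gates against genuine and forged presenters; return outcomes."""
    genuine = Credential(holder="alice", issuer="Example State DMV")
    # Same strings on the document, different person behind it.
    forged = Credential(holder="alice", issuer="Example State DMV")

    issuer = CapabilityIssuer()
    alice_cap = issuer.grant("flight-123", "board")
    # Delegation: alice hands her token to bob; the gate admits bob, as Tim
    # notes about handing over a key.
    bob_cap = alice_cap
    # A forger knows the resource and right but not the key, so the best
    # available guess is an unkeyed hash of the same message.
    forged_cap = hashlib.sha256(b"flight-123\x00board").digest()

    return {
        "credential_genuine": credential_gate(genuine),
        "credential_forged": credential_gate(forged),      # gate cannot tell
        "capability_genuine": issuer.check(alice_cap, "flight-123", "board"),
        "capability_delegated": issuer.check(bob_cap, "flight-123", "board"),
        "capability_forged": issuer.check(forged_cap, "flight-123", "board"),
        "capability_wrong_right": issuer.check(alice_cap, "flight-123", "cockpit"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The credential gate returns True for both the genuine and the forged document, which is the point about faked credentials: the gate checks claims, and trust in the claims is the whole mechanism. The capability gate admits any holder of the minted token (delegation works, identity is irrelevant), rejects a token minted without the key, and rejects a valid token presented for a right it was not minted for.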