RE: Security-by-credential or security-by-inspection
Tim May[SMTP:tcmay@got.net] wrote
The confusion "Nomen Nescio" shows in thinking that an is-a-person government tracking system fixes the airline security problem is common these days. It's the same confusion that causes many to think national I.D. cards will fix current pressing problems. They won't.
This is the same "security ticket" problem that shows up in computer security with malicious actors obtaining passwords or other access permissions.
The time-honored alternative for airline security, and many other types of security, is to not rely on permission slips or identity credentials. Rather, it is to PHYSICALLY inspect.
Think of this as a "capability," in OS/KeyKOS/E language terms. Instead of some security or identity credential, a direct determination that an object (passenger) can only have certain kinds of access and property combinations ("no bombs allowed with passenger"). The way to ensure that an object or agent does not go outside certain bounds (e.g., to erase or overwrite files) is not to trust some issuer of a credential from afar but to require specific allocation of access rights in the object or actor itself. (This is not meant to be the most concise or elegant phrasing of what capabilities are. Cf. the usual sources, including Hardy, Tenenbaum, Miller, etc.)
[good stuff deleted]

I've been thinking along these lines myself - Tim got to the post first. There are two points I'd like to make.

1. The reasons which are publicly aired for installing the current 'security' regime are (in my considered opinion) NOT the actual reasons.

US airlines insisting on IDs which match tickets has nothing to do with airline security, and everything to do with extracting as much cash as possible from the public.

Before the Pan Am 800 accident, when people were freer, there was a secondary market in airline tickets which the original purchasers could not, for one reason or another, use. If you bought a non-refundable return ticket, and then could not use it, you could sell it to someone who did want to travel on those dates to that location. The price varied, but was less than the cost to the repurchaser of buying a ticket from the airline.

Due to the vast cost differential (up to 10:1) between the cost of a ticket to fly tomorrow, vs the cost of a 'two week advance, stay Saturday night' Supersaver, it was actually economic for large corporations to buy a steady supply of Supersavers, and hand them out in pairs to execs who had to make quick trips - it was cheaper to eat the cost of the unused whole or half tickets than to buy them only when they were needed.

The airlines hated this. The 'you must have a government id which matches the name on the ticket' rule put an end to the fungibility of airline tickets, which boosted their bottom line. It's got nothing to do with security.

-----------

2. The capability vs credential argument runs all through security.

For example: Signed ActiveX code is using the credential model, while the Java sandbox uses the capability model.

Another: 'Trust us not to look at your email without a warrant' is the credential model. 'Encrypt your email so they can't look at it' is the capability model.

Techies tend to prefer the capability model over the credential model - it not only works, but can be seen to work, and does not rely on trust. Institutions prefer that people use the credential model, since that allows them to change the rules at the drop of a hat.

You can imagine applying the two models to airline passengers, both of which would act to reduce the frequency of security problems:

1. Capability model: You don't need to have ID at all, you can pay cash on the plane (as I used to do on People Express) but you'll get searched up the wazoo, and everything down to a too-sharp pencil confiscated.

2. Credential model: You can take your Glock on board, provided it's loaded with frangible bullets. However you'll have to have biometrically enabled ID from the NRA certifying that you've taken the 'Guns on Planes' course, a signed affidavit from a psychiatrist saying you're sane and not overly excitable, and a note from Mom saying you can.

Both are better from a security point of view than having unidentified armed people on board.

Always remember: The *stated* reason an institution puts a restrictive policy in place does not necessarily have anything to do with the *actual* reason the institution wants to put it in place.

Peter Trei
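Added example, not part of the original post: a small Python model of the two approaches contrasted above, running the same hostile plugin once behind a verified credential and once holding a single read capability. The HMAC-signed ticket, the in-memory file store and every name here are constructed for illustration, and Python closures are not a hard isolation boundary, so this models the idea rather than enforcing it.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed sample secret
FILES = {"report.txt": "q3 numbers", "payroll.txt": "salaries"}  # constructed data


def _tag(user):
    return hmac.new(ISSUER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_credential(user):
    """The issuer vouches for a name, not for what the bearer will do."""
    return user, _tag(user)


def credential_run(credential, plugin):
    """Credential model: check the ticket, then grant ambient authority."""
    user, tag = credential
    if not hmac.compare_digest(tag, _tag(user)):
        raise PermissionError("bad credential")
    store = dict(FILES)
    plugin(store)  # the whole store: read, overwrite, delete
    return store


def capability_run(plugin):
    """Capability model: no identity check; the plugin holds one narrow right."""
    store = dict(FILES)

    def read_report():  # the only access right allocated to the plugin
        return store["report.txt"]

    plugin(read_report)
    return store


def hostile(handle):
    """Same hostile plugin in both runs: blanks every file it can reach."""
    try:
        for name in list(handle):
            handle[name] = ""
    except TypeError:
        pass  # a read-only capability is neither iterable nor writable


if __name__ == "__main__":
    print(credential_run(issue_credential("mallory"), hostile))  # files blanked
    print(capability_run(hostile))  # files intact
```

The credential check passes for any validly issued ticket, so the damage is bounded only by the issuer's judgment; in the capability run the damage is bounded by what was handed over.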