Security-by-credential or security-by-inspection

Tim May tcmay at got.net
Thu Nov 8 14:22:39 PST 2001


Greg Broiles and Peter Trei both make excellent points. I kind of regret 
not spending an hour or so writing a more complete essay. But I wanted 
to get some of the ideas out, mainly to refute the wrong-headed ideas 
floating around from folks as diverse as John Ashcroft and Nomen 
Whatever.

Fact is, we have gone down the "is-a-person" route, and the crypto 
literature is filled with some good discussions, mainly back in the mid- 
to late-80s. (See Crypto proceedings for papers by Micali, Fiat, Shamir, 
and others on "is-a-person" issues. Note especially the vexing problem 
of what happens when some states (Libya, the United States) issue false 
credentials.)

(Think of what is-a-person means for states which issue fake 
credentials, a la the Witness Security Program, agents of various kinds, 
etc. A t.v. show I like, one of the crop of several such shows 
(including UC: Undercover, Alias, and 24) is "The Agency." It shows an 
impressive faking department at work, generating flawless passports, 
flawless travel documents, excellent "legends," etc. There is no reason 
to believe that WTC attackers could not have similar state-issued 
credentials, nor is there reason to believe that private actors cannot 
generate similar credentials. This is well-known in the biometric 
security community, and was well-known several decades ago... remember 
the scene in "Thunderball" where the guy's eyeballs are taken out to 
gain access to nukes?)

The security-by-credential vs. security-by-inspection (capability, 
direct verification) debate is something which should be getting much 
more attention. Alas, it is "too obscure" for politicians and legal 
types... it has taken them a couple of decades to begin to absorb the 
concept of digital signatures.

But there is no excuse for all of the careless thought here on this list 
(and other lists) such as we have seen from some.

A few comments:

On Thursday, November 8, 2001, at 12:58 PM, Trei, Peter wrote:
>
> I've been thinking along these lines myself - Tim got to the post
> first.


Like I said, it needs a full-blown article. All I had the time and 
energy to do was to throw some basic points out.

> There are two points I'd like to make.
>
> 1. The reasons which are publicly aired for installing the current
> 'security' regime are (in my considered opinion) NOT the
> actual reasons.
>
> US airlines insisting on IDs which match tickets has nothing to
> do with airline security, and everything to do with extracting as
> much cash as possible from the public.

> ...

> Due to the vast cost differential (up to 10:1) between the cost
> of a ticket to fly tomorrow, vs the cost of a 'two week advance,
> The airlines hated this. The 'you must have a government id
> which matches the name on the ticket' rule put an end to
> the fungibility of airline tickets, which boosted their bottom
> line.

Indeed, they leapt on "mandatory ID" with great enthusiasm.

Without it being mandatory, without this market distortion, then of 
course some airlines might have (and did) require government identity 
credentials and some airlines might not have. Indeed, many did not. 
There's no evidence that airline security was any lower in those days. 
In fact, the 9/11 attack happened _after_ the ID regimen, and Atta and 
others all had government-granted IDs. Q.E.D.

Anyway, when the government mandated ID, thus distorting the market, the 
airlines no longer had to "compete" on the basis of their policies. The 
result is as Peter said: increased overall costs to business (with 
increased profits, for a while) to the airlines.

(Long-term, it may be that corporations are travelling less. Given a 
choice between buying a ticket between Chicago and St. Louis for $1000, 
the going no-notice travel rate, and having a pool of cheaper tickets to 
use, this may have something to do with a decline in business travel. 
It's got to be one of the contributing factors.)
>
> 2. The capability vs credential argument runs all through
> security. For example: Signed ActiveX code is using the
> credential model, while the Java sandbox uses the capability
> model.
>
> Another: 'Trust us not to look at your email without a warrant'
> is the credential model. 'Encrypt your email so they cant look
> at it' is the capability model.

A good insight. I hadn't been thinking of encryption in terms of the 
capability model, but it may fit the model. I'll have to think about 
this some more.

I tend to think of encryption as being "objects carrying their own 
protection."  Though giving another actor a key is thus like giving them 
a capability to access the object, so I suspect your model is correct.


>
> Techies tend to prefer the capability model over the credential
> model - it not only works, but can be seen to work, and does
> not rely on trust. Institutions prefer that people use the
> credential model, since that allows them to change the rules
> at the drop of a hat.

Yes, local behavior. Objects, contracts, local enforcement, distributed 
control, redundancy, non-hierarchical, information-hiding. Many of us 
believe this is a reason so many software people are libertarians.
>

> You can imagine applying the two models to airline passengers,
> both of which would act to reduce the frequency of security
> problems:
>
> 1. Capability model: You don't need to have ID at all, you can
> pay cash on the plane (as I used to do on People Express)
> but you'll get searched up the wazoo, and everything down to
> a too-sharp pencil confiscated.

This works because security is dependent on the dangers actually 
_carried_ by the passenger.

(This does not apply as well to, say, Presidential security, because an 
actor (an agent, not a Reagan) may carry deadly capabilities in--to use 
the hackneyed expression--his bare hands.)
> 2. Credential model: You can take your Glock on board,
> provided it's loaded with frangible bullets. However you'll
> have to have biometrically enabled ID from the NRA certifying
> that you've taken the 'Guns on Planes' course, a signed
> affidavit from a psychiatrist saying you're sane and not
> overly excitable, and a note from Mom saying you can.
>
> Both are better from a security point of view than having
> unidentified armed people on board.

And the fallacy people like Nomen Nescio have been making is to assume 
that "not requiring ID" means there are no other ways to get security.

In fact, of the two options above, I'd rather travel under #1. Given how 
easily credentials may be faked, given the fact that credentials don't 
imply trustworthiness, given a lot of other factors, the presence of a 
credential is not very convincing.

As I mentioned in my post, there are private travel companies (like 
FlexJet) which carry VIPs and execs and people they have come to trust. 
"Know your passenger" works...always has. Not perfectly, but better than 
most alternatives.

Note for Nomen: This is NOT a call for the FAA to adopt some 
bureaucratic "know your passenger" policy, akin to "know your customer" 
rules for banks. ("Know your customer" rules for banks are also bogus, 
but this is another issue. A good topic to think about.)

Regrettably, these interesting debates are completely orthogonal to the 
banal debates actually going on in America.


--Tim May
"Ben Franklin warned us that those who would trade liberty for a little 
bit of temporary security deserve neither. This is the path we are now 
racing down, with American flags fluttering."-- Tim May, on events 
following 9/11/2001
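An added example, not part of Tim May's or Peter Trei's posts, that puts Peter's two models and Tim's "giving someone a key is giving them a capability" remark into running code. The credential side verifies an authority-signed identity assertion and then consults a policy table the operator controls; the capability side seals the object under a key, so reading it depends on possession, not on any authority or table. All names, keys and the message are constructed for the demo. The sealing routine is an HMAC-SHA256 counter-mode stream with a separate MAC subkey, chosen only so the block runs on the Python standard library; it stands in for whatever real authenticated cipher one would deploy.

```python
"""Credential-gated access versus key-gated (capability) access.

Constructed demonstration; names, keys and the message are made up.
"""
import hashlib
import hmac
import os
import secrets

MESSAGE = b"meet at the usual place"      # constructed sample object

# ---------------- Credential model ----------------
# An authority signs "this bearer is <name>"; the verifier trusts the authority
# and then looks <name> up in a policy table it controls. The object itself is
# plaintext the whole time, so the policy table (and the authority) decide
# who reads it.

AUTHORITY_KEY = secrets.token_bytes(32)   # constructed "authority" signing key


def issue_credential(name: str, key: bytes = AUTHORITY_KEY) -> bytes:
    """The authority mints a credential for any name it chooses."""
    return hmac.new(key, name.encode(), hashlib.sha256).digest()


def credential_read(name: str, credential: bytes, policy: set,
                    plaintext: bytes, key: bytes = AUTHORITY_KEY):
    """Release the object if the credential verifies and the policy allows it."""
    if not hmac.compare_digest(issue_credential(name, key), credential):
        return None                       # credential not from the authority
    if name not in policy:
        return None                       # authority vouches, but policy says no
    return plaintext


# ---------------- Capability model ----------------
# The object carries its own protection: it is sealed under a key and can be
# opened only by a key holder. No authority is consulted and there is no
# policy table for an operator to edit after the fact.

def _subkeys(key: bytes):
    """Derive independent encryption and MAC subkeys from one capability key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo construction)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce(16) || ciphertext || tag(32); only key holders can open it."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc, nonce, len(body))))


def demo() -> dict:
    """Run both models over the same object and report who could read it."""
    r = {}
    # Credential model: access is whatever the policy table currently says.
    policy = {"alice"}
    r["cred_alice"] = credential_read("alice", issue_credential("alice"), policy, MESSAGE)
    r["cred_no_credential"] = credential_read("mallory", b"\x00" * 32, policy, MESSAGE)
    policy.add("operator")                # the institution changes the rules
    r["cred_operator_after_rule_change"] = credential_read(
        "operator", issue_credential("operator"), policy, MESSAGE)
    # The authority can mint a perfectly valid "alice" credential for anyone;
    # the verifier has no way to tell it apart from the real one.
    r["cred_authority_issued_false_credential"] = credential_read(
        "alice", issue_credential("alice"), policy, MESSAGE)

    # Capability model: access is possession of the key, nothing else.
    alice_key = secrets.token_bytes(32)
    blob = seal(alice_key, MESSAGE)
    r["cap_key_holder"] = open_sealed(alice_key, blob)
    r["cap_wrong_key"] = open_sealed(secrets.token_bytes(32), blob)
    r["cap_tampered_blob"] = open_sealed(alice_key, blob[:-1] + bytes([blob[-1] ^ 1]))
    r["cap_bob_given_the_key"] = open_sealed(alice_key, blob)   # key = capability
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40s} {v!r}")
```

The two halves fail in different ways, which is the point of the thread: under the credential model the verifier is only as good as the authority and the policy table, and both can be changed or misused without the object itself resisting; under the capability model an operator edit, a forged identity, or a modified blob gets nobody anywhere, while handing Bob the key hands him exactly the same access Alice has.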