Security-by-credential or security-by-inspection

Trei, Peter ptrei at rsasecurity.com
Thu Nov 8 12:58:04 PST 2001


> Tim May[SMTP:tcmay at got.net] wrote
> 
> The confusion "Nomen Nescio" shows in thinking that an is-a-person 
> government tracking system fixes the airline security problem is common 
> these days. It's the same confusion that causes many to think national 
> I.D. cards will fix current pressing problems. They won't.
> 
> This is the same "security ticket" problem that shows up in computer 
> security with malicious actors obtaining passwords or other access 
> permissions.
> 
> The time-honored alternative for airline security, and many other types 
> of security, is to not rely on permission slips or identity credentials. 
> Rather, it is to PHYSICALLY inspect.
> 
> Think of this as a "capability," in OS/KeyKOS/E language terms. Instead of 
> some security or identity credential, a direct determination that an 
> object (passenger) can only have certain kinds of access and property 
> combinations ("no bombs allowed with passenger"). The way to ensure that 
> an object or agent does not go outside certain bounds (e.g., to erase or 
> overwrite files) is not to trust some issuer of a credential from afar 
> but to require specific allocation of access rights in the object or 
> actor itself. (This is not meant to be the most concise or elegant 
> phrasing of what capabilities are. Cf. the usual sources, including 
> Hardy, Tenenbaum, Miller, etc.)
> 
	[good stuff deleted]

I've been thinking along these lines myself - Tim got to the post
first.

There are two points I'd like to make.

1. The reasons which are publicly aired for installing the current
'security' regime are (in my considered opinion) NOT the 
actual reasons.

US airlines insisting on IDs which match tickets has nothing to 
do with airline security, and everything to do with extracting as
much cash as possible from the public.

Before the Pan Am 800 accident, when people were freer, there
was a secondary market in airline tickets which the original 
purchasers could not, for one reason or another, use. If you
bought a non-refundable return ticket, and then could not
use it, you could sell it to someone who did want to travel
on those dates to that location. The price varied, but was
less than the cost to the repurchaser of buying a ticket from
the airline.

Due to the vast cost differential (up to 10:1) between the cost
of a ticket to fly tomorrow, vs the cost of a 'two week advance,
stay Saturday night' Supersaver, it was actually economic for
large corporations to buy a steady supply of Supersavers, and
hand them out in pairs to execs who had to make quick trips -
it was cheaper to eat the cost of the unused whole or half
tickets than to buy them only when they were needed.

The airlines hated this. The 'you must have a government id
which matches the name on the ticket' rule put an end to
the fungibility of airline tickets, which boosted their bottom
line.

It's got nothing to do with security.

-----------

2. The capability vs credential argument runs all through
security. For example: Signed ActiveX code is using the
credential model, while the Java sandbox uses the capability
model.

Another: 'Trust us not to look at your email without a warrant' 
is the credential model. 'Encrypt your email so they can't look
at it' is the capability model.

Techies tend to prefer the capability model over the credential
model - it not only works, but can be seen to work, and does
not rely on trust. Institutions prefer that people use the 
credential model, since that allows them to change the rules 
at the drop of a hat.  

You can imagine applying the two models to airline passengers,
both of which would act to reduce the frequency of security 
problems:

1. Capability model: You don't need to have ID at all, you can
pay cash on the plane (as I used to do on People Express)
but you'll get searched up the wazoo, and everything down to
a too-sharp pencil confiscated.

2. Credential model: You can take your Glock on board,
provided it's loaded with frangible bullets. However you'll 
have to have biometrically enabled ID from the NRA certifying
that you've taken the 'Guns on Planes' course, a signed
affidavit from a psychiatrist saying you're sane and not
overly excitable, and a note from Mom saying you can.

Both are better from a security point of view than having 
unidentified armed people on board.

Always remember: The *stated* reason an institution puts
a restrictive policy in place does not necessarily 
have anything to do with the *actual* reason the institution
wants to put it in place.

Peter Trei
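To make point 2 concrete, here is a constructed Python sketch, added here and not from Peter's post (and not KeyKOS, E or Java code): a toy file store guarded the credential way, where a central policy table can be edited behind the user's back, beside a capability version where a read-only reference simply has no write operation for anyone to grant.

```python
# Credential model: an identity is presented on every call and a central policy
# table, owned by the institution, decides what it may do. Whoever controls the
# table can change the rules at any time. (Constructed example, not real code.)
POLICY = {"alice": {"read", "write"}, "bob": {"read"}}
class CredentialStore:
    def __init__(self):
        self._files = {}
    def _check(self, ident, right):
        if right not in POLICY.get(ident, set()):
            raise PermissionError(f"{ident} lacks {right}")
    def read(self, ident, name):
        self._check(ident, "read")
        return self._files[name]
    def write(self, ident, name, data):
        self._check(ident, "write")
        self._files[name] = data

# Capability model: no identity check. Holding a reference is the authority,
# and rights are allocated in the reference itself: a read-only capability
# captures only the store's read method, so no later policy edit can add write.
class RawStore:
    def __init__(self):
        self._files = {}
    def read(self, name):
        return self._files[name]
    def write(self, name, data):
        self._files[name] = data

class ReadOnlyCap:
    def __init__(self, store):
        self._read = store.read  # capture only the read authority
    def read(self, name):
        return self._read(name)

def credential_demo():
    store = CredentialStore()
    store.write("alice", "memo", "hello")
    try:
        store.write("bob", "memo", "tampered")  # bob only has "read" so far
        denied = False
    except PermissionError:
        denied = True
    POLICY["bob"].add("write")  # the rules change at the drop of a hat
    store.write("bob", "memo", "tampered")  # alice's memo silently overwritten
    return denied, store.read("alice", "memo")

def capability_demo():
    raw = RawStore()
    raw.write("memo", "hello")
    ro = ReadOnlyCap(raw)  # holder can read, and there is no write to unlock
    return ro.read("memo"), hasattr(ro, "write")
```

The first demo shows the credential check doing its job right up until the table is edited; the second shows that the read-only capability has nothing for a remote rule change to act on.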
