Future of the Internet Symposium: Identity
posted by Steven Bellovin
Zittrain’s book mentioned en passant that unlike the closed, proprietary services, the Internet has no authentication; he also suggests that this is tied to the alleged lack of consideration for security by the Internet’s designers. I won’t go into the latter, save to note that I regard it as a calumny; within the limits of the understanding of security 30 years ago, the designers did a pretty good job, because they felt that what was really at risk — the computers attached to the net — needed to protect themselves, and that there was nothing the network could or should do to help. This is in fact deeply related to Zittrain’s thesis about the open nature of the Internet, but I doubt I’ll have time to write that up before this symposium ends.
The question of identity, though, is more interesting; it illustrates how subtle technical design decisions can force certain policy decisions, much along the lines that Lessig set forth in Code. We must start, though, by defining “identity”. What is it, and in particular what is it in an Internet context? Let me rephrase the question: who are you? A name? A reputation? A fingerprint? Some DNA? A “soul”?
Tolkien probably expressed the dilemma best in a conversation between Frodo and Tom Bombadil in Lord of the Rings:
‘Who are you, Master?’ he asked.
‘Eh, what?’ said Tom sitting up, and his eyes glinting in the gloom. ‘Don’t you know my name yet? That’s the only answer. Tell me, who are you, alone, yourself and nameless?’
We are, in some sense, our names, with all the baggage appertaining thereto. For some web sites, you can pick an arbitrary name and no one will know or care if it’s your legal name. For other purposes, though, you’re asked to prove your identity, perhaps via the oft-requested “government-issued photo ID”. In other words, we have a second player: an authority who vouches for someone’s name. This authority has to be mutually trusted — I’m not going to prove my identity to Mafia, Inc., by giving them my social security number, birthdate, etc., and you’re not likely to believe what they say. Who is trusted will vary, depending on the circumstances; a passport issued by the government of Elbonia might be sufficient to enter the US, but MI-6 would not accept such a document even if it were in the name of James Bond. This brings up the third player: the acceptor or verifier.
When dealing with closed, proprietary networks, the vouching authority and the acceptor are one and the same. More to the point, the resources you are accessing all belong to the verifier. The Internet, though, is inherently decentralized. It is literally a “network of networks”; no one party controls them all. Furthermore, the resource of most interest — end-systems — may belong to people who don’t own any networks; they just buy connectivity from someone else. Who are the verifiers?
A biometric — fingerprints, DNA, retina prints, even “soul prints” — doesn’t help over the net. The verifier simply sees a string of bits; it has no knowledge of where they’re from. You may authenticate yourself to a local device via a biometric, but it in turn will just send bits upstream.
Because of the decentralized nature, there is no one verifying party. I somehow have to authenticate to my ISP. In dial-up days, this was done when I connected to the network; today, it’s done by physical connection (e.g., the DSL wire to your house) or at network log-in time in WiFi hotspots. My packets, though, will traverse very many networks on the way to their destination. Must each of them be a verifier? I can’t even tell a priori what networks my packets will use (see the previous discussion on interconnection agreements); I certainly don’t have business relationships with them, nor do I know whom they will consider acceptable identity vouchers.
This isn’t just a performance issue, though I should note that verifying every packet in the core of the Internet was well beyond the state of the art 30 years ago, and may still be impossible. It is an architectural limitation, stemming from the decision in the late 1970s to avoid a centrally-controlled core.
The design of the Internet dictates that you are only strongly authenticated to your local host or site. Anything beyond that is either taken on faith or is done by end-to-end authentication. That, though, is exactly how the Internet was designed to operate, and it doesn’t assume that any two parties even have the same notion of identity. My identity on my phone is a phone number; my login on my computers is “smb”; my university thinks I’m smb2132; Concurring Opinions knows me by my full name. Which is correct? Any and all — the Internet is too decentralized for any one notion of identity. Had the designers created a more centralized network, you might indeed be able to authenticate to the core. But there is no core, with all of the consequences, good and bad, that that implies.
(This is my last post of the symposium. I’ll be offline for a few days; when I come back online, I may add a few comments. I’ve very much enjoyed participating.)
September 8, 2010 at 7:03 pm
Posted in: Symposium (Future of Internet)