The Register® — Biting the hand that feeds IT

Of Infocard: Who keeps an eye on the guardians?

Mary Branscombe

Trusting the trusted third parties? 

The higher value certificates proposed for InfoCard - and for the IE 7 phishing filter, and which other browser developers are evaluating - are one attempt to improve on devalued certificates. The lock in the IE status bar tells you nothing about the site you're connecting to, just that you've got a nice secure connection to whatever it happens to be. The plans for the high-security SSL certificates are that a business might have to supply the history of their company bank account, they might need to give a power of attorney to say that John Smith in the web development team is allowed to apply on behalf of the bank. The idea is not to rely so much on trusting the registrars as on having a trusted and secure process. And once there are higher-security certificates we'll need to expect businesses to get them or give us consumers a good reason why they haven't.

One problem with using PKI certificates is that they don't allow anonymity; one area both InfoCard and Higgins want to support. As Paul Trevithick puts it, "if we use today's certificates we'll build a digital wake that leads back to the poster". PKI certificates give everybody an id that's technically secure - but they don't give us much help with limiting the information we disclose. And certainly, they're not accessible to the average naive user. Nick and I could probably find someone in between us who we both trust enough to certify our reputations. But with the identity metasystem we could use the eBay, Amazon or Slashdot reputations we've acquired as identities.

And because the identity metasystem interconnects identity systems rather than replacing them, if you want to interact with PKI certificates to allow access to your site, you could do it with an STS. The identity metasystem will give sites more of a choice of identity providers; a site can accept Open IDs or NetMesh InfoGrid LIDs or PKI certificates or all of the above without having to code up for them all individually. Abstracting what an identity is from who certifies it makes identity far more flexible and useful. Verisign is signing up for it - but they don't have to be the identity provider we all use.

Kim Cameron

PGP, InfoCards, reputation and trust

Mary Branscombe did a first rate job of figuring out and communicating what InfoCards are intended to do and how they work. I want to thank her.

I agree that it would be nice to have PGP support for InfoCard. I ran into a number of my old friends from PGP at a couple of conferences recently and we have scheduled a meeting to brainstorm moving this forward.

One of the design goals we achieved in the InfoCard architecture is complete openness with respect to the format of security tokens. So PGP encodings can be used basically unchanged between InfoCard "Identity Providers" and "Relying Parties" (e.g. web sites), and don't have to be dressed up in X.509 or SAML uniforms, as someone once put it! (Not to diss these formats either!)

In terms of high assurance certs, it's worth looking at the reports of the Anti-Phishing Working Group such as http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf. You'll see that 90% of phishing attacks take place against the financial sector. We need ways of giving people better mechanisms for discovering that scammers are at work. High assurance certificates require the certifying body to do real due diligence about a web site's claims - and to assume a fiduciary responsibility for getting it right. I don't think anyone can be against this.

On the other hand, the world, as you know, is not actually one-size-fits-all, and such extended due diligence isn't warranted for everyone who wants to assert an identity on the web. Conventional certificates work pretty well for "the long tail" of web sites and blogs. They don't cost much either.

You could (and will) have other mechanisms for providing reputation that aren't based on certificates at all. InfoCards in fact put it within the reach of any professional association to issue "reputation" claims about a subject. They could well operate such reputational identity providers, as they often do in the brick world.

In fact, I've seen proof of concepts where people are building these things today.

So moving up a level, I agree with much of what is being said here, and urge you to look at InfoCards as a way of enabling precisely the things you are talking about. Above all, consider the fact that the technology is open to any identity and security technology - and your interest in PGP should lead you to understand why this is so important.

For more information on these matters, and to follow the way they evolve, I invite your readers to check out http://www.identityblog.com.

I love the Register,

Kim

Anonymous Coward

who whatty what what??? 

I think (I may be wrong) that the latin 'Quis custodiet ipsos Custodies' means "Who watches the watchmen" or "Who guards the guards" and er, not 'who keeps an eye on the guardians' not even in a loose translation. Juvenal of me to bring it up I know..... :O)

Apart from that a nice piece....

David Norfolk

Mea Culpa 

Yes, my translation is "cod Latin" (or cod translation) - I did google the correct translation first (you are right, airi, but I hated Latin at school) and I was fishing for Mary Branscombe (who has really studied Latin) to CaRP. But at least someone noticed <grin>

David Norfolk

Kim Cameron, Welcome! 

Nice to see you here and good comments - thanks. Just one small point - I'm much more worried about fraud and identity theft (I used to be in internal control in a large bank) than hacking.

I see your point when you say "such extended due diligence isn't warranted for everyone who wants to assert an identity on the web" but I'm not sure I agree (although implementation is an issue). Surely, "identity" is a "yes/no" thing?

I am, absolutely, who I say I am; or I'm not. If an extended due diligence "david norfolk" identity can be floating around at the same time as "david norfolk" based on an unwarranted assertion, a fraudster, it seems to me, can convince a victim that the weak id is actually the strong id and impersonate me. It's what they do and it could break the trust in "identity" that we need...

Weak identities, such as mickey-mouse passwords for every commercial website, tend to devalue the identity concept as a whole, IMHO. Not just technically (that might be addressable), but socially/culturally...

Kim Cameron

Cod Latin 

Given the mastery of Cod Latin demonstrated on these pages, many must have studied the other philosophic and scientific arts as well, so I am loath to intervene except en passant. Unfortunately, however, this won't stop me.

I don't think it is reasonable to expect a person to present an identity which reveals a lot about themselves in order to be able to read, for example, the Register. And in fact, to your credit, you don't. Similarly, in order to post a comment to the Register, readers simply have to demonstrate they own the email address they say they own. Due diligence of some sort is done - but not at a very deep level. I doubt you would ask us for our social insurance numbers or passport numbers before you let us post - and if you did, I doubt we would turn them over.

All this just to say that the kind of "due diligence" and even linkage to a real world identity that is appropriate in any given context is very much a product of the requirements of the moment and the relationships in play.

Certainly, there are contexts in which we, as individuals, require the very strongest forms of identity. This implies strong proofing and strong cryptography.

However, I don't accept the implication that every internet site should then adopt the security procedures and processes essential to top assurance sites such as the large banks you are talking about. It's the don't-cry-wolf problem. For one thing, people just won't do it. They won't understand how the processes serve their self-interest, and will not play. I've never seen this approach to security issues succeed.

So, we need to support identities and mechanisms appropriate to a number of different contexts.

This being said, more than anyone else on the planet, I despise passwords, and agree with you we should work for their abolition. That's what my InfoCard work is all about.

David, as an influential person well versed in security who can really help alter the equations around identity, I hope you will support those of us who are trying to innovate in a number of ways, but don't think the right thing to do is tell the world to throw out the whole conventional https infrastructure. We need a bunch of mechanisms, and to let the more effective ones win out over time.

High assurance certs, as imperfect as they might be, are one new mechanism; but above all, there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association.

I do not think there is a lot of disagreement between what we are each attempting to achieve. I hope we can work on this together going forward.

David Norfolk

Federated Identity? 

Kim - "I do not think there is a lot of disagreement between what we are each attempting to achieve" - no indeed - and you're actually helping to build it, I'm just commenting.

I dislike passwords too - but they're not much different to a signature, as long as we stop believing that a "strong password" actually means "strong identity" in practice - any more than we believed that anyone actually checked our credit card signature very carefully.

And no, I really don't want El Reg to ask for retinal scans before people can post here (as an aside, I believe that affordable, commodity, biometrics aren't usually foolproof anyway - I think a jelly finger can fool PC fingerprint readers, eg).

What I want is something more like real-world identity. I meet you, I assume that you are who you say you are, with an informal check via context (if I meet you at a Microsoft Press Conference I'll be more confident than if I meet you at a Wiltshire pub); if I need to send you money, then I'll dig further.

So, for this Blog exchange, weak identity is good enough. If we now enter a business relationship (journalist - Microsoft employee, well dodgy <g>) I don't want to switch to a different high-assurance identity system and possibly advertise that I'm doing business with Microsoft <g>, I want to dig deeper into a net of IDs - are you the Kim at the conference Mary was at, do you actually work for Microsoft on the payroll or are you simply consulting, have you written the books and articles authored by "Kim Cameron", are you on the electoral roll for your town - and eventually, if it's serious enough, will your bank or government vouch for your Identity - and guarantee the transaction. The point is, that it is mostly public domain stuff and I stop as soon as I'm satisfied, for my purposes.

If I have automated assistance, a machine might notice patterns associated with building a fake identity and suggest further unusual correlations to check - adaptive id checking. Mostly, id checking would stop quickly, when it reached something I trusted, in the context of what I was trying to do.

Any one of these bits of ID you can fake but faking the whole web would be difficult, as you don't know what checks I'd make - and there isn't one point of ID for a fraudster to attack. Of course, you really do need process and technology to facilitate this - and a good underlying model.

Does this make any sort of sense? It seems to fit with what you say: "there are the identity metasystem and visualization components, together allowing new forms of reputation animated from the bottom up and through organic association".

"I hope we can work on this together going forward" - I'm sure we can, but UK journalists are supposed to question (ie "test") everything, even when we are in basic agreement with it...

David Norfolk

PS (federated identity)... 

It strikes me that what I've just posted might look inconsistent with my previous comment. Perhaps I didn't express it well in my earlier post - one of the problems with blogging as opposed to face-to-face discussion or formal article-writing!

I don't like institutionalised "weak identities" such as mickey-mouse passwords with zero due-diligence - but providing a less-assured ID as part of an ID system which lets you add assurance reliably, as and when it becomes sensible to do so, isn't "weak identity" in my book.