In todays world, where we all talk so much about identity management, identity theft and security, we get blindsided by the framework that dictates the workflow. We all have our arguments and justifications of how identity management can enable security and also inadvertently lower the risk of identity theft.
has a very nice post on identity problems
. Sara Gates
have a nicer one on "accelerate without fear
", Robin Wilton
has one on "identity fraud, not as we know it
". All said and done, there's also the much talked about infocard
, and Microsofts definitions of the "Laws Of Identity
I was reading between Sara Gates response
to Dave Kearns post on Identity Theft
. when I stumbled on Kim Camerons
post on "Identity Information Theft versus Identity Theft
But hey !! hold on a second here... I just didnt get Dave
's point... Dave
goes on to say
Data breaches are a security concern, just as are stolen laptops (some of which hold identity data). But, so far, none have been shown to lead to identity fraud. There are few if any cases in which identity data was deliberately stolen in an online transaction.
in a post titled "How real is the threat of ID theft when holiday shopping online
?" is he kidding by saying "There are few if any cases in which identity data was deliberately stolen in an online transaction"
Yes, The Holiday shopping period can be considered "approached" rather than "soon approaching". I have found myself shopping online like crazy... AND THEN !! I read Dave Mathews
on "Man In The Middle Attack
". Hey SSL
is good and thats what I
relied on all this while when I shopped online... SSL specifications
were initially drafted by Netscape
, & the Sun-Netscape Alliance released the PKI Library Source Code
to the community on 2000. Microsoft adopted it too (someone correct me if i'm wrong here)
and Internet Explorer was built to support HTTPS transport
Well but after hearing the Dave Mathews
on "Man In The Middle Attack
", I am a bit reluctant to use Internet Explorer
without being 100% sure of the security that the application itself provides me with.
So: Is Identity Theft all about ensuring the authenticity of the "user/consumer". What about the Applications and Sevice Providers and their
authenticity ?. Should it not be a two way trust? I understand the fact that service providers need to ensure that the user is who he/she claims to be, but at the same time I believe that the user also needs to be able to trust the service provider and the transport layer in between. What IF
I inadvertently provide my "valid" credentials to some I believe to be a
service provider ? Well, it's the "Man In The Middle
" that I'm worried about. Identity Management frameworks today are all about protecting the interests of the "service providers". But what about us the consumers? has anyone given a thought to that ?
had made an announcement
being the Microsoft preferred vendor for extending Microsoft management technologies to Unix, Linux, and Macintosh systems. HEY !!! when Microsoft could not get a SSL implementations in Internet Explorer right, would I trust them to do "Identity Management
" ? and that too with Active Directory as the backend
What IS clear is that Microsoft bought one of the first "metadirectory" companies (Zoomit) and is using their technology bits to build interfaces between Active Directory and the rest of the world.
HEY !! Didnt Kim Cameron come with it ::no offense Kim.
? (hint: remember: sun bought innosoft, and I believe that innosoft was also a forerunner in the "metadirectory" space.)
Didnt Kim Cameron
propose the Identity Metasystem
SO: Is the Identity Metasystem based on an Active Directory
backbone and Internet Explorer Integration in mind ? (I'm not theorizing a conspiracy or anything here... I'm just thinking out loud)
WOW !! I'm already SO lost in my OWN POST.... (I need a technical writer to help me I guess...)
But however, my basic point is... WHO DO I TRUST ?
YOU TRUSTING ME COMES LATER....
If I had the assurance that the service provider I was interfacing withg was using a SECURE COMPUTING
structure and/or framework, I'd be more trusting of the vendor/service provider i'd deal with... (hint hint hint... see Sun's Suite Of Security Products...)