By Rohan Pinto on Dec 20, 2005
In today's world, where we all talk so much about identity management, identity theft and security, we get blindsided by the framework that dictates the workflow. We all have our arguments and justifications of how identity management can enable security and also inadvertently lower the risk of identity theft.
Mark Dixon has a very nice post on identity problems. Sara Gates has a nicer one on "accelerate without fear", Robin Wilton has one on "identity fraud, not as we know it". All said and done, there's also the much talked about InfoCard, and Microsoft's definitions of the "Laws Of Identity".
"Data breaches are a security concern, just as are stolen laptops (some of which hold identity data). But, so far, none have been shown to lead to identity fraud. There are few if any cases in which identity data was deliberately stolen in an online transaction." That is from a post titled "How real is the threat of ID theft when holiday shopping online?" Is he kidding by saying "There are few if any cases in which identity data was deliberately stolen in an online transaction"?
Yes, the holiday shopping period can be considered "approached" rather than "soon approaching". I have found myself shopping online like crazy... AND THEN !! I read Dave Mathews' report on "Man In The Middle Attack". Hey, SSL is good and that's what I relied on all this while when I shopped online... SSL specifications were initially drafted by Netscape, & the Sun-Netscape Alliance released the PKI Library Source Code to the community in 2000. Microsoft adopted it too (someone correct me if I'm wrong here) and Internet Explorer was built to support HTTPS transport.
Well, but after hearing Dave Mathews' report on "Man In The Middle Attack", I am a bit reluctant to use Internet Explorer without being 100% sure of the security that the application itself provides me with.
So: Is Identity Theft all about ensuring the authenticity of the "user/consumer"? What about the Applications and Service Providers and their authenticity? Should it not be a two way trust? I understand the fact that service providers need to ensure that the user is who he/she claims to be, but at the same time I believe that the user also needs to be able to trust the service provider and the transport layer in between. What IF I inadvertently provide my "valid" credentials to someone I believe to be a service provider? Well, it's the "Man In The Middle" that I'm worried about. Identity Management frameworks today are all about protecting the interests of the "service providers". But what about us, the consumers? Has anyone given a thought to that?
Bill Gates had made an announcement about Vintela being the Microsoft preferred vendor for extending Microsoft management technologies to Unix, Linux, and Macintosh systems. HEY !!! When Microsoft could not get an SSL implementation in Internet Explorer right, would I trust them to do "Identity Management"? And that too with Active Directory as the backend?
What IS clear is that Microsoft bought one of the first "metadirectory" companies (Zoomit) and is using their technology bits to build interfaces between Active Directory and the rest of the world. HEY !! Didn't Kim Cameron come with it? (No offense, Kim.) (Hint: remember, Sun bought Innosoft, and I believe that Innosoft was also a forerunner in the "metadirectory" space.)
WOW !! I'm already SO lost in my OWN POST.... (I need a technical writer to help me I guess...)
But however, my basic point is... WHO DO I TRUST ?
YOU TRUSTING ME COMES LATER....
UPDATE: If I had the assurance that the service provider I was interfacing with was using a SECURE COMPUTING structure and/or framework, I'd be more trusting of the vendor/service provider I'd deal with... (hint hint hint... see Sun's Suite Of Security Products...)