Information Security News
mailing list archives
Re: Info Security 'Teachers' Need More Learning
From: InfoSec News <isn () c4i org>
Date: Wed, 17 Oct 2001 03:08:20 -0500 (CDT)
Forwarded from: JohnE37179 () aol com
In a message dated 10/15/01 4:02:54 PM, isn () c4i org writes:
<< privacy professionals appear unable to put the security and
privacy to-dos in the proper context for people who manage
sensitive information. Why? Security people have never been known
Says who? >>
It seems to me that the "security experts" have consistently confused
identification with authentication. All of the existing authentication
technologies can be easily utilized to perpetrate identity frauds. In
fact, they all enable identity frauds. There are three distinctly
separate functions that are often overlooked.

Identification: identifying someone's name (not simply accepting what
you are told is someone's name). This is a very difficult process and
the simple excuse is that this is a wet brain problem not suitable for
the digital world. This is not true. Identifying a device or a thing
or a password is not identifying a person or user.

Recognition: Have I seen this person before, whether or not I know his
name? Biometrics do this well.

Authentication: After being certain of a person's real identity (not
necessarily the one he gives me), I can allow him an encryption key,
PKI, or enroll him with a biometric or password.

All three functions must be performed for user security to exist.
ISN is currently hosted by Attrition.org