From the IDWorkshop mailing list.

There seems to be a lot of activity at the moment around government-driven
identity schemes. In the last few days, I've seen a report on Californian
limitations on RFID-based cards. But being a Brit, what really interests me is the
UK proposals. This has been given a kick by the recent atrocities. And not all in
favour of the ID cards. Even the Home Secretary has admitted on TV that ID cards
and ID systems would not have made any difference.

These are particularly interesting.

One aspect I find fascinating is the problems they are having deciding where the
source of all subsequent trust comes from. What they are falling back on is that
the whole house of cards rests on the integrity and accuracy of the National
Identity Register which is the underlying database. But they are using security by
obscurity (or simple political spin) to avoid explaining how this integrity is
maintained. As El Reg so eloquently puts it:

"Effectively, it's a system which by design puts all of its eggs in one basket,
and is dependent on that basket being made impregnable via measures which the
Government will never reveal or discuss. Trust us..."

This reminds me of the problems and process of obtaining SSL Certs from the major
Cert suppliers. All they were ever really proving was that whoever ordered the
Cert could work a fax machine. But having done that, the Cert could then be used to
verify the identity of the holder. So IMHO, the whole trust tree surrounding web
certs rests on a dubious premise and really just looks like a mechanism for
charging fees. This doesn't stop SSL working, but it does limit its usefulness.

I can understand how PGP's web of trust works. What I can't understand is how any
tree structured ID trust system can work. It feels like "turtles all the way
down". Eventually you get to some body that claims ultimate accuracy. But in the
real world, they can't.

Back to politics: while this is happening, two pledges have started.
"I will refuse to register for an ID card and will donate £10 to a legal defence
fund but only if 10000 other people will also make this same pledge." 10724 people
have signed.
"I will actively support those people who, on behalf of all of us*, refuse to
register for an ID card, and I pledge to pay at least £20 into a fighting fund for
them but only if 50000 other people will too."
A mere 190 signatures.

[ 29-Jul-05 10:06am ]