Forwarded from: JohnE37179at_private

In a message dated 10/15/01 4:02:54 PM, isnat_private writes:

<< privacy professionals appear unable to put the security and
> privacy to-dos in the proper context for people who manage
> sensitive information. Why? Security people have never been known
> to distinguish

Says who? >>

It seems to me that the "security experts" have consistently confused identification with authentication. All of the existing authentication technologies can be easily utilized to perpetrate identity frauds. In fact, they all enable identity frauds.

There are three distinctly separate functions that are often overlooked.

Identification: identifying someone's name (not simply accepting what you are told is someone's name). This is a very difficult process and the simple excuse is that this is a wet brain problem not suitable for the digital world. This is not true. Identifying a device or a thing or a password is not identifying a person or user.

Recognition: Have I seen this person before, whether or not I know his name. Biometrics do this well.

Authentication: After being certain of a person's real identity (not necessarily the one he gives me) I can allow him an encryption key, PKI, enroll him with a biometric or password.

All three functions must be performed for user security to exist.

John Ellingson
CEO
Edentification, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 04:17:22 PDT