Re: [ISN] Info Security 'Teachers' Need More Learning

From: InfoSec News (isnat_private)
Date: Wed Oct 17 2001 - 01:08:20 PDT


    Forwarded from: JohnE37179at_private

    In a message dated 10/15/01 4:02:54 PM, isnat_private writes:

    << privacy professionals appear unable to put the security and
    > privacy to-dos in the proper context for people who manage
    > sensitive information. Why? Security people have never been known
    > to distinguish
    Says who?  >>

    It seems to me that the "security experts" have consistently confused
    identification with authentication. All of the existing authentication
    technologies can be easily utilized to perpetrate identity frauds. In
    fact, they all enable identity frauds. There are three distinctly
    separate functions that are often overlooked.

    Identification: identifying someone's name (not simply accepting what
    you are told is someone's name). This is a very difficult process and
    the simple excuse is that this is a wet brain problem not suitable for
    the digital world. This is not true. Identifying a device or a thing
    or a password is not Identifying a person or user.

    Recognition: Have I seen this person before, whether or not I know his
    name.  Biometrics do this well.

    Authentication: After being certain of a person's real identity (not
    necessarily the one he gives me) I can allow him an encryption key,
    PKI, enroll him with a biometric or password.

    All three functions must be performed for user security to exist.

    John Ellingson
    Edentification, Inc.