Greg Jorgensen wrote: > Crispin Cowan wrote: > >> The State may not have jurisdiction over SSC's, but it can have >> jurisdiction over what kind of authentication various state-regulated >> and state-operated orgs use. For instance, it would be easy for the >> State to outlaw any state agency using SSC's for authentication. > > Hmmm... I'm not so sure. For purposes of taxation the various state > tax agencies are so hooked into the IRS that they probably can't > extricate themselves. But states could legislate on their own use of > SSCs and leave tax collection as an exception. But we don't have to get the State off SSC's; we just have to get them to stop using SSC's as authenticators. SSC's are guaranteed globally unique, which makes them fine identifiers. > As I mentioned before the Federal Privacy Act appears to establish > some Federal jurisdiction over identity number systems and privacy of > personal records. State laws would have to fit into that framework, > and with other Federal laws that address privacy and the use of > identification systems. Do these laws actually speak to the issue of authenticators? > Do we really want privacy laws written at the state level, though? No, not really. It just so happens that the state guy is listening this week. The ideal place to do this is at the Federal level. > For comparison, state-by-state anti-spamming laws work to some degree, Really? I thought they were pretty much a joke. The major impact of state spam laws is that about 2% of the spam I get has a list of states with anti-spam laws that says "this message not intended for residents of ..." as if that made any difference. > I think Federal legislation with some teeth might make more sense. > Federal legislation could limit the Federal government's abuses of > privacy, and at least set a minimum level for parallel state laws. > State-level legislation would serve mainly to limit that state's own > use and abuse, and to provide for state-level enforcement (because > dragging a state government into Federal court is not a practical > solution for most plaintiffs). The neat thing about my Swiftian proposal is that it doesn't actually require any laws. It just says "We are going to devistate this despicable practice on this date ..." and watch people scramble. There's no way to stop it, short of legal prohibition against the publication. Come to think of it, we don't even need the State to do it at all. All it takes is some civil disobedience to publish a web site on an off-shore host that gives out as many SSC's as possible, and make sure it gets a lot of press. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:46:15 PDT