dotgnu-auth

Re: [Auth]Greetings...


From: John Pugh
Subject: Re: [Auth]Greetings...
Date: Tue, 23 Oct 2001 09:50:15 -0600

Zero Knowledge implemented a system that is identical to Novell's Digitalme. 
With Digitalme a user can have multiple identities and choose who sees what 
information, if any.

It provides all this through a directory called eDirectory. The directory has all 
the methods mentioned in earlier threads that allow for multiple auth methods 
and already has fault tolerance, replication and is built on multiple open 
standards.

The one thing I'm seeing with this effort is that one thing is missing. The 
foundation for any effort such as this is a directory. A database can be 
modified to provide some capabilities of a true directory service, but it will 
never be optimized and as complete as a directory...no matter how many people 
put time into creating it. Novell's eDirectory already has what you are 
attempting to create from a database. It is already optimized for reading 
information, has self management capabilities built-in, has multiple 
authentication methods as well as fault tolerance through replication.

What's missing is the personal aspect. What's needed is the ability to have a 
personal directory and choose what, if anything, you want others to see. This 
aspect is what is missing from those ventures such as liberty and passport (and 
digitalme...for now).

So ".Net" is pretty useless...we've seen that. dotgnu is the effort that needs 
to look at the personal side since the biz side is fairly wrapped up and it 
must look at the integration side since there is NO one system that can do the 
complete job.

JP

>>> Mike Warren <address@hidden> 10/19/01 04:04PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I just joined this list and haven't seen any traffic yet, so this is
sort of a test ;)

I am interested in seeing a system like that implemented (and recently
discontinued) by Zero Knowledge (see http://opensource.zeroknowledge.com for
some code).

Basically, it allowed one to create anonymous identities (they called
these ``Nyms''). These were used with the rest of their system, mostly
for encrypted email. The interesting aspects of their system:

. there was an untraceable way to purchase Nyms via a ``nym-token'' sort
  of digital cash -- one bought some nym tokens with a credit card or
  cash and then later redeemed these tokens for a Nym (or whatever else
  one could buy with the nym-tokens).

. It was not possible to determine who owned which Nym, nor where the
  person using a Nym was on the network. ZK maintained a system of
  servers (freedom.net) to accomplish this. The code for these servers
  is GPL.

I think the ZK system would mesh well with what I understand the goals
of DotGNU (especially the Virtual Identities stuff) to be. On the
free-developers list, I proposed an authentication system modeled
after the ZK freedom network.

For those who haven't read those posts, briefly:

. multiple authorities could issue identity certificates

. each user would typically have lots of different identification
  certificates, each reflecting a different amount of information
  revealed (i.e. one might contain just a name, one might also have an
  address, one might also have a credit card).

. DotGNU-services companies would decide how much they trust each
  certificate-issuing authority.

. DotGNU-service providers would obtain information about users
  through their certificates. A DotGNU provider would never have to
  maintain personal information in a database. (If the service-provider
  needs information about subscribed users [i.e. a login-id], then the
  service provider issues their own certificate to the user with such
  information; then they must only keep a database of valid login-ids).

. certificates would be encrypted.

. users have much choice: they could issue themselves certificates for
  use where providers don't need a trusted provider, or choose to get a
  certificate from a highly-trusted provider. For example, the FSF might
  be a certificate-provider which has some method of showing that users
  are who they say they are (perhaps via a small credit-card
  transaction system like PayPal uses).

This addresses the following goals of DotGNU:

. users have sole control over how much information they provide

. providers can insist on verified information, if they like. This
  gives service-providers a lot of confidence in their transaction, and
  would allow for, for example, anonymous users paying via credit
  card. How?  A trusted-certificate provider -- after verifying a
  particular user is who they say they are -- could issue a sort of
  digital-cash token which could be redeemed at the
  service-provider. The service-provider never has to know the true
  identity of the user; they just have to be satisfied that the
  certificate-provider has billed the user correctly. This means users
  would only have to trust ONE authority with their credit-card
  information, instead of trusting everyone with whom they do business.

. such a system might quickly gain ground; it has significant
  advantages over Microsoft's system (anonymity, user-confidence,
  multiple identity providers).

. allows a convenient system for authentication within the DotGNU
  user/provider framework (just the sending of a certificate).

Of course, I've left out many details (which I haven't really fleshed
out myself). I'm not a cryptography expert, but what understanding I
have leads me to believe that such a system could be made workable and
secure.

Best of all, there is existing GPL code for at least part of the
system (the anonymizing-network) and numerous white-papers (at ZK)
outlining security concerns and potential and actual workarounds.


Anyway. This turned out a little longer than I expected ;) A little
about me:

I am a 24-year-old recent comp.sci graduate currently working at a
pipeline company doing leak-detection in Calgary, Alberta. I would be
keen to work on a virtual-identities system if it looks like a Good
Thing.

Cheers,

- -- 
address@hidden 
<URL:http://www.mike-warren.com>
GPG: 0x579911BD :: 87F2 4D98 BDB0 0E90 EE2A  0CF9 1087 0884 5799 11BD


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard 
<http://www.gnupg.org/>

iD8DBQE70KODEIcIhFeZEb0RAgKTAKC1aHDF5Aa1p3SG8l9irb6riet+mgCfWRkq
kphXVtThzS2fr9NRYnAg2+I=
=TT2L
-----END PGP SIGNATURE-----
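The certificate scheme sketched in Mike Warren's bullets above (several issuers, several certificates per user each revealing a different amount, providers deciding per issuer how much to trust, self-issued certificates where no trusted issuer is needed) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from DotGNU, Zero-Knowledge Systems or either poster. Everything in it is an assumption for illustration: the JSON wire format, Ed25519 as the signature scheme, the issuer names "fsf" and "self", the attribute names and the "tok-1234" card token, and the function names Issue, Accept and Choose.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Certificate is the hypothetical wire format assumed here: an issuer name, the
// attributes the holder chose to have certified, the issuer's public key, and
// an Ed25519 signature over those three fields.
type Certificate struct {
	Issuer     string            `json:"issuer"`
	Attributes map[string]string `json:"attributes"`
	IssuerKey  ed25519.PublicKey `json:"issuer_key"`
	Signature  []byte            `json:"signature,omitempty"`
}

// payload is the canonical byte string the signature covers: the certificate
// minus its signature. encoding/json sorts map keys, so equal attribute sets
// always encode identically; c is a copy, so the caller's value is untouched.
func payload(c Certificate) []byte {
	c.Signature = nil
	b, _ := json.Marshal(c) // strings, a string map and byte slices cannot fail
	return b
}

// Issue signs exactly the attributes the holder asked to have certified, under
// the key of whoever issues: a third party such as the FSF in the post, or the
// user herself. One user may hold several such certificates.
func Issue(issuer string, priv ed25519.PrivateKey, attrs map[string]string) Certificate {
	c := Certificate{Issuer: issuer, Attributes: attrs, IssuerKey: priv.Public().(ed25519.PublicKey)}
	c.Signature = ed25519.Sign(priv, payload(c))
	return c
}

// Provider is a service with its own trust policy: the issuers it recognises
// (pinned by key), whether it also accepts self-issued certificates, and the
// attributes it needs before serving a request.
type Provider struct {
	TrustedIssuers     map[string]ed25519.PublicKey
	AcceptSelfIssued   bool
	RequiredAttributes []string
}

// Accept checks a presented certificate against the policy and returns the
// certified attributes, which is all the provider ever learns about the user.
func (p *Provider) Accept(c Certificate) (map[string]string, error) {
	if len(c.IssuerKey) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("malformed issuer key") // ed25519.Verify would panic
	}
	pinned, known := p.TrustedIssuers[c.Issuer]
	if known && !pinned.Equal(c.IssuerKey) {
		return nil, fmt.Errorf("certificate claims issuer %q but carries another key", c.Issuer)
	}
	if !known && !p.AcceptSelfIssued {
		return nil, fmt.Errorf("issuer %q is not trusted here", c.Issuer)
	}
	if !ed25519.Verify(c.IssuerKey, payload(c), c.Signature) {
		return nil, fmt.Errorf("signature does not cover these attributes")
	}
	for _, want := range p.RequiredAttributes {
		if _, ok := c.Attributes[want]; !ok {
			return nil, fmt.Errorf("certificate lacks required attribute %q", want)
		}
	}
	return c.Attributes, nil
}

// Choose is the user's side of minimal disclosure: from a wallet of
// certificates, present the acceptable one that reveals the fewest attributes.
func Choose(wallet []Certificate, p *Provider) (Certificate, bool) {
	best, found := Certificate{}, false
	for _, c := range wallet {
		if _, err := p.Accept(c); err != nil {
			continue
		}
		if !found || len(c.Attributes) < len(best.Attributes) {
			best, found = c, true
		}
	}
	return best, found
}

func main() {
	fsfPub, fsfPriv, _ := ed25519.GenerateKey(rand.Reader) // assumed trusted identity provider
	_, selfPriv, _ := ed25519.GenerateKey(rand.Reader)     // the user as her own issuer
	wallet := []Certificate{ // constructed: one person's certificates
		Issue("self", selfPriv, map[string]string{"nick": "mw"}),
		Issue("fsf", fsfPriv, map[string]string{"name": "Mike Warren"}),
		Issue("fsf", fsfPriv, map[string]string{"name": "Mike Warren", "card": "tok-1234"}),
	}
	forum := &Provider{AcceptSelfIssued: true, RequiredAttributes: []string{"nick"}}
	shop := &Provider{TrustedIssuers: map[string]ed25519.PublicKey{"fsf": fsfPub}, RequiredAttributes: []string{"name", "card"}}
	c, _ := Choose(wallet, forum)
	fmt.Println("forum sees", c.Attributes) // only the nick
	c, _ = Choose(wallet, shop)
	fmt.Println("shop sees", c.Attributes) // name and card, from the pinned issuer
}
```

Two caveats a practitioner would add before building on this. First, nothing here binds a certificate to the party presenting it, so anyone who captures one can replay it; the post's "certificates would be encrypted" protects them in transit, but a real design also embeds the holder's own public key and makes the provider demand a fresh proof of possession. Second, an issuer name means nothing unless the provider has pinned its key: a forum that accepts self-issued certificates must treat a certificate labelled "fsf" as just another self-signed one, which is exactly what Accept does above. Expiry and revocation are left out entirely.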