Identity Management is. What is the question? what are risks to mitigate? what are the new risks created by trusting the ID management? what are the new.

Identity Management is

What is the question?

• what are risks to mitigate?• what are the new risks created by

trusting the ID management?• what are the new risks created by

– ID fraud or failure– malicious abuse of ID recovery– denial of service

• You may think you are building one thing but if it works, it will become another

What is the Question?

• Targeted Ads Public Services & Finance

When the Real Merges with the Artificial?

“Identity Providers” Provide

• Fraud prevention & detection• Payment• DRM• Resource allocation• Personalization & price

discrimination• Filtering

Reputations Systems

– Assume strategic behaviors by opponents– Always linked to persistent pseudonym– Low end reputation systems merge with rating

systems•Examples: eBay, slashdot, political blogs, kazaa

– Reputation designs have assumptions about fluidity of community•embeds identity in a community

Bit Torrent

– Swarm downloading– No static reputation– Must upload in order to download– NO assumptions about community

Who Is an ID Provider• Amazon Honor System

• Small payments for web sites not accepting cash• Rollout in the blog and open source communities• Micropayments from pre-established accounts

– Fraud prevention & detection, Payment, Resource allocation– Personalization & price discrimination, Filtering

• FaceBook– Places identity in a community– Available to employers

• martial status, orientation, religion, political interests• cultural indicators• are you one of us?

– Personalization & price discrimination, Filtering, resource allocation?

Rating Systems

• Assume passive acceptance of ratings, active rating parties

• There may be no identity or account information

• Work on “wisdom of crowds” – integration of many low quality signals is better

than a single signal

• Examples: eopinions, Zagats• Web site rating based on shared history and

community behavior

Securing the User: Account Management as Privacy

Service• Series of failed third party payment and

privacy management systems– generate one time credit cards– decrease spam by creating single-merchant emails– protect physical location information– decrease fraud for merchants and subscribers– generate individual credentials

No Single Identity

• Identity systems determine fraud tolerance– any entity with equal or more tolerance will seek

to free ride– any entity with more tolerance will under-invest

in protecting the identifier– identifiers

• free riders• tragedy of the commons• risk shifting

– MySpace

– solving this requires better systems, as well as better regulation

Securing the User on the Network

– Identity based cryptography– Sender ID– Domain Keys– IPv6

Identity Based Cryptography Implications

– If eBay signed all outgoing emails at server, no phishing and no masquerade

– Incoming server could examine email and identify genuine emails, inside the trusted network

– Select customers could be given authentication for customer subgroups

• e.g., Bank of America with Comcast address

– Has the potential to retain the value of the merchant-customer email channel in the face of massive phishing

– Can be implemented ad-hoc

Identity -Based Cryptography

Domain Specific Master [email protected]@[email protected]

– A Master secret key for each domain– Master secret key generates individual keys– Individual keys are distributed using trusted

network– Individual secret key has public key– Anyone can generate the public key knowing the

identity string and master secret key» identity key confirms email, domain association» domain association can confirm other attributes» 20 ms per email for sig/verify» compatible with current email via headers

Microsoft Sender ID

– Check that TCP/IP addresses are correct all along the loop

– Cannot address NAT– Cannot address botnets or subversions

of networks– Requires large-scale coordination for

rollout

Yahoo Domain Keys

– Authenticate DNS with traditional cryptography

– Authenticate emails as sent from domains– Traditional PKI structure– Problematic for political reasons, requires

coordination– In summer of 06, AOL rejected gmail

email because of domain-key based spam

Design for the Network or the Human?

• Start with human trust behaviors• Trust

– Used for simplification– Encompasses discrete technical

problems• privacy, integrity, data security

– Embeds discrete policy problems• business behavior, customer service, quality

of goods, privacy

Usability on the Surface

• Does What we Built Work?– Toolbars, do people pay attention?– Signed Email, tor

• can you install it• can you use it• can you detect it?

– Seals• A triumph of style over substance

– SSL • what is that funny lock and what does it mean?• economics is NOT the same as business

Dominant Trust Communication

Beyond Interface Deep

• Security people may want– surveillance as prevention– information more than privacy provision

• Not built for the way people act– would that be a 7.2 privacy preference?– do you trust more or les than 17%– we’ll helpfully stop you from lying in any circumstance

• With appropriate risk communication, signaling, etc– examination of how humans evaluate risk– computer security -- decision-making under

uncertainty

Security and Processes Business processes Organizational processes Security aligned with users and

processes to the extent that this is possible

Users subvert security when it violates privacy provides nonrepudiation for all actions

(blog, IM) prevents use of media or it is simply in the way human risk behaviours are fairly consistent

trust pictures of faces, discount risks

Trust and Context

Resource VerificationResources are often fairly easy to

identify as “good” or “bad” in physical realms

vs.

Trust and Context

Resource VerificationResources are often fairly easy to

identify as “good” or “bad” in physical realms

vs.

Trust and Context

Fewer signals in economic termsLess usable in design terms

Standing on the Toenails of Giants?

• Economics– Behavioral

• adversaries prefer to limit conflict scope• credible commitment• the advantage of closing off options• tipping• small incentives

– Rational• CENTRALIZED PLANNED ECONOMIES DON’T

WORK• distributed mechanisms, coordination at the low

level

Behavioral Economics implies Usability

– usability studies– involving designers at an earlier level– what do users understand?

• wireless & broadband– wide spread deployment by non-experts– botnets, e.g., home users, major tier 1 threat

– Usability in Depth implies economics• Interface• Interactions• Incentives

– is it rational to design for humans as if they were machines?

• Social context• Human and Organizational requirements

Net Trust Building from Theory

• Using Social Context to Build Digital Context

Beyond Trusted Third Parties

• Giving users their own histories– This is a new site you have never visited– This site has no domain name, just a IP

address• in a more meaningful manner, e.g. alert

– FDIC says this in not a bank– BBB says YUCK– Your friends haven’t visited this site

• As opposed to– Verisign has not approved this

certification

Identity Systems

• Place risk on responsible party– instant credit == instant loss– no distribution of some loses

• the police will not risk liberty to enforce your cheap business plan

• Do not allow risk-shifting to – citizens

• pay for construction, maintenance through taxation• pay for financial failures in personal lives• law enforcement implements prosecution of the

victim or perpetrator of crime• there is no cost to the creator of the risks

Educate the Individual

• Education without empowerment is useless– risk that could be decreased is instead

shifted– empower by design and regulation