Drew Wagar's Weblog.


Tuesday October 11, 2005

 Sxip Identity 2.0 Preso

Far be it from me to promote another company here in my blog ;-), but Sxip Identity's Dick Hardt has made a fantastic preso which bears distribution as a standalone 'Where next for Identity'.

Essential viewing, and fun.

My favourite line is "And usernames and passwords are really cool! They prove you are....

...an entry in a directory!" Class. :-)

Click here.

( Oct 12 2005, 12:33:37 PM BST / Oct 11 2005, 05:37:44 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/sxip_identity_2_0_preso

 ID Cards and the NIR Part 2 - Basic Architectures

Basic Architectures.

Assuming for the time being that we have an ID Card and a Register, what architectures might we consider? Let's take the card itself first. Consider what would need to happen to identify somebody holding a card. There are four basic alternatives...

1. The card is very simple, containing very little information other than a unique number which acts as a key on the register. All the biometric, data, and personal information would be held on the register.

Pros : Cards very cheap, need not be 'smart'. 'Easy' to perform the audit.
Cons : Everything depends on the network, including the validation of the card and identity check.

2. The card is very complex, containing most or all of the information required, and can provide a local validation capability without resorting to the register. No connection to the register other than at registration time.

Pros : No need for continuous network, cost of running the register much lower
Cons : No audit capability, no fall back if card verification fails

3. The card contains the validation and identity checking capability, but not the personal information. Personal information is held on the register.

Pros : Offline validation and identity checking, some auditing capability for access to data
Cons : Incomplete auditing (can't audit card validation)

4. The card contains all the information. It is a copy of a citizen's profile on the register.

Pros : Full Audit, Fall back in case of network failure
Cons : Expensive cards, synchronisation issues between card data and register

Now let's look at the Register. How could that work? Once again there are four basic alternatives.

1. The register is a single large store containing all the required information in one place.

Pros : Simple to administer, easy auditing, conceptually simple
Cons : Severe security issues, severe reliability issues, no privacy controls

2. The register is a distributed database similar to above, yet with many 'copies' of the register information held in different locations.

Pros : As above, though slightly less so. Better reliability than above
Cons : Same security issues (possibly worse with multiple targets), no privacy controls, data synchronisation problems

3. The register is a distributed database where different distributions hold separate sections of the data profile (e.g. address in one system, entitlements in another) linked by a master index pointing to the sections.

Pros : More secure (multiple attacks required to assemble a complete profile), some privacy controls could be provided
Cons : Tricky to audit (though not impossible), overall system at the mercy of multiple network links

4. The register is a federation of interconnected autonomous stores.

Pros : Privacy enabled by design, High degree of security as individual stores would be autonomous, decentralised identity checking (no single point of attack)
Cons : No comprehensive audit possible as the stores are not directly connected, though individual stores will be auditable by their owners.
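
A sketch of register option 3, added here as an example and not part of the original post. It shows why two section dumps taken without the index share no join key, and why the who-saw-what audit trail exists only at the master index. The class names, the per-section random pointers and the sample records are assumptions; the post only says the sections are linked by a master index.

```python
import secrets

class SectionStore:
    """One section of the register (e.g. addresses), keyed by opaque pointers."""
    def __init__(self, name):
        self.name, self.rows, self.audit = name, {}, []

    def put(self, data):
        ptr = secrets.token_hex(16)  # random: unrelated to card number or other stores
        self.rows[ptr] = data
        return ptr

    def get(self, ptr):
        self.audit.append(ptr)       # a store can only log the pointer it served
        return self.rows[ptr]

class MasterIndex:
    """Maps a card number to the pointer held for it in each section store."""
    def __init__(self, stores):
        self.stores = {s.name: s for s in stores}
        self.index, self.audit = {}, []

    def register(self, card_no, profile):
        self.index[card_no] = {sec: self.stores[sec].put(val)
                               for sec, val in profile.items()}

    def lookup(self, requester, card_no, section):
        self.audit.append((requester, card_no, section))  # who saw what: index only
        return self.stores[section].get(self.index[card_no][section])

def join_keys(store_a, store_b):
    """Keys that would let two store dumps be joined without the index."""
    return set(store_a.rows) & set(store_b.rows)

def build_demo():
    # Constructed sample data, not real records.
    addr, ent = SectionStore("address"), SectionStore("entitlements")
    reg = MasterIndex([addr, ent])
    reg.register("CARD-0001", {"address": "1 Example Road", "entitlements": ["healthcare"]})
    reg.register("CARD-0002", {"address": "2 Sample Street", "entitlements": ["healthcare", "pension"]})
    return reg, addr, ent

if __name__ == "__main__":
    reg, addr, ent = build_demo()
    print(reg.lookup("clinic-17", "CARD-0001", "entitlements"))
    print("join keys across two dumps:", join_keys(addr, ent))
    print("index audit:", reg.audit, "| store audit:", ent.audit)
```

The master index is the one component that links everything, so it needs the strongest protection and is also where the complete audit log has to live.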

Federation is a bit of a tricky concept and so I'll explain that in a future article. Now I've introduced the basics, the next article will explain why some of these architectures will have to fall by the wayside when we start to consider the scale of the NIR and ID Card system...

( Oct 11 2005, 03:44:39 PM BST / Oct 11 2005, 01:35:55 PM BST )
Trackback: http://blogs.sun.com/Drew/entry/id_cards_and_the_nir1

