Old 04-18-2002, 07:33 PM   #1
The Preacher Man
Premium Member
 
SARGE's Avatar
 
Join Date: Apr 2000
Location: Dallas
Posts: 4,828
Uh Oh - Big Brother

My conspiracy theories keep coming to fruition. I knew it, I knew it...


http://seattletimes.nwsource.com/htm...assport18.html
__________________
"Don't be so open-minded that your brains fall out."
SARGE is offline   Reply With Quote
Old 04-18-2002, 07:55 PM   #2
Retired
 
Kubie's Avatar
 
Join Date: Apr 2000
Location: Modesto,Calif
Posts: 4,048
Sarge,

One way or another, the government will get through to monitor our every coming and going.

Carl
Kubie is offline   Reply With Quote
Old 04-18-2002, 08:35 PM   #3
Member (12 bit)
 
Paul Victorey's Avatar
 
Join Date: Mar 1999
Location: MN or WI
Posts: 3,017
Any system designed to verify identity at government sites would need to be bug-free and very secure. Microsoft is doomed.

I mean, if I were designing a system to identify someone uniquely, I'd do something like authenticate by digitally signing messages using some system like PGP. Building this functionality into browsers wouldn't be hard.

Passport authenticates via BROWSER COOKIES. Cookies are OK and all, but they're hardly anything I'd trust critical information to. Cookies can be stolen; in a digitally signed messages case, the private key would never be sent or available in any form to the internet. The whole idea (or, one of the ideas) of dual key cryptography is that you can verify that a person possesses a key without ever sending the key.

MY idea for an identification would be as follows:

* The user's private key would be stored on disk, and would be password protected (encrypted).
* When the user needed to use the key, he/she would input the password, which would be transformed into its own key via a hash algorithm like SHA-1 or its stronger cousins.
* This hashed password would be used to decrypt the private key off the disk. This would be used to sign messages.
* Any service could verify ID using the public key.

This means that attackers cannot spoof identity by intercepting messages, by extracting browser data, or EVEN by stealing the private key from the hard disk, because without the hashed password, it's useless.

Last edited by Paul Victorey; 04-18-2002 at 08:54 PM.
Paul Victorey is offline   Reply With Quote
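
The four-step scheme in the post above, sketched in Go as an added example; it is not code from the thread. Ed25519 signatures, AES-256-GCM for the key file, SHA-256 as the password hash, the function names, and the sample password and challenge values are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// gcmFor hashes the password into an AES-256 key (plain SHA-256 is an assumption; a salted, slow KDF resists guessing better).
func gcmFor(password string) cipher.AEAD {
	k := sha256.Sum256([]byte(password))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealKey encrypts the private key for disk storage as nonce || ciphertext.
func SealKey(priv ed25519.PrivateKey, password string) []byte {
	gcm := gcmFor(password)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, priv, nil)
}

// SignChallenge unlocks the stored key and signs the service's challenge; a wrong password fails GCM authentication.
func SignChallenge(stored []byte, password string, challenge []byte) ([]byte, error) {
	gcm := gcmFor(password)
	if n := gcm.NonceSize(); len(stored) > n {
		if raw, err := gcm.Open(nil, stored[:n], stored[n:], nil); err == nil {
			return ed25519.Sign(ed25519.PrivateKey(raw), challenge), nil
		}
	}
	return nil, fmt.Errorf("wrong password or corrupted key file")
}

// Demo uses constructed sample values; the service holds only pub and issues a fresh challenge per login.
func Demo() (valid, replayed, wrongPwRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	stored := SealKey(priv, "correct horse")
	sig, _ := SignChallenge(stored, "correct horse", []byte("nonce-0001"))
	_, err := SignChallenge(stored, "guess", []byte("nonce-0001"))
	return ed25519.Verify(pub, []byte("nonce-0001"), sig), ed25519.Verify(pub, []byte("nonce-0002"), sig), err != nil
}

func main() { fmt.Println(Demo()) }
```

The second result shows why the service must issue a fresh challenge each time: a captured signature does not verify against a different challenge, so intercepting one login gives nothing reusable.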