Commentary by Mark Wahl, CISA

Organizing principles for systems:
Identity research presentations at Hotsec: Horton, user-based attestation and opportunistic personas (20070823)

One of the presentations at the recent 2nd USENIX Workshop on Hot Topics in Security (HotSec 2007) was on Horton. Horton is part of an object-capability system and, in the words of the paper, provides identity-based tracking and control for delegating responsibility with authority. In the presentation 'Delegating Responsibility in Digital Systems: Horton's "Who Done It?"', Mark S. Miller (Google Research), Jed Donnelley (LBNL/NERSC) and Alan H. Karp (HP Labs) discuss scenarios in which a pair of identity tunnels (e.g., Alice - Bob and Alice - Carol) can be used to build a new tunnel (Alice introduces Carol to Bob, yielding Bob - Carol). Carol might, however, believe that Bob is merely a pseudonym for Alice; additional parties are then used to disaggregate Bob from Alice (Dave has tunnels to Carol and to Bob, and from this Carol joins the "Bob" identity she heard about from Alice with the "Bob" identity she heard about from Dave).

The paper "Turtles all the way down: research challenges in user-based attestation" by Jonathan M. McCune, Adrian Perrig, and Arvind Seshadri (CMU/CyLab) and Leendert van Doorn (AMD) highlights a problem with the TCG remote attestation model. A client system connects to a server system somewhere on the Internet. The server can determine that the client is out of conformance (e.g., wrong software, malware present), but has no way of informing the client's user of this situation, since any malware on the client could ignore the warning message from the server and display an "all OK, type in your password" message to fool the user. The authors propose a hypothetical "iTurtle" device, such as a USB fob, which the user plugs into each of their client systems. The iTurtle verifies the client system's configuration, displays the status of that verification to the user (e.g., a red LED lights for "bad"), and could possibly act as a boot disk to restore an infected client system to a known good state.

In "The Strengths of Weaker Identities: Opportunistic Personas", Mark Allman, Christian Kreibich, Vern Paxson, Robin Sommer, and Nicholas Weaver (ICSI) state that it is sometimes unnecessary (or inconvenient) to perform the ceremonies needed for a 'full' establishment of a party's identity and trusted keys prior to communicating with that party. They use the term opportunistic persona for situations in which the cryptographic keys are generated opportunistically and do not provide what is traditionally considered a "strong" form of identity. They write:

In addition to the opportunistic generation of personas, we also argue for the idea that user actions can often be interpreted as an implicit proxy for management of personas. Users tend to respond differently to legitimate versus unwanted activity. By observing user reactions, we can then in some cases infer the user's trust in particular personas. For example, user reactions could drive the construction of white- and black-lists... Certainly, in terms of achieving secure and sound systems, learning personas in an informal fashion is in principle not as desirable as manually exchanging and validating keys. However, in a number of contexts such validation has proven impractical: it is either beyond the ability of most users, or at least beyond their 'pain threshold' for the perceived benefits. Thus, we believe application and protocol developers will benefit if they broaden their thinking to consider weaker forms of identity may actually provide stronger practical security.

If a user's interpersonal software (e.g., email, conferencing) dynamically generates a key for signing outgoing messages, then over time a user might promote the opportunistic personas of the other users with whom they frequently communicate into the 'actual' identity of those users.
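The persona lifecycle sketched in the quoted passage and the paragraph above, written out as an added example (not code from the paper or from this commentary): a receiver records the signing key first seen for an address, promotes the persona to trusted after repeated replies, blocks it on a spam report, and refuses to silently re-bind the address when a different key appears. The reaction labels, the promotion threshold and the warning format are assumptions, and the signature on each message is assumed to have been verified before observe() is called.

```python
import hashlib
from dataclasses import dataclass, field

# Persona states: first sighting, user-confirmed trust, or user-confirmed block.
OBSERVED, TRUSTED, BLOCKED = "observed", "trusted", "blocked"
PROMOTE_AFTER = 3  # hypothetical threshold: replies before auto-promotion


def fingerprint(pubkey: bytes) -> str:
    """Stable handle for an opportunistically generated public key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Persona:
    address: str
    fp: str
    state: str = OBSERVED
    replies: int = 0


@dataclass
class PersonaStore:
    by_addr: dict = field(default_factory=dict)

    def observe(self, address: str, pubkey: bytes):
        """Record the signing key seen on an incoming message.

        Returns (persona, warning). The warning is set when the key differs
        from the one already bound to this address; the old binding is kept,
        so the mismatch surfaces to the user instead of being overwritten.
        """
        fp = fingerprint(pubkey)
        known = self.by_addr.get(address)
        if known is None:
            persona = Persona(address, fp)
            self.by_addr[address] = persona
            return persona, None
        if known.fp != fp:
            return known, f"key change for {address}: {known.fp} -> {fp}"
        return known, None

    def user_reacted(self, address: str, reaction: str) -> str:
        """Interpret a user action as implicit persona management."""
        persona = self.by_addr[address]
        if reaction == "reply":
            persona.replies += 1
            if persona.state == OBSERVED and persona.replies >= PROMOTE_AFTER:
                persona.state = TRUSTED
        elif reaction == "report":
            persona.state = BLOCKED
        return persona.state
```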