[security] security

[James A. Donald]

James A. Donald wrote:
> > Presumably we want to assign a reputation both on the
> > basis of the individual and of the identity provider, so
> > not "completely independent".

Dan Lyke wrote:
> I may indeed use a regex as part of my reputation management code, but  
> I want the underlying technologies to support complete independence.

If you want that, you want code that does not work.

Layering is ordinarily a good way to reduce large problems to smaller 
ones, but in security matters, this approach generally fails - for 
example the wifi disaster was in large part a result of layering, where 
one layer undid the the subtle security assumptions of another layer.

Attempts to arbitrarily divide security problems into smaller problems 
fail.  Splitting up security problems into smaller problems is a hard 
task that people regularly get wrong.  You cannot just do it by decree, 
by saying "Oh we will solve this problem first, and that other problem 
later".  That other problem is *not* another problem.

> In fact, my utopia involves a world where every individual is their  
> own identity provider. 

I agree, but each person cannot be his own reputation provider.

To illustrate the problem:  We would like to distribute in the 
"reputation layer" identity layer information such as:  "bankamerica.com 
identities should always be resolved as https, and their identity 
provider should also be bankamerica.com"  and, if you want jim.com to be 
jim.com's identity provider, as I also want, then we need to distribute 
in the reputation layer identity layer information such as "the public 
key for jim.com is 0xA85F....  no matter what PKI and DNSSEC says"

In order to achieve your goal, (and mine) without emailadvertising.com 
being their own reputation provider, as well as their own identity 
provider, we do need to integrate reputation and identity.