Lockstep

"Babysteps"

A series of short papers shedding light on particular complex issues in authentication, identity and privacy.

[Figure: Authentication Family Tree; see Babystep 9]

"Babysteps" are short papers -- we promise they are only ever one page each! -- which aim to shed light on particular hot topics in e-authentication. We hope that Babysteps are thought provoking, and that they deepen our collective understanding of certain critical issues.

Comments are welcome, to swilson@lockstep.com.au.

Babystep 15: Introducing "Identity Plurality" [download, 44Kb]
On the idea that we really exercise a portfolio of separate identities, in contrast to the orthodoxy that insists we authenticate first and authorise second, as if we all have just the one "true" identity which must necessarily be involved in every transaction.
Babystep 14: Introduction to "Privacy Engineering" [download, 47Kb]
We coined the term "privacy engineering" in order to raise consciousness that more can be done to design privacy in at every point in the development lifecycle. Some affirm that "Privacy is not a technology issue", but that is a damaging viewpoint. By positioning privacy as being apart from technology, this statement gives licence to technologists to ignore their own role in privacy. Privacy is most certainly a technology issue, insofar as it can be influenced by IT practitioners. Privacy and IT intersect at a great many points, and technologists need to be alert to their role in minimising privacy impact.
Babystep 13: In defence of Identity silos [download, 48Kb]
Many federated identity models involve a central authentication broker, intended to break down "silos" that hold individuals' assertions. In practice these sorts of schemes have proven hard to launch. Orthodox explanations blame organisations for being too precious about their customers, or for treating security as a competitive differentiator. But the real reason is that the total cost of a large number of traditional simple contracts turns out to be less than that of a smaller number of much more complex ones.
Babystep 12: Electronic Medic Alert [download, 40Kb]
This paper builds on the idea in Babystep 11 of encapsulating data to prove their pedigree, to show in some detail how medical information could be managed in ways that very closely reflect the trusted Medic Alert process.
Babystep 11: Electronic pedigree [download, 100Kb]
To restore trust in personal identifiers, we need to know their pedigree. When a number is presented, we need to know that it is genuine, that it originated from a trusted authority, that it has been stored safely in the meanwhile, and that it has been presented with the owner's consent. There are ways of issuing personal data to a smartcard that prevent those data from being claimed by anyone else, copied from one card to another, or simply made up.
Babystep 10: What's so smart about smartcards? [download, 48Kb]
Smartcards are microcomputers embedded in plastic. Unlike any magnetic stripe card, a smartcard can tell what's going on around it, so it can act as an intelligent 'proxy' for its owner, protecting them against a range of attacks. This ability -- unheralded by many -- can make smartcards strongly privacy enhancing, in stark contrast to the anxieties they commonly provoke.
Babystep 09: Authentication Family Tree [download, 47Kb]
To help make sense of the bewildering array of authenticators on the market today, Lockstep has developed a new authentication family tree.
Babystep 08: A critical look at Bridge CAs [download, 59Kb]
This paper looks critically at the Bridge CA model. BCAs might not be ideal in non-government environments, because they aim at establishing the equivalence of certificates. Cross recognition and Trust Lists, which convey fitness-for-purpose, are a better model for most e-business.
Babystep 07: Smartcards and Prescription Shopping [download, 69Kb]
Further to Babystep 6, this paper shows how smartcards can also address Prescription Shopping, detecting the problem at source without having to transmit and centralise sensitive patient information for every single clinical encounter.
Babystep 06: Smartcards and Provider Fraud [download, 80Kb]
Smartcards can directly address fraudulent claiming by corrupt providers for services not actually delivered, and the counterfeiting of claims by administrative clerical staff. An unforgeable, indelible virtual stamp, created using an embedded key specific to the patient card and attached to event summaries, would preclude bogus or replica claims.
Babystep 05: PKI interoperability [download, 63Kb]
Is there a topic in PKI more important and yet more confusing than 'interoperability'? The notion is so 'axiomatic' that many pivotal papers omit to define interoperability, or to spell out its precise objectives. But it really isn't complicated. The best place to start thinking about interoperability is to unpack how digital certificates can help with the act of authentication.
Babystep 04: Exposing some PKI myths [download, 49Kb]
The reality is that no other security technology provides long term transaction authentication. There are plenty of access control alternatives, but the AGAF, for instance, allows only PKI digital signatures for document authentication. And NIST says that the 'only practical solution [to Man in the Middle attack and web fraud] today uses PKI'.
Babystep 03: Biometrics under the microscope [download, 46Kb]
Biometrics seem so simple and intuitive that the question sometimes arises: couldn't we just replace all our current authentication gadgets with a fingerprint reader or face scanner? The answer is emphatically no, for reasons that become apparent when we take a closer look at biometric technologies.
Babystep 02: A fresh look at smartcards [download, 51Kb]
A fresh alternative view recognises that smartcards bring a unique bundle of capabilities to protect and empower consumers, [including] proving the true identity of online services, to combat phishing, pharming and web fraud, ... and encrypting not just one but multiple, diverse identifiers, to quarantine backend systems. Smartcards can therefore radically enhance privacy and security at the same time.
Babystep 01: PKI in health & welfare [download, 43Kb]
While PKI has had its difficulties (as have many new information technologies), its unique ability to secure paperless transactions is now widely acknowledged, especially in the complex, high risk, long lived and multi-party applications characteristic of the health & welfare sector.
© 2010 Lockstep Consulting ABN 59 593 754 482