OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SV: Copyrighting schemas, Hailstorm

Comments inlined.

Main argument: identification asserts identity, contrary to the claim that
identity does not exist. Therefore, he who controls assertion of identity
(or validation of identity claims), has leverage on identity itself.


-----Ursprungligt meddelande-----
Från: Bullard, Claude L (Len) [mailto:clbullar@ingr.com]
Skickat: den 1 juni 2001 20:12
Till: Dimitris Dimitriadis
Kopia: XML DEV
Ämne: RE: Copyrighting schemas, Hailstorm

The difficulty is authentication and what one can reason 
as to facts based on it.   There is no such thing as 
identity:  there is only identification.

[dd] As indicated above, I think this claim is quite bold. Thinking that
identification is the only real thing and identity does not exist forces you
to adopt an ontology I think most people would refrain from. If, on the
other hand, you mean that identification is the link between who-, or
whatever, acts as one part in some kind of activity or exchange, and the
other part, then I see your point. Still, then, we should concentrate on
what makes identification what it is, how it is relevant to such things as
integrity, assertions, and the like, and not discard the concept of identity
all together.

The central dilemma is identification.  My identity is 
NOT clbullar@ingr.com or cbullard@hiwaay.net.  These are two 
strings that enable a system to locate machines to which 
I have access and put something in part of memory of those 
machines.  I cannot control completely:

[dd] So, then let's shift away from looking at the abstract concept of
identity and instead look on what it means for a system to keep track of
machines to which I have access, which in turn is important since
(presumably) most things I do in the future will be done via machines of
that sort (whether I use them actively or they just see to that my fridge
gets filled with my favourite foods at regular intervals).


Public safety databases (your 911 systems, police databases, etc) 
are rigorously designed to stop that sort of thing.  Why?  Because 
the enemy of your police is not your criminals.  Criminals are product. 
The enemy is lawyers.  The jurisprudence system goes to some 
pain to err on the side of the accused and if it can be shown 
in any way that a database can possibly be tampered with (remember 
OJ), the case usually goes to the defendant.  Lawyers do some 
pretty bizarre things to show "possible" and the only way the 
prosecutors can get their jobs done is to go to bizarre 
lengths to make their case "airtight".  But every venue, judge and 
jury doesn't work the same way or see this the same way.  To 
some, "quacks like a duck" is all they need to know.  Now, 
do a little global traveling in which in every venue you visit, 
pig loving donkeys get treated differently, but access to the 
fact that your email address was in the DonkeyLovesPigs data base 
is a global fact.

[dd] So, if I've followed your argument correctly, we should all
collectively give our means of identifications away to be stored somewhere
safely, so that none of us can violate the rules of identification? Some
kind of trusted third party? And this should be a company? Just in order to
make sure of everybody ending up in a peculiar situation, and not just some
of us?

So before we even get to who owns the software, we have to be very 
scrupulous about what the information can be used for, and when 
machine-reasoning has to be questioned as to interpretation.  And 
the problem here is:  We Don't Control That.  At that point, 
disconnecting looks like the safest option.  Kiss the NewNew 
Economy goodbye.

[dd] Again, this is not a software issue. I wouldn't care less if it were
done with pen and paper. And to be quite frank, the way things are going, I
think we should seriously think about unplugging. At least for a while. On
the other hand, it could be argued that we, instead of unplugging, should
Start Controlling That, instead of looking for a Trusted Third Party.

So who does control that?  Today, anybody.  As soon as you 
sent the first piece of email, or signed up for the first 
subscription, you said goodbye to the ability to control the 
use of that string if not the right.

[dd] Not exactly anybody. Subscribing me to DonkeyLovePigs is not the same
as reading my email through a web interface or bying stocks for me. 

So something like Hailstorm has to happen.  So now you have 
the next problem of administration.  If a someone can sign 
you up to DonkeysLovePigs, how can you be sure someone can't 
get your Hailstorm information and sign you up to something 
even more incriminating?  And that's a simple case.  Identity 
theft is big business.

[dd] I wasn't primarily referring to Hailstorm, but any similar
idea/framework. Besides that, i'm not sure it _has_ to happen. If your point
is that it has to happen because people will let it happen (since their
identity is protected in any series of government-controlled databases),
then it's just a new business model proposal. My main point is that we will
see dynamic effects in a magnitude that will make it very much harder to
control how we ourselves infer things, make decisions, raise our voice and
so forth. Making active people passive by thinking for them is not the same
as people being happy because they can by goods at a somewhat lower price.
The first is a paradigm shift in the principles of society, the second a
well-needed change of the way we buy stuff.

[dd] Returning to your closing sentence: of course identity theft is big
business. I just don't see why you draw parallels between the simple case
(in which one of my many "facets", that is an email adress I use, gets used
to subscribe me to obscure mailing lists) and the more complex case (in
which a whole lot of information about me is stored and manipulable and
searchable and predictable and so forth). Those are two very different
issues. And I sincerely don't think something like that exists today, at
least not commercial, not to that degree. And, hopefully, neither will it in
the near future.

My intuition is that companies who make the software for authentication 
can't own the services as well.  Imprudent.  Yet even then,
depending on how used, these services require oversight to protect the
from abuse.  That is the way public safety systems work and 
in that one, we are mainly protecting the accused....

... and everyone with a driver's license, a gun permit, a pawnshop 
ticket and so on.  That's why those systems aren't on the web.

[dd] Prudence very rarely stands in the way of big business.  And actually,
there are systems that do expose information on driver's licenses over the
web. I just questioned an insurance company's website to get a pricequote
for insuring a car I want to buy, by giving them my social security number
to which my driver's license (as well as history about if I've crashed my
car, stolen anything, been behind bars for having been drunk and driven) is

[dd] So, following your line of argument, if I wasn't the one that asked for
the quote, but it was someone else, who would the insurance be issued for,
if ordered, since identity doesn't exist? The identified party? Who in that
case would be?

[dd] In closing however, would you prefer that companies that owned the
means of identification were not allowed to own the services? Wouldn't you
be a bit alarmed that means of identification (in a more serious sense than
email and so forth) were owned to begin with? I'd happily let companies own
the services as well, if they owned those means. As if preventing them from
owning the services would make any difference.

Kindest regards (and very much looking forward to continuing the discussion)



Ekam sat.h, Vipraah bahudhaa vadanti.
Daamyata. Datta. Dayadhvam.h