Copyright © 1997 by
N. Bohm and MCG, published on April 22, 1997 by the MCG
All rights reserved, free copying and citation allowed with source and author reference.
1 As an initial contribution to the discussion, this paper suggests that it is a mistake to treat the need for authentication as axiomatic. It should be acknowledged that the need varies with the circumstances.
2 This paper also suggests that even where there is a need for authentication, the degree of authentication required will vary with the circumstances and need. The highest available degree of authentication should be regarded as one which leaves the parties concerned with no doubts. Where the public at large is in effect one of the parties concerned, the law may establish the degree of authentication required. It will always be open to the parties concerned to accept some lesser degree of authentication.
When is authentication required?
3 In the great majority of private transactions neither party requires knowledge of the other's identity. The obvious example is a cash transaction in a shop.
4 The problem begins to arise where the parties are distant, as in mail order transactions. (This is not of course a phenomenon of the electronic age: mail order has existed in England since at least the 18th century, and it no doubt expanded greatly in the mid-19th century with the introduction of cheap postal services and wider newspaper advertising.) Either the merchant must trust the unknown customer to pay after receipt of the goods, or the customer must pay in advance and trust the merchant to deliver. Much trade of this kind was done on trust, and still is. Where the risks are too high, one party or the other will try to assess the trustworthiness (and incidentally the authenticity of the identity) of the other by taking up references from third parties known to both, such as bankers or other merchants.
5 Note that in these circumstances it is not the identity of the other party that is the matter of primary concern, but the trustworthiness, although often the trustworthiness could not be ascertained without ascertaining the identity first.
6 The problem of trading between distant parties has been addressed by the banking system, originally by the use of bills of exchange and letters of credit (primarily for use between traders rather than by consumers), and in recent times (but well before the Internet era) by the credit card system. It is the credit card system that has brought about the greatest expansion in remote transactions between previously unknown parties.
7 The credit card system works because the banks control access to the system by card-holding consumers and card-accepting merchants, and use that control to assess the risks to the banks of admitting particular persons. The banks then assure the merchants of payment (taking on themselves risks of card-holder insolvency) and (at least in the UK) assure the card-holder of the reliability of the merchant by incurring a measure of statutory responsibility to the card-holder for the defaults of the merchant.
8 Provided that the merchant follows the system's rules in accepting an order by remote means (which entails obtaining full card details, no doubt checking that the card has not been reported lost or stolen, and ensuring that goods or services are supplied only to the address recorded as that of the card-holder), the merchant can be indifferent to the identity of the customer. Likewise the customer can be sure that if the banks have admitted a merchant to the system (without which the merchant cannot obtain payment or the customer be charged with that payment), they have checked the existence and status of the merchant and have accepted the statutory responsibility falling on them for the defaults of the merchant.
9 Although the banks suffer a considerable loss through fraud relating to the card system, it remains profitable for them despite its deficiencies. As the volume of remote trading by electronic mail grows, the banks may take advantage of the increased opportunity for card authentication. They could enable and require their merchants and customers to generate key-pairs and to provide the bank with the public keys so as to maintain a database available to customers and merchants. It would be up to the banks to specify the evidence they required in order to admit a customer or a merchant to the system, just as it is now. Some frauds would be unaffected (such as obtaining and using a card without having the means to pay); others would become much more difficult (such as impersonating a card-holder on the basis of the details found in a discarded transaction record).
10 Such a system could utilise customers' and merchants' existing keys where they had them. But since there is no universal standard, it seems more likely that the banks would establish their own system under their own management, and the card-holders' and merchants' keys might well be usable only within the system. There seems no reason in principle why key-holders should not use the same keys for general authentication or encryption purposes, particularly if the banks' database of public keys were accessible to the public. But it should be noted that such a system would do no more than associate a public key with a card or merchant (and perhaps the name and address of the holder or merchant as known to the bank). There would be no more verification of the content of the database than is required to verify the identity of an individual opening a bank account, which is not very great.
11 The preceding paragraphs have dealt at length with payment, because payment is the main concern in transactions between previously unidentified parties. It is probable that as regards payment, the banks will continue to take the risks, and will develop whatever systems seem to them cost-effective to reduce those risks. The Internet Community does not need to do more than encourage the adoption of reliable, open, interoperable standards by the banks.
12 Where else do previously unknown parties need assurance of one another's identities? This may well occur less often than might be supposed.
13 A number of examples may be considered. X does not wish his bank to release confidential information about him to strangers pretending to be X: but the bank and X are not previously unknown, and it is indeed out of their prior relationship that the existence of the confidential information arises. X has ample opportunity to ensure that the bank knows his public key: for example X can hand it personally to a manager who knows him through a history of personal dealings. Y may wish to consult a famous physician although they have never met. It is unlikely that this can be satisfactorily achieved without a visit to the physician's consulting rooms, perhaps after some introduction. It is possible that the physician's presence in the telephone directory and medical register are part of an elaborate fraud, including bogus consulting rooms, but in practical terms this is unlikely. If during a visit Y obtains his public key from him personally, and hands him his own, then each can thereafter be sure that future dealings are between the same two individuals.
14 Perhaps more plausible cases of previously unknown parties needing assurance of one another's identities can arise where a seller claims to be the owner of property whose title is registered. Examples are registered titles to land or corporate securities.
15 It is surprising that in the UK at least, neither the Land Registry nor a corporation in which a person holds stock will necessarily have any prior knowledge of his signature, despite the fact that it is his signature on a form of transfer that is necessary to transfer his title to a buyer. This suggests that remarkably low levels of authentication are quite sufficient to enable substantial transactions to proceed on a large scale without significant practical risk. Nevertheless there might come to be significant benefit from attaching a public key to a land or corporate stock title at the time of acquisition, so that the buyer could later use the corresponding private key to authenticate a subsequent dealing. At the time of original purchase, all that the land registry or corporation would be concerned to ensure was that the buyer and the public key were associated: there is no reason why either should go further and seek to verify that the buyer really is known by the name or resides at the address given for registration purposes.
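The registry scheme sketched in paragraphs 9, 10 and 15 (a bank, land registry or company associates a public key with a card or title at the time of acquisition, and later accepts a dealing only if it is signed with the matching private key, without ever having verified the holder's name or address) can be shown in working code. What follows is an added example, not part of the original paper and not the actual system of any bank or registry. It uses the Ed25519 signature scheme from Go's standard library; the Registry type, the title numbers and the format of the signed transfer form are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry binds an asset identifier (a land title number, say) to the
// public key presented when the asset was acquired. It records nothing about
// the holder's name or address: a later dealing is authenticated by proof of
// possession of the matching private key, not by any identity check.
// (Illustrative type, not any real registry's system.)
type Registry struct {
	titles map[string]ed25519.PublicKey
}

func NewRegistry() *Registry {
	return &Registry{titles: map[string]ed25519.PublicKey{}}
}

// Register runs once, at acquisition. The only checks are that the key is
// well-formed and that the title is not already bound to someone else.
func (r *Registry) Register(title string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, taken := r.titles[title]; taken {
		return errors.New("title already registered")
	}
	r.titles[title] = pub
	return nil
}

// TransferForm is the exact byte string the current holder signs. The title
// is part of it so a signature for one title cannot be replayed against
// another, and the buyer's key is part of it so the signed form cannot be
// altered to hand the title to a different key. (Assumed format.)
func TransferForm(title string, buyer ed25519.PublicKey) []byte {
	return []byte("transfer:" + title + ":" + hex.EncodeToString(buyer))
}

// Transfer rebinds the title to the buyer's key, provided the form carries a
// valid signature from the private key matching the key on record.
func (r *Registry) Transfer(title string, buyer ed25519.PublicKey, sig []byte) error {
	holder, ok := r.titles[title]
	if !ok {
		return errors.New("no such title")
	}
	if len(buyer) != ed25519.PublicKeySize {
		return errors.New("malformed buyer key")
	}
	if !ed25519.Verify(holder, TransferForm(title, buyer), sig) {
		return errors.New("signature does not match key on record")
	}
	r.titles[title] = buyer
	return nil
}

// Holder returns the key currently bound to a title.
func (r *Registry) Holder(title string) (ed25519.PublicKey, bool) {
	k, ok := r.titles[title]
	return k, ok
}

// NewKey generates a fresh Ed25519 key pair for a party in the scenario.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	reg := NewRegistry()
	sellerPub, sellerPriv := NewKey()
	buyerPub, _ := NewKey()
	_, impostorPriv := NewKey()

	const title = "LN-0001" // constructed title number for the demonstration
	fmt.Println("register:", reg.Register(title, sellerPub))

	// An impostor who knows the seller's name, address and title number but
	// not the private key cannot produce an acceptable transfer form.
	bad := ed25519.Sign(impostorPriv, TransferForm(title, buyerPub))
	fmt.Println("impostor transfer:", reg.Transfer(title, buyerPub, bad))

	// The holder signs the form and the title is rebound to the buyer's key.
	good := ed25519.Sign(sellerPriv, TransferForm(title, buyerPub))
	fmt.Println("holder transfer:", reg.Transfer(title, buyerPub, good))

	// Replaying the same signed form after the transfer fails: the key on
	// record is now the buyer's, so the seller's key can no longer deal.
	fmt.Println("replayed transfer:", reg.Transfer(title, buyerPub, good))
}
```

Note what the registry does and does not establish: it proves that whoever signs a later transfer holds the private key bound at acquisition, which is exactly the "same two individuals" assurance of paragraph 13; it says nothing about whether the name given at registration was the holder's "real" name, and the binding is only as strong as the holder's custody of the private key.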
16 To summarise this part of the argument: it is much less common than is supposed by current conventional wisdom for previously unknown correspondents to need a high level of certainty about the true identity of the person with whom they are corresponding.
What is the reliability of authentication?
17 The following account is summarised from a report appearing on 15th April 1997 in The Daily Telegraph, a UK quality newspaper.
18 In 1964 Alan Reeve, then aged 15, murdered a friend of the same age. He was detained in Broadmoor, a maximum security hospital. At the age of 19 he murdered another Broadmoor inmate (also a convicted murderer). During his time in Broadmoor he obtained a University degree in sociology by correspondence and became a Maoist. In 1981, aged 32, Reeve escaped from Broadmoor and lived for a year in the Netherlands, where he killed one policeman and injured another during an attempt to rob a liquor store. He was sentenced to 15 years' imprisonment. During his time in prison he qualified as a lawyer. He was released on parole in 1992 after 10 years. The British Government applied for his extradition from the Netherlands, but he escaped to Ireland while on bail. In 1995 he became engaged to an Irishwoman in Cork, where he had lived and worked since May 1995 as a typesetter and editor with the Cork Women's Poetry Circle. In April 1997 he was arrested at the request of the British Government with a view to his extradition to the UK. Neither his Irish fiancée nor his workmates or other acquaintances were apparently aware of any part of his earlier history. He had claimed to have been a journalist and author and to have done voluntary work in Africa.
19 The report does not indicate whether Mr. Reeve had obtained an Irish or Dutch passport, driving licence or other identity papers, though it is certainly possible and seems probable from the circumstances. He could almost certainly have obtained an authentication of his "Irish" identity which would have proved entirely satisfactory to any key-certifying authority, but would not have identified him as a murderer escaped from a secure mental hospital. The newspaper's headline dramatically illustrates the contrast:
"'Friendly, caring, dependable and loving' - How this woman described triple killer she shared her life with."
20 This account provides a graphic illustration of the problem of identity as it might confront a certifying authority. Terrorists and "commercial" criminals could almost certainly deceive such an authority with relative ease unless the standards of identification were set so high that many ordinary members of the public could not satisfy them. However high the standards were set, governments could almost always circumvent them for purposes of espionage or even in the ordinary course of operating such schemes as witness protection programmes.
21 Every individual has a number of unique characteristics, such as DNA profile and fingerprints. If these were routinely identified at birth and recorded in a machine-searchable database, it might be possible to provide a reliable permanent connection between an individual and an identifier which could be used for authentication. Such a scheme is unlikely to be feasible in practice, particularly on a worldwide basis, and would in any event depend on government involvement which would render it objectionable to many and untrustworthy in some circumstances.
22 It should also be borne in mind that in a number of countries, of which the UK is one, an individual is free to adopt any name he chooses, and to do so without any formality prescribed by law. In these circumstances there can be no difference between an individual's "true" or "real" name and the name by which he happens to be known to those with whom he deals in the ordinary course of life. This is not a concept which can easily be accommodated by rigid notions of authenticating the identity of an individual.
23 To summarise this argument, the reliability of authentication is a matter of degree; high levels are very difficult to achieve on a basis that would be open to large numbers of people; and even high levels of authentication remain exposed to a number of dangerous attacks.
24 The importance and value of authentication may be less than they sometimes appear. If authenticators are required to take a serious burden of responsibility for the authentications they provide, they will try to set high standards and will charge high fees for their services. If it is seen to be difficult and expensive to obtain authentication, and not of correspondingly high value, there will be no market for it.
25 If governments institute legislative schemes (as proposed by the UK Government) where authenticators require a licence, and where licences are granted only on condition that authenticators retain both public and private keys in order to ensure that private keys are available to the authorities, the dangers of improper use of private keys are added to the other drawbacks of official authentication schemes.
26 A different situation may arise if the burden of authentication falls on the user and not on the provider. In that case the party who bears the risk or the expenses can judge - as a matter of risk analysis - where to find the break even point between risk and cost.
27 A number of issues raised in this paper can be illustrated by referring again to the first example of the paper, a cash transaction in a shop. If the shop owner does not want to know the identity of the customer, then at least he must authenticate the cash used ("No, sir, it's ten pounds and not five pounds you have to pay"). He may use a visual authentication of value and banknote, or he could use a UV light, a metal-strip detector, etc., to authenticate the bill. Sometimes the state imposes a burden of authentication on the private parties to a transaction, as in the case of sales of alcohol, tobacco or firearms. In such cases the seller may also need to authenticate some attribute of the customer. This may be his age ("No, sir, this liquor may not be sold to minors") or indeed his identity ("No sir, I must record the name, address and social security number of all purchasers of firearms"). It is all a question of his acceptable risk versus his incurred cost, since he is the party at risk (not the customer).
22nd April 1997
This paper has had the benefit of several helpful suggestions from Dr. E. Gerck in the form of comments on an earlier draft. The errors that remain are those of the author.
Nicholas Bohm MA (Cantab), Solicitor of the Supreme Court of Judicature in England and Wales, participant of the MCG
MCG - The Meta-Certificate Group, is an international non-profit open group. The MCG is a fresh exploration of applied cryptography to solve real-world Internet security issues of today, for individuals, corporations and governments alike, as represented by the current certificate questions. The MCG Home-Page is at http://mcwg/mcg.htm