The many-sided story of Dr. Faust has in Johann Wolfgang von Goethe one of its several writers, and certainly the most influential . In the story, Dr. Faust wants to gather all and everything he desired, essentially looking for what we would call security today -- and the deal with Mephistopheles gave him access to that, but at the cost of Faust's soul. Now, given that experience, I recall Dr. Faust to give us warnings and hints on how to solve Internet security problems without giving out our souls to the Devil (please, insert your favorite Devils here: _____ from the list of TTPs, key-escrow, CAs, notaries, Big Brother, data mining, data warehouses, spam, useless costs, renewal costs, hackers, virus, fraudsters, "innovative" products, etc.).
This message also summarizes some discussions on this general theme that I had in e-carm, cert-talk, mcg-talk, sci.crypt, dig-sig, ssl-talk, spki and other lists. The commentators were too many to cite and thank nominally but the cited lists' archives are avaliable for context and references, if needed. The text here is my own, except as noted.
Certification contains a paradox between privacy and security . Basically, if personal or commercial data are denied on privacy reasons then the other party cannot ascertain the correctness and the effectiveness of transaction data. Third-party certification systems such as PKIX/X.509/CA makes the paradox stronger, by introducing a third element in a binary dialogue.
Of course, we need security now. But, also of course, we need to protect privacy, because privacy once lost -- is lost for life. This is usually forgotten not only by CAs that demand your SSN or any other private data that has nothing to do with a cryptographic certificate, but also by proponents of "innovative" biometric products. They all want to offer you a bargain trade: security now versus your own self forever.
But, as we can read in Dr. Faust, "security now versus your soul forever" is not a very good deal ;-)
Beginning with the issue of biometrics, since biometric data cannot be revoked in case of theft/loss and cannot be recalled if the proverbial truck hits the keyholder, one must be very careful with "innovative" biometric products which try to sell biometrics as a "self-secure" private key. One should restrict biometrics much more than usually conceded by vendors, in order not to repeat Dr. Faust's choice. In a recent exchange with Nicholas Bohm, he also agreed that biometrics can indeed be useful:
The protection of privacy is thus a MUST, where I make the distinction between "protection" and "security" . Mainly:
Thus, it is interesting to consider how much one can decrease the amount of private data one needs -- for e-commerce or commerce in general -- or, that one must give away. Clearly, the less private data you need to carry with you or give away, the safer you are.
This has been discussed at length here, including the usual misconception that credit-cards do not need user identification when used in commerce or e-commerce deals. As summarized in :
However, how much anonymous can one become and still be able to participate in e-commerce, or simply in information exchange?
The answer to this question may span a large technical and political spectrum. However, let me approach it in the general sense -- which undoubtably will make the analysis partial to special cases, but I am following the 80/20 rule (80% of all cases are attained by 20% of the conditionals), which is also general ;-)
Of course, if I don't reveal who I am to *anyone*, then there is no way that *anyone* can know that I really am who I claim to be. I am then incomunicado from your side and my acts can only be verified by myself -- not a general option for commerce.
When I affirm in first place that "If I don't reveal who I am to *anyone*", exactly as it is written, then (to put it in another way) no one can track me. This is the essence of anonymity. You are incomunicado from the side of anyone that wants to contact you -- which is also the essence of anonymity's need. However that does not mean you may not have an identity! You can sure have it but that is just a "local name". A "local name" is only meaningful to you but can be used for example in Usenet discussions or even in this mailing list.
For example, if you go to hotmail.com and register yourself as "Rene Descartes" <email@example.com> then you can send your "cartesian" messages as much as you want, people will answer you but they can never reach you persoanlly unless hotmail.com cooperates.
You may even be a computer simulation and people would not know, if it is done well enough. You may be a pool of writers, taking turns at answers. You may be a group, answering messages by joint decisions. And yet, I could never track you nor any of your group if it is done well enough (eg, anonymized mailers).
What I affirmed in second place is that commerce, however, needs to track you down in order to be fair and useful.
Thus, we see the dialectic tension in Faust's Internet dilemma! You need to protect your privacy, because privacy once lost is lost for life. But, you also need your security -- as well as the vendor needs his. This is the "security now versus your soul forever" dilemma. As we can read in Dr. Faust's story, we know what we must not do. The question however is how to trick the Devil to let you do what you want -- without giving your soul in return.
In other words, you have to reconcile the FACT that preserving your identity with various degrees of anonymity is a MUST for you -- notwithstanding the FACT that commerce can do little with it in order to provide you with what you want.
A further need for commerce is non-repudiation -- that your legal acts are traceable and perfectly formed, thus allowing them to be enforced if needed either by you or by the other party. This is the reversal affirmation of acts purportedly done under an identity, where you see the result of persona --> (identity, authorization) and you want to reverse it to define which persona is paired to the (identity, authorization) that you have. This leads into three forms of non-repudiation, in its syntatic (is the signature yours?), semantic (did you understand what you were signing?) and trust (did you yourself willfully sign it?) forms. Of course, one cannot even begin to answer these three questions unless one can reach the persona -- ie, in its privacy -- where one also needs to define the persona's legal capacity at the time of signing and the way it had to be legally expressed (eg, minors).
But, not all our acts are just buying and selling large amounts, or include a need for non-repudation, especially in the information and easy-travel age.
One possibility discussed last year (in this thread, mainly at the mcg-talk) was also the interplay between accountability, reputation and a lesser form of identification that could be possible if one relies on reputation to enforce accountability. One of the earliest references of that possibility was by Moscaritolo and Hettinga , it has also been recently discussed by Brendan MacMillan .
However, reputation also has its limits, as when the other side has lots of power (eg, Nero, Gengis-Khan, Hitler, monopolist companies, military-force countries, nuclear weapons, etc.) or nothing or few to lose (eg, crooks, fraudsters, rebels, terrorists, miscreants in general).
As commented by Nicholas Bohm within a mcg-talk discussion that also involved 32946 (an anonymous participant in mcg-talk, and by itself a further example of the privacy concerns we are discussing) last year, in some cases "reputation is too frail a vessel to carry the load" :
We have to remember also that a hacker's "reputation" is to hack well, a fraudster's "reputation" is to fraud well -- so that when we say "reputation" different people understand *different* things! Different people brag in different ways...and have different standards as to what a "good reputation" is.
Of course, reputation and performance have a link -- they are joined in feedback -- but that also did not stop Volkswagen AG when they decided they could get some good money by tapping into General Motor's Co. secrets, for which they paid US$ 1.1 billion in fines last year. The worse was that it was worth it, as one of their directors publicly declared some months before the settlement, when Volkswagen admitted they had already profited more that US $ 500 million with the situation.
I think all the above indicates that one must consider a feedback inhibition effect when one wants to rely on reputation to influence fair performance and accountability: as the commercial power of a company increases (eg, by monopoly, oligopoly, raw resources availability, patents, money, tradition, import protection, partnerships, government support, etc.) then the company becomes LESS susceptible to its reputation!
This completely negates the indiscriminate use of reputation mechanisms that do not depend on some form of stronger identification or at least asset authentication in e-commerce, even for product values as low as one pays for a copy of Windows 95. So, this deleterious effect does not depend on product price either. As recent e-mail scams have shown, precisely the "US$ 50.00 credibility limit" is targeted by the miscreants that deny stronger authentication or identification -- which pays off well quickly in large volumes, of course.
However, as Brendan MacMillan says in a recent posting in e-carm:
But legal recourse is not necessary for commerce; pre-legal commerce has worked; and even "ex-legal": the mafia and the black market. Mechanisms other than legal systems can support commerce. Yes, there are problems of unequal power, but this does not make it unworkable. Yes, reputation does not encourage my performance if I have no reputation to lose - but this is true of all recourse ("future vulnerability" is an essential element of recourse).
We begin by seeking the lowest possible levels of identification (ie, by making one's "name" as local and equivocal as possible) that can be provided under present-day certification methods.
With PKIX/X.509 or PGP, certificates can be either self-signed or signed by a Trusted-Third-Party (TTP or CA). However:
To summarize, the strategy to solve Dr. Faust's Internet dilemma is to force the Devil to remain incomunicado as much as possible -- by denying one's private information to Mephistopheles, and resisting the lure to supply one's own self in exchange for "security" now. As shown, this denial attitude can be applied only to a limited extent when using extrinsic certification methods such as PKIX/X.509 and PGP that depend on tertiary security, but should be much more effective with intrinsic certification methods such as being developed for the MCS, that depend on binary security.
As a final thought, we need to realize that the Internet provides raw power, in Einar Stefferud's words . It works as an amplifier which can provide more of anything that is fed into it: results and self-discipline, problems and inefficiency, waste of time, order, chaos, hackers, frauds, etc. In other words, the Internet presents us with an ever changing phantasmagoria -- and we realize that the Internet is also a Devil, the Net-Mephistopheles! Thus, Dr. Faust needs also to deal with the Net-Mephistopheles in order to obtain and defend his Net security. What strategy should he follow? The same strategy that was devised above -- he cannot leave his *network's* private data wide open nor equally available to all. Current firewalls and intrusion detection agents begin to offer that -- with IP address translation, operation profiles, etc.
Bets and comments on Dr. Faust's fate are welcome ;-)
 Goethe also named and pioneered the science of Morphology, which predates by 200 years the observations of Maturana and Varela that the observer is an active part of a measurement process -- called today second-order cybernetics; a concept also used in the definitions of Subjective Logic and MCs as discussed in mcg-talk. Goethe's further observations how "self knowledge" defines the acquisition of "world knowledge" contain some elements also present in Trust Theory  and being used in MC development.
 "Privacy versus Security: Trust is the bridge", E. Gerck, http://mcwg.org/mcg-mirror/slides.htm
 http:// www.cs.monash.edu.au/~bren/thesis.html
 http://mcwg.org/mcg-mirror/certover.pdf or http://mcwg.org/mcg-mirror/cert.htm
 "What is the Internet Paradigm?", Einar Stefferud, http://mcwg.org/mcg-mirror/slides.htm