Subject: RE: [imi] Question regarding encryption
John Bradley wrote on 2009-12-07:
> Unfortunately it is not something that is easily visible to the user.

That's why I said "if the user understood the risk". Since they seemingly aren't given the tools to do so (and since it's probably too technical for users anyway), the responsibility lies with deployers and spec authors.

> If you are only looking for PPID, and you believe that issuers properly
> create PPID for managed cards then you could use that as a pseudo audience
> restriction. That could be acceptable in some circumstances.

I don't see how, but I'm not that familiar with PPID, and I don't think use of Infocard should imply it. There are other formats for such an identifier that predate the Infocard work, and I think it's a bit dangerous to conflate identifiers with proofing or condition mechanisms.

> Some privacy people push the non-auditing tokens, without understanding
> all of the problems associated with them. They have a place but should
> not be the default. (For what my opinion is worth)

They could have a place if the spec and software wasn't broken. It's really that simple. The trade-off is much too dangerous in the vast majority of cases, and the more people sidestep that issue, the more misinformation will be spread. There's nothing wrong with the concept. It's very useful and should be the default, IMHO, so it needs to be fixed.

-- Scott