The other day a few students asked me whether the most secure password actually was a passphrase consisting of at least three words. They had read this here (which is more or less a Dutch translation of this post). Passphrases are also recommended by Bits of Freedom. The source of the students was a bit dodgy however (claiming that the passphrase “This is fun” is secure forever!), so I decided to investigate.
This weekend I decided to change my Google account password. In response, Google sent me an email to the account address, notifying me of this fact. The email told me that if I did not change my password (and apparently someone else did it for me) I should click on a link to reset my password. Excellent service, right? Until I realised we are all doomed!
In our IRMA project we are implementing attribute based credentials on a smart card. In fact, we are developing a proof of concept for the Dutch Ministry of the Interior, to show that this technology can, in principle, be embedded on a national identity card to support eID functionality. Another important application of eIDs is digital signatures. The use of smart cards (combined with secure terminals) allows the generation of so-called qualified digital signatures as specified in the law. How should these two applications be combined on one smart identity card?
Technically it is feasible to provide privacy friendly identity management, for example by using attribute based credentials (ABCs). We are currently demonstrating their applicability in practice, even on smart cards, in the IRMA (I Reveal My Attributes) project. However, the use of ABCs in the real world is still very limited. One of the factors is the lack of a business case that supports the (substantial) cost of establishing an identity management infrastructure. In this (rather long) post I will sketch the issues, and indicate certain ways in which I think money can be made in an identity management infrastructure. The analysis is sketchy, primarily because I am not an economist. I would love a discussion on this topic, to advance the ideas in this post further.
IRMA versus Frau Mustermann, take 2: the advantages of attribute based credentials over a more centralised approach.
In a previous blog post I discussed the difference in security and flexibility between attribute based credentials (used in our IRMA project) and the German eID system. Now I will discuss the additional privacy protection offered by attribute based credentials, compared to a more centralised approach where attributes are stored on one or more central servers.