And there I was thinking I had come home with my partner. Now I don’t know who she is.

(Report comment as abusive?)

They are wrong. It isn’t. Do some research.

(Report comment as abusive?)

Most people find visual identification extremely reliable. That’s why passport photos are so important and have to be signed by a responsible person. Indeed, I find it very easy and I have yet to mistake my partner in the pub and leave with somone else by mistake.

The PGP 128 bit key (above)is another example of perplexing misunderstanding. Given the self-projected breadth of your knowledge, if the encryption is as good as you now admit, perhaps you might like to work out your own way of applying it. You might even make some money.

Taking things out of context, mathematically dissecting the parts and drawing conclusions you want is not only a complete waste of time but advances things not a jot.

I am sorry to say that after all this I still maintain that ID systems have not kept up with current technology and the latter is defeating
the former. Personal information is now much more easly accessed and abused. With so many ID systems still reliant upon primitive checks the problems will only increase.

(Report comment as abusive?)

You’d have to explain how public-key cryptography should be used in the design of an ID card system. It isn’t magic dust that you can sprinkle on anything to make it useful and secure, but merely a tool which can be used in the design of systems. There are useless systems and insecure systems which use public-key systems.

If your reference to 128 bits in the context of PGP was not to a key length, to what were you referring?

You’ll also have to explain why an ID card would prevent impersonation of the type you describe.

(Report comment as abusive?)

Perhaps you are not aware of as much as you think you are. There again, perhaps I’m wrong.

You finesse the insurance criticism. As I clearly explained, insurance did not protect me but improved technology and systems might have done.

Did I say a 128bit number – I did not. My reference was clearly to PGP so there was no confusion on my side. I am glad you accept – at last – that there is such a thing as a secure 128 bit key. All you need to accept now is that such a system might be used for ID cards and we’re home and dry. We might then return to the more interesting questions – if we could be bothered.

(Report comment as abusive?)

Unlikely. The error rates in comparing photo ID for untrained personnel are so high as to make it a virtually worthless security check. Again, see Anderson’s book for details.

"Digital photo ID provides a fantastically useful sieve, reducing the targets one might wish to track. It is not perfect but it’s good enough for what it’s used for at present."

As in automated face recognition? No, it doesn’t work at all. Sorry.

"I would not describe the principal in a national ID system as brittle it would be the government."

It won’t only be "the government" as a monolithic entity. What if every benefit office needs a signing key? What if they give a card reader to every police officer? How do you stop one of those escaping into the public domain?

"Really? I am the one who picks up the charges, either directly or indirectly. Insurance is not free."

True. In the credit cards case insurance costs are borne mostly by the merchants, though obviously they can pass these on to the consumer. But the same goes for the costs of technology — the difference is that the insurance actually protects you, whereas the technology probably doesn’t.

Factoring a 128-bit number probably takes an hour or so on a modern computer. You may be confusing 128-bit public keys — far too small to use — with 128-bit private (symmetric) keys, as used as "session keys" in modern public key systems. These are currently perfectly secure (brute-force search time much larger than the age of the earth), assuming good algorithms.

(Report comment as abusive?)

Chris – The people I meet in ASDA are perfectly capable of distinguishing one person from another on sight. Photo ID is probably the most commonly used form of ID after signatures.

Digital photo ID provides a fantastically useful sieve, reducing the targets one might wish to track. It is not perfect but it’s good enough for what it’s used for at present.

Perhaps more on the use of surveillance and intelligence gathering cameras later.

I would not describe the principal in a national ID system as brittle it would be the government. I will hunt down the book you refer to. I think you might enjoy reading Levy. How long do you think it would take you to crack a 128bit code on a single standard PC?

In fact one fraudster applied for a card in my name, managing to break through the so-called security and then went on to make a purchase with it.

"Your security arises from the fact that you are, through the card issuer, insured against losses. All the rest is fluff that’s there to decrease losses to the bank."

Really? I am the one who picks up the charges, either directly or indirectly. Insurance is not free. One’s losses are not necessarily purely financial. Personation has a hidden cost. One rapidly finds oneself marked on the credit sites and that flows through in surprising ways with unpleasant knock-on effects. It takes a long time to sort it out and the cost of that is carried by the vicitm. One does not know of the fraud until one suffers the consequences. Insurance is not security – it provides financial recompense for loss. Some losses can never be adequately covered,the loss of one’s credit status/integrity in the middle of a time limited transaction opportunity, for example. Insurance may also reduce security and attract risk. It has a peculiar psychological effect on both the insured and the criminal. My security was compromised because of someone else’s totally inadequate ID procedures – hence the interest in ID’s. One might even argue that my security was compromised because of complacency arising from someone else having insurance cover.

For me, there was, what is quaintly described as, ‘uninsurable loss’. ID systems have not kept up with current technology and the latter is defeating the former. Insurance discourages improvements in security when the insured is able to pass his costs on to the victims.

(Report comment as abusive?)

The low level blue cameras on the roadsides are for monitoring traffic levels (see, e.g., the BBC’s traffic web cams). They certainly can’t see drivers’ faces, though they may be able to read numberplates. "Duplicate" fingerprints have been found; in any case the problem is not the uniqueness of fingerprints — not assured, of course — but how easily automated fingerprint readers can be spoofed — very easily, it turns out. Iris scanners can be spoofed with photographs. The fact that internet banking is used by lots of people who trust it with their money does not mean that it is secure.

It doesn’t matter whether the "average" thief can do this — though with instructions, they probably could. What matters is whether enough dishonest people get involved in brokering fake ID. If society starts to rely on an ID card, you can bet that there will be such people.

Public-key cryptography is organisationally brittle because you have to establish a chain of trust between every principal in the system. That is, if I am given a public key, then I know that I can securely communicate with anybody who has that key. But I don’t know who does have the key. To place any trust in the system, I need to know who can read my messages. So I need to arrange that there are well-known keys which are used to sign the keys of everyone else in the system, usually on a hierarchical basis. That’s fine, but as soon as one such key is compromised, great swathes of the organisation can be impersonated (or eavesdropped on). If you want to base an ID card scheme on public-key cryptography, you’re going to have to distribute keys very widely in order for it to be useful, increasing the chances of a compromise.

(You would, by the way, be mad to use PGP with a key length as short as 128 bits for the public-key side.)

You mention being the victim of credit card fraud, and say that you — happily — lost nothing. This is a nice illustration of where the security in a credit card system is: it’s nothing whatsoever to do with the security of the bank’s computers or the competence of the people handling transactions. Your security arises from the fact that you are, through the card issuer, insured against losses. All the rest is fluff that’s there to decrease losses to the bank.

(Report comment as abusive?)

(Report comment as abusive?)

We have relied upon photographs for identification purposes for years. I think you will find that the security services have made great advances on digi-photo ID. The low level blue cameras on the roadsides are not speed cameras. Voice ID is also used for intercept sifting. Fingerprint experts state that where they find 17 matches (ridges, forks etc) they have never found a duplicate. They are pretty damn reliable. Iris’s ditto? You say not – why? Most internet banking works on passwords, maiden names PINs and IDs and people trust the system with their hard-earned. I was asserting that faking up the whole caboodle would not be easy for the average thief. On a computer ID web a duplicate would show up. Even now one sometimes gets calls from credit card companies checking computer generated card use anomalies. PGP is exactly what is says it is – Pretty Good at 128 bits.

I agree that nothing involving humans can be wholly reliable but can the current systems of ID be improved? I hope they can. Twice this year I have suffered crude personation attacks to obtain credit. I lost nothing but one firm sent out goods on the most ridiculously flimsy proof of ID – name, initials, correct full address – the CC company saw no problem with sending the goods to one person and the bill to another (me).

I am very interested to hear you think public key cryptograhy is "organisationally brittle". Have you read Levy? Where did you read this and what does it mean?

(Report comment as abusive?)