
[ga] Re: Banks (was: More thoughts on the ID-by-check-cashing idea)



I sent a note substantially identical to most of this to Mark
privately this morning in the hope that he would consider the
ideas for his next iteration and that the conversation would die
out.  Hasn't happened, so, FWIW, I've added a bit to it
and....

--On Tuesday, December 07, 1999 08:26 -0800 "Mark C. Langston"
<skritch@home.com> wrote:

>...
> So, for each region, we could find one or a small handful of
> people that would manage the "trust" for that geographical
> region.  Let's call them the regional trust managers, for lack
> of any better term.

I don't know that this is bad, but what you have proposed is a
very small step from a traditional certification hierarchy that
goes down the "bank" tree, rather than, e.g., the "postal" one.
And, in principle,  one could just do that -- find an
internet-interested bank, or bank-certifying body, in each
country, and let them sign keys based on the _ability_ to write
a negotiable check or equivalent instrument.    No currency gets
collected, so those issues don't apply.   

The only big problem --with this and with check-cashing
schemes-- is that banks have learned to be exceptionally
cautious about certifying "has an account" or "can write a check
without it bouncing" as distinct from "identity".   Even in the
US, I can open a lot of accounts.  I can print anything I want
to on the checks and as the account name --as long as I don't
intend to use what I put there to defraud or to violate
trademarks, but both of those problems are mine (and those I
send the checks to) to deal with, not the bank's. I am required
to give them a real name and taxpayer ID number, but they are
obligated by law in some states (and even stronger laws in some
other countries) to not reveal _that_ information except in
response to a court order.    

Of course, if you go back a few hundred years, bank-issued
letters of introduction and credit were a significant portion of
the identity papers/ mechanisms used by people visiting strange
cities or countries.  They predate the regular use of
state-issued passports by a _long_ time.   But, as with the
present system, "can pay his bills and does so" was more
important information for the purposes at hand than "is who he
says he is and doesn't claim to be anyone else".

And because banks are so careful to certify accounts and
instruments and not people, they are lousy sources of
information about _uniqueness_ of identity.  Yes, if there is an
account, there is probably a real person (or some sort of real
corporate entity) behind it.  But, in most countries that have
such systems, nothing prevents one person from opening multiple
accounts, often under different names, at different (or even the
same) bank.    As an example only, at least where I live in
Massachusetts (USA), if I have certain types of accounts at a
commercial bank, opening up an additional (subsidiary) account
is something I can do online with little more trouble than it
might take the people these plans are trying to protect against
to create a new persona.   And I can have it send out checks,
too, using all sorts of names and identities, as long as the
amounts involved stay fairly small. 

Ultimately, if one is trying to certify identity, one has to
either bring governments in or invent them.   That isn't a
matter of logic, but of definition or tautology: two of the
defining things that determine what sorts of things are
governments involve control of the legitimate use of force and
figuring out who is, and is not, subject to that government.
Either can be abused, often with horrible results, but that is
another property of governments.  Uniqueness of identity is even
harder and most governments, in situations where they care,
accomplish "no person gets more than one set of credentials"
rules primarily by threatening to do vile things to anyone who
figures out how to break the rules and then does so.

Web of trust notions are attempts to get decent identity
credentials working (without any real assertions about
uniqueness, which some consider a design feature) and without
getting governments and formal certification involved.  But, to
work well, webs of trust depend on contact networks, individual
perceptions of trust and reliability, and everyone's being very
clear on the difference between having someone identified
adequately with a key pair and whether or not that person can be
trusted.   It may be very hard to get that to work adequately
for the DNSO, for the reasons that have become clear in the last
few days. 

But a move down the slippery slope toward formal,
government-certified, certificate hierarchies is not a small
step, but a major change in direction.  Reliance on banks (even
independent of the issues raised above) ultimately depends on
government certification of those banks in the places where that
is done, and is basically useless elsewhere without direct and
specific knowledge on the part of the key evaluator of the
particular putative bank and its properties (and that takes us
back to "web of trust" rules, not "cert hierarchy" ones).  

And, again, as far as certifying that someone is one and only
one real person, none of this will accomplish that unless it is
tied to a strong national identification system with serious
penalties for violating its provisions.   Lots of countries
don't have those, and one would prefer to not get ICANN systems
entangled with some of those who do. 

I think this is, sad to say, a dead end.

      john