Like many others, the UK government is mulling an identity card system. I welcome it, with reservation...

If the card will electronically provide multiple identifying characteristics for an individual, then it is possible that there could be at least some market for the characteristics of that individual. An identity-harvesting crime similar to skimming could have some commercial benefit, even if it is impossible to clone the ID card itself.

The point I am trying to make is that the card should not say "Paul has brown hair, is 6ft 1/2inch, is male, lives in Henry on Toast in the UK". It should say "That is Paul" while at the same time authenticating itself using PKI with the UK government. It might suggest "Paul, turn to the left" or "Smile, Paul" as it scans you via a provided video stream. Following that interactive session, it could pass judgement. It should be self-contained rather than delegate to some gatekeeping computer, in the same way that a private key should not leave the machine doing the authentication in classic PKI authentication.

Thus, in summary, the very smart card could do all or any of these, depending on the gate in question:-

1) Authenticate itself with the issuing state, for the sake of trust from the gatekeeping entity [ Airline | Passport control | Traffic Cop ] via PKI.
2) Purport to be for a person [ Picture, Name, ID number, Nationality ]
3) Authenticate person [ on card CPU/ROM, requires inputs, gives instruction; face recognition, fingerprint recognition, retina recognition, etc ]. The perils of the replay attack and corrupt gatekeeper acknowledged.
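
The exchange in the list above, as an added example that is not part of the original post: the gate issues a fresh nonce, the card signs that nonce together with only a match verdict, and the gate checks the signature against a card key certified by the issuing state, so a captured response fails when replayed. The textbook RSA on constructed keys, the `ID-0001` identifier, the `biometric_ok` flag standing in for the on-card matcher, and all class and function names are assumptions.

```python
import hashlib, secrets

# Textbook RSA on constructed keys (Mersenne primes, no padding). NOT secure;
# it stands in for whatever signature scheme a real card would use.
def make_key(p, q, e=65537):
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))      # (public, private)

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, pub, priv):
    return pow(_h(msg, pub[0]), priv, pub[0])

def verify(msg, sig, pub):
    return pow(sig, pub[1], pub[0]) == _h(msg, pub[0])

STATE_PUB, STATE_PRIV = make_key(2**107 - 1, 2**127 - 1)  # issuing state (constructed)

def cert_bytes(holder_id, card_pub):
    return f"{holder_id}|{card_pub[0]}|{card_pub[1]}".encode()

class Card:
    def __init__(self, holder_id):
        self.holder_id = holder_id
        self.pub, self._priv = make_key(2**61 - 1, 2**89 - 1)  # private key stays on the card
        # Issuance: the state signs the binding of holder id to card public key.
        self.cert = sign(cert_bytes(holder_id, self.pub), STATE_PUB, STATE_PRIV)

    def respond(self, nonce, biometric_ok):
        # The match is decided on-card (here a flag); only the verdict leaves.
        verdict = b"match" if biometric_ok else b"no-match"
        return verdict, sign(nonce + verdict, self.pub, self._priv)

class Gate:
    nonce = None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)               # fresh per session
        return self.nonce

    def accept(self, holder_id, card_pub, cert, verdict, sig):
        nonce, self.nonce = self.nonce, None               # a nonce is valid once
        return (nonce is not None and verdict == b"match"
                and verify(cert_bytes(holder_id, card_pub), cert, STATE_PUB)
                and verify(nonce + verdict, sig, card_pub))

def demo():
    card, gate = Card("ID-0001"), Gate()
    verdict, sig = card.respond(gate.challenge(), biometric_ok=True)
    fresh = gate.accept(card.holder_id, card.pub, card.cert, verdict, sig)
    gate.challenge()                                       # later session, new nonce
    replayed = gate.accept(card.holder_id, card.pub, card.cert, verdict, sig)
    return fresh, replayed
```

The gate learns the holder id, the state's endorsement of the card key, and a yes/no verdict; none of the biometric characteristics cross the interface.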

Oh, PKI in itself is not necessarily enough - the card could be physically tampered with after theft and before revocation. It has been possible to replace the photograph in every generation of passport.

Prisoners of war are only required to give name, rank and serial number; why should free citizens be required to give 20 other characteristics?

No doubt ID cards will come in the UK and be fucked up in more ways than just being a different size to Credit Cards.


April 22nd, 2004