_ _
_ __ | |__ | | ___ __ _
| '_ \| '_ \| |/ _ \ / _` |
| |_) | | | | | (_) | (_| |
| .__/|_| |_|_|\___/ \__, |
|_| ...2017-02-27 |___/
I'm bad at that, example: I asked the question:
"Is there a public API that any site can use to determine if a visitor has the
right to vote in the state of Denmark ?" Now, I had hoped that this would launch
an interesting discussion about the state of our IT infrastructure, mainly, why
we are using so-called "CPR" (Central Person Register) numbers as unique, safe
and verified tokens for personal identity. It's insane! Basically, every person
has a unique number, where the last 4 digits are a serial, and even serials are
given to one biological sex and uneven to the other. Now, I don't care about the
whole sexual identity discussion at all, what I care about is that effectively,
if someone comes to learn when I am born, and my gender, the search-space to my
person number, my identity as a citizen in this country, is less than 5000.
Back to the topic, the responses I got were not even remotely related to the
discussion I wanted to start. I thought it would follow, that if such an API was
to be created, the CPR system would have to change. Persons would have to be
assigned secret numbers, which could never, or close to never, be disclosed to
_ANY_ system except the central register, which would be tasked with little less
than keeping track of those private numbers and their derived identities.
I'd love to talk about why we don't push to get that done.
Now, for my original question I know the answer is no. But
what's interesting is not the next question ("Why not?") but the answer to that
question. I think the answer is technical in nature. One may say "privacy!" Well
only if the technology is crap! There's no technical reason why I couldn't get
the information "does whomever is visiting this page have the right to vote in
the state of Denmark ?", and nothing else. There's no reason that the government
should have to trust anyone to handle our primary identity keys! It is grossly
irresponsible at best! I'll wager that more than 10.000 people could, with very
little effort access my personal identification number at this time, because of
the extremely wide use of that number for everything from opening a bank account
to owning a cell-phone. Think about it, what does the bank need of me? What are
the questions that a bank should be allowed to ask?
Is this person already a customer in this bank?
What is a unique identifier for this person?
Those two would seem reasonable. Does my bank need to know my name? No, I don't
think they do. Do they need to know my address? I don't see why. Do they need my
email address? Nope. They may need to be able to contact me. That's easy enough.
"What is a public key for messaging this person?"
Encrypt text using key
"Send this message to this person and invalidate the key"
Maybe I broke some banking law, "We'd like for this person to be charged with.."
Now, don't get me wrong, I'm not a cryptography expert, I'm barely capable of
handling a calculator, so I'm not proposing an exact API, but I'm stating that
creating such as system is technically possible. It's even possible to make it
in such a way that I, as a person, will be in absolute control over which data
different instances access about me. I should be able to pre-deny/approve which
API calls, which questions I would allow my bank to make. Surely, they'd be in
their right mind to refuse me as a customer, would I not give them at least the
permission to get a derived ID for creating me as a customer. But I should be
the one in control of that. There's little reason this should not be possible to
implement in a way where very very few attack vectors of interest are exposed.
But then again, what do I know
I've been absolutely useless today, I hate those days. I hate it when I fail to
create anything of value. Thing is, one can not just think themselves better,
one has to constantly strive, and to be in the right headspace for creation and
when one is not, one has to _insert_magic_here_. I don't know how to do that, it
just comes somehow, maybe externally, I've no idea, but today I couldn't get it
done, so I was just useless. Then I came home and continued to be useless, the
day is now over, and I've done nothing of any value to anybody, not even myself.
-OUT