phlog 2017-02-27

Getting through the point

I'm bad at that, example: I asked the question: "Is there a public API that any site can use to determine if a visitor has the right to vote in the state of Denmark?"

Now, I had hoped that this would launch an interesting discussion about the state of our IT infrastructure, mainly, why we are using so-called "CPR" (Central Person Register) numbers as unique, safe and verified tokens for personal identity. It's insane! Basically, every person has a unique number, where the last 4 digits are a serial, and even serials are given to one biological sex and uneven to the other. Now, I don't care about the whole sexual identity discussion at all, what I care about is that effectively, if someone comes to learn when I was born, and my gender, the search-space to my person number, my identity as a citizen in this country, is less than 5000.

Back to the topic, the responses I got were not even remotely related to the discussion I wanted to start. I thought it would follow, that if such an API was to be created, the CPR system would have to change. Persons would have to be assigned secret numbers, which could never, or close to never, be disclosed to _ANY_ system except the central register, which would be tasked with little less than keeping track of those private numbers and their derived identities. I'd love to talk about why we don't push to get that done.

Now, for my original question I know the answer is no. But what's interesting is not the next question ("Why not?") but the answer to that question. I think the answer is technical in nature. One may say "privacy!" Well only if the technology is crap! There's no technical reason why I couldn't get the information "does whoever is visiting this page have the right to vote in the state of Denmark?", and nothing else.
There's no reason that the government should have to trust anyone to handle our primary identity keys! It is grossly irresponsible at best! I'll wager that more than 10.000 people could, with very little effort, access my personal identification number at this time, because of the extremely wide use of that number for everything from opening a bank account to owning a cell-phone.

Think about it, what does the bank need of me? What are the questions that a bank should be allowed to ask?

  Is this person already a customer in this bank?
  What is a unique identifier for this person?

Those two would seem reasonable. Does my bank need to know my name? No, I don't think they do. Do they need to know my address? I don't see why. Do they need my email address? Nope. They may need to be able to contact me. That's easy enough.

  "What is a public key for messaging this person?"
  Encrypt text using key
  "Send this message to this person and invalidate the key"

Maybe I broke some banking law, "We'd like for this person to be charged with.."

Now, don't get me wrong, I'm not a cryptography expert, I'm barely capable of handling a calculator, so I'm not proposing an exact API, but I'm stating that creating such a system is technically possible. It's even possible to make it in such a way that I, as a person, will be in absolute control over which data different instances access about me. I should be able to pre-deny/approve which API calls, which questions I would allow my bank to make. Surely, they'd be in their right mind to refuse me as a customer, would I not give them at least the permission to get a derived ID for creating me as a customer. But I should be the one in control of that.

There's little reason this should not be possible to implement in a way where very very few attack vectors of interest are exposed. But then again, what do I know?

Useless

I've been absolutely useless today, I hate those days. I hate it when I fail to create anything of value.
Thing is, one cannot just think themselves better, one has to constantly strive, and to be in the right headspace for creation and when one is not, one has to _insert_magic_here_. I don't know how to do that, it just comes somehow, maybe externally, I've no idea, but today I couldn't get it done, so I was just useless. Then I came home and continued to be useless, the day is now over, and I've done nothing of any value to anybody, not even myself.

-OUT
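The register idea from the first entry above (secret numbers known only to the central register, a derived ID per bank or site, and questions the person pre-approves), as an added Python sketch that is not part of the original post and not any real Danish system. Every name in it (CentralRegister, enroll, allow, issue_ticket, ask, the question strings) is hypothetical, and authentication of the person and of the asking party is assumed to happen elsewhere.

```python
import hashlib
import hmac
import secrets


class CentralRegister:
    """Hypothetical register: the only system that ever sees a secret number."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # derivation key, never leaves the register
        self._people = {}    # secret number -> facts about the person
        self._consent = {}   # (secret number, party) -> questions the person allowed
        self._tickets = {}   # one-time ticket -> (secret number, party)

    def enroll(self, can_vote):
        secret_no = secrets.token_hex(16)  # random: encodes no birth date or sex
        self._people[secret_no] = {"can_vote": can_vote}
        return secret_no

    def allow(self, secret_no, party, question):
        # The person pre-approves one question for one relying party.
        self._consent.setdefault((secret_no, party), set()).add(question)

    def issue_ticket(self, secret_no, party):
        # The person hands this opaque ticket to the party instead of an identity number.
        ticket = secrets.token_urlsafe(16)
        self._tickets[ticket] = (secret_no, party)
        return ticket

    def ask(self, ticket, party, question):
        # A ticket is single use and bound to the party it was issued for.
        secret_no, bound_party = self._tickets.pop(ticket, (None, None))
        if secret_no is None or bound_party != party:
            raise PermissionError("unknown, used or misdirected ticket")
        if question not in self._consent.get((secret_no, party), set()):
            raise PermissionError(f"{party} may not ask {question!r}")
        if question == "derived_id":
            # Stable for one party, unlinkable across parties without the register key.
            msg = f"{party}\x00{secret_no}".encode()
            return hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if question == "can_vote":
            return self._people[secret_no]["can_vote"]
        raise ValueError(f"unsupported question {question!r}")
```

A bank that is allowed "derived_id" gets the same identifier every time it asks, a different party gets a different one for the same person, and a question the person has not approved raises PermissionError.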