The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million; the loan was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executive from the trading house — at the trading house’s office — to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is genuine (by custom and practice — you don’t explicitly validate it), and when they put a letterhead in front of you, you take it to be real. Oops.
Now imagine how it should work. I’m down at the printers and I order 500 copies of some flyer: let’s say, for example, the Consult Hyperion newsletter, that august journal CHYPpings. What’s the point of me showing them a business card or a letterhead? Or physically signing anything? What should happen is this…
I open up my phone and select my identity application — downloaded from the operator, or the government or wherever — and it asks me who I want to be. In the pop-up menu is "Dave Birch from Consult Hyperion", "An Executive Officer of Consult Hyperion", "David Birch" and "The Notorious 15Mb".
The virtual identities in the pop-up menu are actually public key certificates stored in the handset. Each one has a corresponding private key in the SIM (some of the virtual identities share the key pairs, or digital identities as we call them).
- "Dave Birch from Consult Hyperion" is signed by Consult Hyperion.
- "An Executive Officer of Consult Hyperion" shares the same public key as "Dave Birch from Consult Hyperion" but it is signed by Barclays Bank because Executive Officers are allowed to sign cheques (etc).
- "David Birch" is signed by me.
- "The Notorious 15Mb" is signed by WordPress to prove that I own the blog 15Mb.
Don’t try and resolve the certificate chains, they’re just made-up examples. Anyway, I select the second. So when I touch my phone to the other guy’s phone, that virtual identity is transferred to his phone. His phone resolves the certificate chain (his phone already has Barclays’ root certificate cached) and away we go. Now he has a business card that is far more useful than a piece of cardboard: not only does it go straight into his phone book, but it can be coloured green because it’s been attested to by a third party that he trusts (i.e., Barclays). And digital signatures mean that no-one can forge their "business card".
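As an added illustration (not code from the original post), here is a Go sketch of the chain resolution just described: one key pair standing in for the SIM, three certificates over it signed by different parties, and a counterparty phone that has only the Barclays root cached, so only the Barclays-signed identity gets coloured green. The two root certificates, the ECDSA keys and the validity periods are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo shortcut: panic on any error
	if err != nil {
		panic(err)
	}
	return v
}

// issue binds name to pub in a certificate signed by signer; parent == nil means self-signed.
func issue(name string, pub *ecdsa.PublicKey, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = tmpl // self-signed: the subject vouches for itself
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// attested is the receiving phone's "colour it green" decision: does the identity chain to a cached root?
func attested(identity, cached *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cached)
	_, err := identity.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo: one key pair in the "SIM", three virtual identities for it, a counterparty with only Barclays' root cached.
func Demo() (fromHyperion, execOfficer, selfSigned bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	hyperionKey, barclaysKey, simKey := newKey(), newKey(), newKey()
	hyperionRoot := issue("Consult Hyperion", &hyperionKey.PublicKey, true, nil, hyperionKey)
	barclaysRoot := issue("Barclays Bank", &barclaysKey.PublicKey, true, nil, barclaysKey)
	daveFromCH := issue("Dave Birch from Consult Hyperion", &simKey.PublicKey, false, hyperionRoot, hyperionKey)
	officer := issue("An Executive Officer of Consult Hyperion", &simKey.PublicKey, false, barclaysRoot, barclaysKey)
	david := issue("David Birch", &simKey.PublicKey, false, nil, simKey)
	return attested(daveFromCH, barclaysRoot), attested(officer, barclaysRoot), attested(david, barclaysRoot)
}

func main() { fmt.Println(Demo()) } // false true false
```

Only the identity whose issuer the counterparty already trusts verifies; the same public key under a Consult Hyperion signature, or self-signed, resolves to no cached root and stays uncoloured.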
The identity transaction between us is taking place not in some kind of virtual reality but in what Umberto Eco would call a "hyper reality": not reality as it is, but reality as it should be. Not an emulation of cardboard business cards but something better than cardboard business cards. This really ought to be a guiding principle in the identity cards world.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
It is somewhat ironic that if anybody uses digital signatures in practice (for signing documents), then it is the financial institutions.
Yet, I am still surprised at the limited attention given to one aspect of the recent SocGen scandal about fake emails:
“The bank’s general inspection department highlighted Kerviel’s use of fake e-mail messages to justify missing trades and the borrowing of colleagues’ log-in credentials to conduct trades in their names.
Investigators identified at least seven occasions on which Kerviel faked messages between April 2007 and Jan. 18, four of them referencing trades that never existed. The deception was eventually uncovered when they could find no trace of Kerviel receiving the purported messages in Société Générale’s e-mail archival system, Zantaz.”
source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9063680
What happened to simple verification of headers/signatures of their authenticity?
The article goes on to mention a special committee recommending the use of biometrics etc. It seems to me that this is not addressing the root cause of the problem: poor verification of digital signatures (or lack thereof?) on internal emails for confirming trades (or lack thereof).
[Dave Birch] Thanks for highlighting the SocGen example.
This is more or less a restatement of the PKI business case. Unfortunately we have about 15 years experience now showing why it doesn’t work (click for a long list).
To my mind it cannot work to do what you want: to render the Lehman case of historical interest only. The bankers concerned broke the rules of due diligence, and paid the penalty. Those rules would not change with the advent of PKI; standardised PKIs are generally not reliable nor useful enough to let them play any part in such a protocol. To do that, you have to look at the first principles of the protocol itself.