Subject: Re: Q: Can you build an authentication system on OS?
From: "Stephen J. Turnbull" <turnbull@sk.tsukuba.ac.jp>
Date: Tue, 10 Jul 2001 15:06:11 +0900

>>>>> "Shiraz" == Shiraz Kanga <skanga@bigfoot.com> writes:

    Shiraz> In either case if I create the data then I should specify
    Shiraz> how it is used

But what does "create data" and "specify use" mean, and how do you put
it into a license?  Eg, how do you "create data"?  Take your name,
"Shiraz Kanga".  Your parents (I assume) gave it to you.  Was that
"creating the data"?  But (again, I assume) part of it is a family
name, so by social custom they weren't allowed any creativity in that
part.  Next, you (or your system) put it in the headers of your mail.
Is that where "data is created"?  Then I discovered it on the headers
of your mail.  Is that "data creation"?  If not, how is that different
from discovering paintings by prehistoric man in a cave?

How can contributions of data intended for publicly accessible
databases served on the Web be covered by the same legal ideas as
personal data stripped from your hard drive by Prodigy or Passport?

I'm not asking for a legal document; I just find the whole concept
very confusing.  At the moment it seems to me that basically a bunch
of people feel screwed about the way that data they provided to a
compiler/publisher/vendor in some way was used.  I agree that in the
examples given the outrage is justified, but I see no attempt yet to
define it except "uses of data with some relation to a person that
pisses that person off."

Back to authentication, specifically:

    >> >> While it may be possible that .NET could still control the
    >> >> authentication infrastructure and keep data at the edges of
    >> >> the network, I cannot see how this could happen.

    Shiraz> There are probably many ways [...].

    >> Of course there are, and that's where we need to attack.

    Shiraz> How do you attack this? I do not follow your argument
    Shiraz> here.

The point is that we need to show that authentication can be separated
from the actual processing of the data.  If we can't do that, the door
is wide open for proprietary systems to monopolize the data processing
of their authentication customers and vice versa.

    Shiraz> I do not think we can rely on spreading the word and
    Shiraz> hammering on the facts.

Who said "rely"?  The point is to create public awareness that (a)
Microsoft's vision is bad for them, here and now, and (b) that there's
zero benefit from it to anyone but Microsoft.  Without awareness of
those facts, people will be willing to accept the monopoly in return
for the (small but very visible) benefit of being able to put the
worry and inconvenience of authorization off on someone else.

The point is to show people that there is an alternative architecture
that does the job.  This will make them a lot more sympathetic to
measures to give them protection that they don't understand or want --
until they need it and don't have it.

    >> I think that, especially among small merchants, there is a lot
    >> of resentment of the "VISA tax".  I doubt they'll want to pay
    >> "Passport tax" on top of that.  It may be possible to spark
    >> interest in a free authentication service among them, simply to
    >> guarantee competition.

    Shiraz> Excellent point. However "free service" is something that
    Shiraz> will be exceedingly difficult to provide since a reliable,
    Shiraz> secure infrastructure costs $$$.

*chuckle* "Free" == "open standard implemented in OSS."  Competition
is not to force price to zero, just to ensure it's not so high that
some people are shut off from access.


-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."