Everyone wants PRIVACY for themselves and
Everyone wants ACCOUNTABILITY from others.

It's time I learned about the tools of Authenticity.

 
 

Let's face it. Information security technology just does not work.

It's time we learned about Authenticity.

 
 

The Authenticity Economy will be bigger than the Internet.

We need to learn about Authenticity.

 
 

So, now I get it.

Authenticity is just PKI done right.

The Internet is broken

Learn why Stanford University says:
"The Internet is Broken"

Fix the Internet

Learn how:
"Authenticity will fix the Internet"

After the Web

Learn what happens:
After the Web

Registration Terms

Registration will be available soon:
Classes on Identity, Economics,
Attestation and Signing officers

Authenticity University

MIT Technology Review says

"The Internet Is Broken."

Spam brings us phishing attacks that install malware...

... that in turn builds botnets that steal our money and identities and reputations.

Fraud and predation pervade everyday online experience.

Identities - and cash - are stolen in batches.

As the information security industry assures us "we're working on it," people grow ever more wary of their internet experience, even as they come to depend upon it more and more.

Underneath our security problems

are problems of inauthenticity

Our real problem,

the root problem is,

inauthenticity

People are not who they say they are.
Sites are not what they claim to be.
Hackers broadcast spam and malware under your name from your computer.

How do we solve the problem of inauthenticity?

Very simply:

We solve the problem of inauthenticity
with the proven tools and construction materials of

authenticity

Authenticity works

where

security technology

has failed us.

It gets better:

When you solve problems of inauthenticity, you solve a lot of other problems as well. Security is just one of them.

With authenticity, our information systems will be much more manageable, effective, reliable and easy to use.

Can we have authenticity?

Yes, absolutely.

Mankind has developed over centuries a set of methods and procedures to solve problems of inauthenticity. Those methods and procedures fit nicely with today's information technologies.

Historically, an authenticity infrastructure consisted of

duly constituted public authority
(e.g. notaries, justices of the peace, consular officials, building inspectors, etc.)

and a means of conveying that authority
(notary seals, wax seals, affidavits, oaths, jurats, professional licensing documents, etc.)

After all these years, authenticity is still the solution to problems of inauthenticity.

On the Internet, however, we need a better means of conveying authenticity.

And indeed we have it.




We could call it an authenticity conveyance infrastructure.

Or we could call it what late twentieth century inventors named it...

It was named public key infrastructure.

So if Public Key Infrastructure is so good, then why hasn't it solved all of our information technology problems?

EIGHT REASONS
why PKI has not fixed those problems

Or: before you explain why PKI hasn't solved those problems, please explain what PKI is...

Before you go into that, what is public key infrastructure?
We'll explain by way of example.
You're probably aware that thieves attempt to steal the account numbers and PINs from bank ATM cards by placing fake card slots on ATMs.
If those were PKI cards and machines, such captured information would be worthless.

You see, a PKI-based machine presents a puzzle to the card, which contains a computer chip and a secret number that never leaves the card. After the user enters the correct PIN, the card tries to solve the puzzle. If the ATM receives the correct solution, then it knows the card must contain the correct secret number.
Of course the next puzzle presented by the machine will be different, so a solution to an earlier puzzle is of no use.
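
The ATM exchange described above, as an added example (not code from this site or from QEI): Ed25519 signatures stand in for the card's puzzle solving, and the names Card, NewCard, Respond, NewChallenge and SkimmerReplay are illustrative assumptions. It shows that a response captured at a fake card slot does not verify against the ATM's next challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card models the chip card; priv is the secret number and never leaves it.
type Card struct {
	priv ed25519.PrivateKey
	pin  string
}

// NewCard creates a key pair and returns the public half for the ATM side.
func NewCard(pin string) (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, pin: pin}, pub
}

// Respond solves the puzzle (signs the challenge) only after the correct PIN.
func (c *Card) Respond(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// NewChallenge returns a fresh random puzzle, different on every call.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// SkimmerReplay replays a captured response against the next challenge.
func SkimmerReplay() (genuine, replayed bool) {
	card, pub := NewCard("4921") // constructed sample PIN
	ch1 := NewChallenge()
	resp1, _ := card.Respond("4921", ch1)
	genuine = ed25519.Verify(pub, ch1, resp1)
	replayed = ed25519.Verify(pub, NewChallenge(), resp1) // old answer, new puzzle
	return genuine, replayed
}

func main() {
	g, r := SkimmerReplay()
	fmt.Println("genuine accepted:", g, "| replayed capture accepted:", r)
}
```

The ATM side holds only the public key, so nothing stored in or observed by the machine is enough to answer a future challenge.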

If you'd like to learn more details about this fascinating thing that has been called public key infrastructure, go to pkiuniversity.com.


If you'd like to learn why its very name is part of the reason for the problem, then click to see the next slide...

Why hasn't PKI solved all of our information technology problems?


1. It omits the vital component.

By definition PKI cannot exist without private keys. But its name and specifications do not include them.
This is truly odd.
One of the twelve components of the Quiet Enjoyment Infrastructure is its Private Key Infrastructure.


2. PKI terminology can be bizarre.

PKI experts have gotten used to saying things like "the user signs the file with his certificate..."
Now the poor newcomer who has heard that PKI is good stuff and is trying to understand how it works is left scratching her head...


The term "certificate" refers to both a signed public key and to a certificate plus its corresponding private key.

Suppose you were being introduced to fruit science.

You: What is this?
Fruit scientist: It's an apple.
You: Tell me more about this thing called an apple.
Fruit scientist: An apple is an apple plus an orange.
Fruit scientist: So what do you think of fruit science so far?
You: I think I'm outta here.

Remember being introduced in middle school to a useful type of number called an "imaginary number"?
If you could get your beautiful mind around that, then "a certificate is a certificate plus its private key" should present no problems for you.

For the rest of us, a certificate, whether digital or on paper, is an assertion that is signed by an authority, and the pen that signs the certificate is not part of the certificate.
In QEI the thing that signs the certificate is called a PEN* (of all things).
The fact that this needed to be clarified says a lot about why PKI has been slow to gain traction. Of all the gobbledygook in information technology, this mangling of the term "certificate" is among the worst!



*Personal Endorsement Number, if you must know


3. PKI has developed a reputation for being brilliant but too complex for practical deployment.



Now wait. Every time you go to a secure web page, you know, with the little lock icon and address that starts with https://, you are using PKI.
You don't need to understand exponentiation in modular arithmetic to do your online banking. This undeployability stuff is nonsense.

The good news is that your browser and email program and other software are set up to use PKI.
The not so good news. The QEI community is stepping forward to guide you through the gotchas, particularly when it comes to establishing and using your own identity certificate. We don't care how obtuse your software is, we'll get you signing and encrypting.



We tear our hair out so you don't have to...


But there's another reason why PKI has gained this undeserved reputation for complexity.

PKI is not particularly complex.

It's just bigger than technology.

PKI has always been the province of technologists. To a technologist, the important Certification Authority component of PKI is a piece of technology.

But if you're to do something more complex than build a tunnel between two computers whose owners have a business relationship with each other, then real public authority is called for. The Certification Authority is, first and foremost, a facility where duly constituted public authority is applied to documents and procedures. It's much like the vital records department in city hall.
Technology experts consider PKI to be complex because this central element, the establishment and management of duly constituted public authority, is outside their expertise.


4. Reliable identities of users, necessary for effective PKI, have been scarce

After spending millions of dollars on network security, corporations still have major security problems.
Meanwhile, your ATM card allows your bank to dispense cash with confidence from a machine on a city sidewalk.

The technology used by your ATM card is more ancient than the floppy disk.
So why are bank ATM networks generally secure, while corporate information networks, in spite of continuous investment in the latest security technology, are barely able to keep ahead of intruders?
The difference is not about technology. The difference is about assumptions and architecture.

Your bank's ATM network starts with the premise that knowing who you are is the foundation of security.
If a trusted co-worker asked you to share your ATM card and associated PIN, what would you say? Of course, they would never ask in the first place. If that co-worker asked you for your network password, what would you say? In many companies, collaborative work gets done by sharing access credentials, in spite of rules against it.
Identity is the foundation of Security. QEI makes information resources secure -- and manageable:
1. through establishment of measurably reliable identities and
2. by designing and building online spaces upon a foundation of reliable identity, ATM, and Indoor standards and practices.
Bank ATM cards and networks have in fact developed some technology-based problems lately. Click here to learn how PKI is solving those problems in some countries.

QEI includes detailed procedures for enrolling individuals either face-to-face or online. The resulting credential is accompanied by a record showing its reliability, without disclosing any personal information.
The credential takes the form of a digital identity certificate, which is very much like the site certificates that secure sites whose address starts with https://. The certificate may be kept in the user's computer or, preferably, in a smart card, USB token, phone, watch, ring, or other device that is separate from the computer.
Most importantly, the credential is designed to be used to establish identity anywhere, including places where it gives access to the user's money, reputation, relationships and other assets. For the employer, healthcare provider, bank or other relying party, that means it will be well protected by its owner.


5. Attempts at reliable PKI identity have not adequately protected users' privacy.

Once you've created an identity credential that you can use anywhere, how do you keep nosy organizations from tracking everything you've done with it?
Some say we've already lost that battle, that everything we do is tracked by a few powerful organizations, that in fact personal privacy is gone forever.
Indeed, universal identity done wrong is a threat to personal privacy.
But there is a very important other side of that coin:

Done right, universal identity is a fortress of personal privacy, reversing the erosion of privacy we've seen in recent years.
QEI actually accomplishes that elusive goal, long sought by privacy activists, of putting people in real control of the disclosure and use of information about themselves.
We invite you to thoroughly examine QEI's Personal Information Ownership Infrastructure component to see what we mean.


6. PKI has conveyed authenticity without requiring a legitimate source of authenticity.

How do you convey authenticity without first establishing authenticity?
PKI has been the domain of technologists. If we regard PKI as a set of excellent construction materials (which it is) then those who created it are like materials scientists.
Putting well-engineered materials to work requires architects and building inspectors and others whose professional licenses are issued by public authority and whose actual identity is attested by a vital records department, an agency with duly constituted public authority.
QEI ensures that the word "authority" in the Certification Authority component of every PKI actually means something.


7. PKI deployments have tried to replace signatures of people with signatures of objects. That does not work.

It's true objects are much easier and less costly to manage than people. You tell an object what to do, it does it.
But PKI is an authenticity conveyance infrastructure. It's an accountability infrastructure.
Exactly how do you make an object accountable in any meaningful way?


8. PKI, when done right, works too well.

Our computers, operating systems, and application software have been designed to let their makers help themselves to information about you, your habits, your purchases... your life.
QEI puts information about you under your control. Nosy organizations can no longer help themselves to whatever they want to know about you. That doesn't make them happy, despite their proclamations about how much they care about your privacy.

QEI also calls for digital signatures everywhere, while keeping personal information about the signer private. That yields accountability while maintaining privacy -- and some organizations seem to be threatened by accountability. And so those organizations will tend to lose the ability to snoop, while being held accountable for their actions. No wonder they've been slow to embrace PKI.
Some information technology departments have their own reasons for avoiding PKI...

Organizations avoid PKI because it calls for new assumptions.

Imagine telling your receptionist, "Please determine the intentions of everyone who enters the building, and also determine whether they are good or bad people."
If you think that's an unreasonable request, and if you know how a building works, then you are better prepared to judge information security approaches than are the information security experts.
The current practice of information security is mostly about determining the intentions and character of the sender of a stream of bits.
Problem: in most cases that is impossible.

When it is possible, it's because the intruder lacks skills or funding. In other words, information security products tend to deter the least threatening attacks. That renders many information security efforts ineffective or even useless. They treat your information facilities as a commando outpost, rather than the online office facilities that they really are.

PKI, if done right, offers something better...

If you apply reliable identities, building codes, professional accountability and architecture to PKI, you can build a very secure and effective online office building where you can keep your confidential information and have your meeting in quiet confidence.
These
* are very old concepts; information technologists are not used to relying upon concepts from the 19th century.
* involve things that are way outside of what information technologists are used to judging and managing
* imply a complete departure from the examine-the-bit-streams approach to security. Complete departures can be seen as risky to careers.

The application of some very old concepts to PKI can make it solve big problems. If you're a stockholder in a company with an information technology department, you may want to show this message to the CEO.

Over the centuries we have learned a lot about how to make our homes secure and reliable.
Let's see how we can apply that knowledge to those online spaces where we spend more and more of our time - our information homes if you will...

Suppose your home had been built with secret passageways that you didn't know about. Suppose that every day, various intruders would enter through those secret passageways, open your file cabinets and place files in your folders. Sometimes they'd install devices in your rooms that would report back to them what you're up to.

That could never happen in your physical home, of course. City hall's building codes, building inspectors and occupancy permits would never permit such an obvious breach of the principle of quiet enjoyment in our homes.
But in that information home where you spend more and more of your time - your computer or phone - that's exactly the way it works. The little files are called "cookies." (Could they have chosen a friendlier, less alarming, sneakier word than "cookie"...?)

It's true, we often let trusted cleaners, child care people, neighbors caring for our pets and others enter our homes when we're not there.
It's also true that cookies and automatic software updates in our information homes can be helpful.

But what set of ordinances and rules govern the placing of cookies and nosy software in our
information homes?


And where do we find a city hall to make and enforce them?

And how would we know that those claiming to be trusted friends and service providers are who they say they are?

Take a look at the answers to these other questions in the World Trust Signatories Association.

