It really is as simple as that.

What is described here is the blueprint for the totally traceable database state.

http://lmgtfy.com/?q=zero+knowledge+systems

http://lmgtfy.com/?q=USB+sniffer

I’d better ask Peter at IBM whether they feel these issues are sufficiently taken on board in what they’re showing.

So how exactly can thisbe secure against all the existing hardware and software, which can already snoop, sniff, capture and probably replay, any of the data traffic on a shared Universal Serial Bus ? This has no inherent security at all, neither under Windows, nor under any other operating system.

Try a web search engine query for “USB sniffer”:

http://www.google.co.uk/search?q=USB+sniffer

i am not techy but still saw red lights going off everywhere … “this saves time. And it works online.” mmmm until someone cracks it or steals my details (or the details of someone who is stupid enough [or
hasnt got a good enough memory] and jots these pins down – or someone forces someone to reveal their pins. and then they clean you out,
transferring your money instantly to wherever with their new accounts and new companies (are the cayman islands into this yet??)

Software, drivers, windows compatibility with old/new releases ?

For pin -> code sequence its easy. PoS systems fake a HID device so need no particular support (its an extra “keyboard”)

Its interestingly old hat from the tech side – except for certs not just identifiers – so combining crypto stuff and ‘secure’ reader stuff

Obvious question:

If I can use the card to release auth permissions between people why can’t I just keep my personal data on a card, as I want, which bits I want and why do we need an identity register involved. Secondly on some diddly second device screen how will they provide as good enough UI to allow the user to really understand what is being authorised and to whom. If the explanations are on the main PC screen they are insecure.

Related problem unless they are very careful – I provide a cert to a web site that looks like say the DoT for a driving licence update. But a) how
do I know it is the DoT, and b) how do I know either the cert auth or request are not being tampered with if my PC was trojanned ?

For general purposes you can also extract certs from people trivially so they need to be carefully designed – otherwise every muppet will happily provide “proof of age” to random porn sites.

I place some malware on your machine, it asks whether you would like a free entry into the national lottery and asks for your PIN (to ensure you don’t cheat and enter twice).

I have now set up a bank account in your name… which I can use for money laundering, or just persuade your employer to pay in your salary to that account at the end of the month.

Next you set up a company the same way…

People are always setting up companies, making it simpler than a phone
call to your accountant will clearly make all the difference to the British economy going forward. (not!!)

Good grief, can they think of no better examples ?

Third, you set up a company bank account…

It’s not changing the lives of ordinary folk is it — and they’re the people paying for all the back end infrastructure!

… this saves time. And it works online.

Why is that a benefit?

I think I know why some people think it’s a benefit.

Take a look at my use case, http://dematerialisedid.com/Evidence/Verification.html. You will notice two differences compared with the IBM use case.

1. There is an emphasis on checking for revocation which is not mentioned in your brief description of the IBM use case.

2. There are people in it.

I think a lot of people are looking for secure services that don’t involve people, just authenticated book entries made on the basis of telecommunications.

IPS are trying to turn government into nothing more than a massive computer game.

And you know what, with games – they’re not real. Take the people out of the equation and the NIR and the Companies House records will instantly become detached from reality.

That is not a benefit.

… instantly, you have a bank account. Simple as that.

I reckon you’ve got a bank account when you can pay money into it and out of it.

… and you have a company, simple as that.

Does this company have the right memorandum and articles of association? Has it been correctly classified by Companies House? Is there a Minute of the Board’s Resolution to set up a bank account?

I didnt time the demos but the whole thing took maybe five minutes.

You still don’t have a personal bank account or a company bank account or a company, several days after the demonstration.

I can ring my man in the City Rd and order a company over the telephone and pay for it with a credit card in roughly a quarter of an hour and the paperwork all turns up next day in the post.

Where’s the benefit of involving the National Identity Register (NIR)?

Millions of us ran sceaming out of the house to open bank accounts all over the place to try desperately to keep our balances under the government guarantee limit. It wasn’t difficult. It didn’t nee the NIR.

Where’s the benefit of involving the NIR?

The bank takes a whole set of details from the NIR.

How? How does the bank get these details from the NIR? Via the Government Gateway? http://www.theregister.co.uk/2009/09/02/uk_eu_data_menace/

Do we want banks to be able to download data from the NIR?