Deep security needs top-level thought

Net security relies on a haphazard mix of patches, regulation and conflicting interests. This is no recipe for success
Written by Leader, Contributor

The Internet is inherently insecure. Take DNS, the Domain Name Service, which silently and invisibly directs traffic across the Net. To the user, this might as well not exist — type in a URL and there's the Web site. Yet behind the scenes, many different entities collaborate in deciding where the request should be routed and each may be compromised. Think how many ways a postal system can be tampered with between postbox and delivery van, and multiply by ten.

If you can't trust the post, you and your correspondents must be able to mutually verify that messages are from who they say they are. It's an age-old problem — witness the melting down of the Fisherman's Ring on the death of the Pope, a way of preventing abuse of medieval trusted signature technology. That's on top of being able to decide who to trust in the first place, how to keep information secure from those whom you don't wish to trust, and how best to manage access for those whom you do.

It is impossible to treat all these issues in isolation. Partial solutions such as Microsoft's moribund Passport scheme fail because they ignore the other components: Microsoft, neither your commercial partners nor your users trust you that much.

Slowly, the strands are coming together. PAOGA proposes centralised, independent and verifiable personal information storage. The Jericho Forum, an industry body looking at the future of corporate online security, has a compelling argument for an open, integrated, trust-based approach that could ultimately extend to personal use for independent users. Yet at no level, national or international, is a qualified and competent body considering the full range of regulatory and technical issues as a whole.

The free societies of the world are rightfully reluctant to regulate the Internet. Yet there need be no conflict between the essential Net freedoms of open development and use, and the ability to incorporate strong and trustworthy security mechanisms. Quite the opposite — in the absence of good regulation, we end up with questionable concentrations of power in the hands of commercial entities such as Verisign.

These are urgent matters for discussion, and we no longer have the luxury to wait and see what happens next. We need to see Internet security in its full context, as an essential requirement that affects all countries and all people, and one that needs the highest levels of openness and disinterested regulation. Without that, our problems will only multiply.
