I'm frankly surprised and a little disappointed to see a screen capture where the profile registration requires that level of real-world information: full name, birthday, and SSN#/Passport#/Driver's License#??
I
hope that the
only way in which that information is used is as a basis to generate the public/private key pair tied to an identity? And if that is the case, why should the keys necessarily be generated from information which is itself mediated by any nationality? Furthermore, why is the required information given with a bias to the nationality of the United States?
Keyhotee will, I hope and believe, be part of a
global information/currency freedom (and security) revolution. I therefore strongly suggest that the information used to create any identity be abstract enough to thoroughly disintermediate the generation of an ID from anything necessarily having to do with any one nationality.
I suggest changing the ID creation mnemonics to three "security questions," and providing a very long list of rather obscure questions which only someone who is not any kind of, uh . . . Superior Sibling . . .
would know. I also suggest that the name and birthday fields be optional, and that they be labeled "full name OR alias" and "obscure identifying number" (with a suggestion that SSNs, etc. are
not obscure enough.)
It should also offer a link to very specific suggested steps for absolutely securing the information provided to generate the ID (e.g. three different digital and three different paper backups, all secured at different physical locations where you can trust them to be absolutely safe), and it should very pointedly demand that this be the case
before it will allow the ID to be created. For the paper backups, that should be printouts of the information tied to the id, sent in nondescript envelopes, to three different people or locations (in sufficiently diverse areas of the planet) whom you trust with your life.
(Hint: an internet search for "excellent security questions" offers some really good leads)
I'm also a bit alarmed by the push here in some comments to tie a service which is disintermediated
by design into integration with other,
mediated services, for "security??"
A good spy can tell you that if any important information of yours is controlled by a third party (in particular companies or organizations), it is not a matter of
whether any adversary can cheat or extort to acquire that information, but
how motivated and resourceful they are.
If
any third party has access to any useful information about you, you should consider that information--and all information which is routed through that party--potentially public, period.
So, at the very least, if this aspect of the design of ID creation goes unchanged, I personally would recommend that anyone creating an ID provide harmlessly false instead of true information, if you want your Keyhotee ID
absolutely secured.
Topic: Screen Shot (Read 17942 times)
