A strong identification system presupposes a strong notion of identity. The Internet, though, is multilayered; identity is different at each layer. My computer has three different MAC addresses and several IP addresses, including many IP addresses and logins for different instant message systems. If I switch computers, locations, or employers, several of these would change. Am I no longer myself? Sophistry, some would say; those could all be temporarily bound to my "real" identity. In that case, we already have pretty strong identification, in the combination of time stamp, IP address, and log files. Most online misbehavior comes from hacked machines; in turn, these machines have been hacked because of buggy code. Strong authentication is useful in many circumstances, but the bad guys don't have to go through the authentication system; they simply go around it. A strongly encrypted, strongly authenticated connection between a hacked machine and another target still lets the bad guys in, whereas identification does nothing but mislead the good guys. In other words, identification will be useful only when we don't need it because we've solved the computer security problem.