MAC addresses are not without authority delegation. The IEEE is the ultimate
authority in said case.
Any solution which requires uniqueness also requires a singular ultimate
authority.
Date: Wed, 17 Sep 2003 18:39:27 -0400 (EDT)
From: bdragon@...
> Any solution which requires uniqueness also requires a singular
> ultimate authority.
Or cooperation between multiple authorities. Of course, how
realistic is that?
Eddy
> > If the goal were unique identification, MAC addresses would do just fine.
> > No need for DNS.
> MAC addresses are not without authority delegation. The IEEE is the ultimate
> authority in said case.
Yep... But have you seen any controversy about who gets which block of MAC
addresses recently? They're not scarce, and every block is just as good
as any other block.
> Any solution which requires uniqueness also requires a singular ultimate
> authority.
Not really. You can just take random numbers. If you have enough bits
(and a good RNG) the probability of collision would be less than
probability of an asteroid wiping the life on Earth in the next year.
There's no reason to use allocated MAC addresses, too; picking them
randomly on power-up is actually better from the privacy point of view...
however, an EEPROM and programming it at manufacture time seems to be about
1 cent less expensive than a built-in hardware RNG.
--vadim
> > Any solution which requires uniqueness also requires a singular ultimate
> > authority.
> Not really. You can just take random numbers. If you have enough bits
> (and a good RNG) the probability of collision would be less than
> probability of an asteroid wiping the life on Earth in the next year.
That doesn't help in this case. You need a way to verify ownership of an
identifier. I don't want anyone else to be able to claim my identifier.
Perhaps we can devise a scheme where I generate a random number and morph
it into a 'private key'. Then I pass it through some algorithm to generate
a 'public key' which is the identifier that I use. I then use the private
key to prove my ownership of the public key. Nobody else can claim my public
key because they don't know the corresponding private key.
In fact, you could just use an RSA public key as the identifier directly.
This is likely not the best algorithm, but it's certainly an existence proof
that such algorithms can be devised without difficulty.
In fact, I'm going to call my patent attorney instead of sending this
email.
DS
Even MACs aren't entirely unique. Some places used to assign MAC
addresses like they assigned IP addresses and the NIC had to be
reconfigured for the assigned MAC. An admin was freely able to assign a
MAC to Joe Blow using a 3Com or Cisco OUI without fear of retribution. I
personally have never seen any use in such a thing but obviously someone
did.
Justin
Too late. The details can be found in my final report for the US Army SBIR
program for developing "Security for Open Architecture Web-Centric
Systems".
--vadim
Why not IPv6 addresses? Some designated prefix? There are enough addresses
in 2^128 that we can all be happy...
> That doesn't help in this case. You need a way to verify ownership of an
> identifier. I don't want anyone else to be able to claim my identifier.
> Perhaps we can devise a scheme where I generate a random number and morph
> it into a 'private key'. Then I pass it through some algorithm to generate
> a 'public key' which is the identifier that I use. I then use the private
> key to prove my ownership of the public key. Nobody else can claim my public
> key because they don't know the corresponding private key.
> In fact, you could just use an RSA public key as the identifier directly.
> This is likely not the best algorithm, but it's certainly an existence proof
> that such algorithms can be devised without difficulty.
> In fact, I'm going to call my patent attorney instead of sending this
> email.
Heh, you mean like the nym based security that djb mentions at
http://cr.yp.to/djbdns/forgery.html
I've also seen several other proposals for the same thing. Most of them
revolve around making a hash of the public key and using it as part of
the domain name.
Just so that I don't have to worry about somebody patenting any of these
variations a year or more in the future, here is a public disclosure:
A method for authentication where a public key is converted to a
representation usable by a DNS server and used as a domain name.
Conversion includes, but is not limited to, hashing, checksumming,
compressing, encoding, enciphering, translating to hex, binary, octal, or
other symbol system, or any other representation that may be returned by a
DNS server.
For the purposes of the following example the client is a device that
wishes to look up a record in DNS that allows it to communicate with a
server. A server is a device that communicates with clients.
The conversion may be loss-less or lossy.
If the conversion is loss-less then the conversion is reversed by the
client in order to determine the public key.
If the conversion is lossy then the complete public key is communicated to
the client by the server and is compared to the lossy representation used
for DNS by performing the same conversion. If the comparison fails the
authentication fails.
Mike.
+----------------- H U R R I C A N E - E L E C T R I C -----------------+
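Added example (not part of the original thread, and not any poster's code): a sketch of the lossy and lossless conversions described in the disclosure above, treating the public key as opaque bytes. The choice of SHA-256 and base32, the example.net zone, the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # longest domain name in dotted text form
ZONE = "example.net"  # hypothetical zone, reserved for documentation
# Constructed stand-in for a 32-byte public key (not a real key).
SAMPLE_KEY = hashlib.sha256(b"constructed sample key").digest()

def b32(data: bytes) -> str:
    """Base32 without padding: letters and digits only, safe under DNS case folding."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()

def lossy_name(pubkey: bytes, zone: str = ZONE) -> str:
    """Lossy conversion: SHA-256 of the key as a single 52-character label."""
    return f"{b32(hashlib.sha256(pubkey).digest())}.{zone.lower()}"

def verify_lossy(name: str, presented_key: bytes, zone: str = ZONE) -> bool:
    """Client check: redo the conversion on the key the server sent and compare."""
    return lossy_name(presented_key, zone) == name.lower().rstrip(".")

def lossless_name(pubkey: bytes, zone: str = ZONE) -> str:
    """Lossless conversion: the whole key, split into labels of at most 63 chars."""
    text = b32(pubkey)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [zone.lower()])
    if len(name) > MAX_NAME:
        raise ValueError("key too large for a lossless name; use the lossy form")
    return name

def recover_key(name: str, zone: str = ZONE) -> bytes:
    """Client side of the lossless case: reverse the conversion to get the key."""
    name, suffix = name.lower().rstrip("."), "." + zone.lower()
    if not name.endswith(suffix):
        raise ValueError("name is not under the expected zone")
    text = name[:-len(suffix)].replace(".", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

if __name__ == "__main__":
    name = lossy_name(SAMPLE_KEY)
    print(name, verify_lossy(name, SAMPLE_KEY), verify_lossy(name, b"other key"))
    print(recover_key(lossless_name(SAMPLE_KEY)) == SAMPLE_KEY)
```

A matching name only shows that the presented key is the one the name commits to; the server still has to prove it holds the corresponding private key, as the quoted message describes. A key the size of an RSA public key does not fit the lossless form, which is why `lossless_name` raises for it.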