[OLPC Security] Periodic identity updates

Karl O. Pinc kop at meme.com
Sun Feb 18 16:18:50 EST 2007


On 02/18/2007 11:59:34 AM, Simson Garfinkel wrote:
> On Feb 18, 2007, at 12:04 PM, Bryan Berry wrote:
<snip>
>> This technically
>> trivial solution could
>> seriously dampen the resale market for XO's.
<snip>
> How would your proposal dampen the resale market of the XOs to a  
> greater extent than the current system?

Hello,

A thought jumped out at me when I read the Bitfrost spec
last week.  I think it might reduce the resale market
on both the supply and demand end.

The concept is to annually update the child's identity;
the identity established in Bitfrost section 4.

The annual identity update would consist of taking
a new picture, reducing any old pictures to thumbnails
(or slightly larger than thumbnails), and re-signing the
thumbnails and the new picture with the
original identity.  This would produce a new identity.
The new identity need not be transmitted to the central
authority but can itself be authenticated
using the original identity.  The new identity could
be transmitted to the local OLPC server.  It probably
should be for backup purposes and to make it easy to
authenticate.

Annual picture updates can be enforced by a policy
similar to the P_THEFT expiration policy. This proposed
P_ANNUAL_IDENTITY policy could be disabled by the
local authority, the manager of the local OLPC
server for instance, if the child is, for instance,
to transfer to another school.  As part of
the initial boot process (Bitfrost section 4)
the lifetime of the P_ANNUAL_IDENTITY policy could
be set to allow for an automatic expiration
at the time the child is due to graduate from the
issuing school for instance.  The "lifetime" of
the P_ANNUAL_IDENTITY could also be reset at the
time of annual identity update/P_ANNUAL_IDENTITY
lease renewal should a child be held back, skip
a grade, etc.

The motivation for the new identity is twofold.  First,
even over the expected 5 year lifespan of a XO a child's
appearance can change significantly.  Having a recent
picture associated with the laptop will help in the
recognition of laptops that are not in the possession
of their assigned owner.  This can be augmented
by ensuring that the "current identity" is, by
default, ubiquitous in common situations or situations,
like the beginning of the school year,
when an authority is present and the child's identity
itself is validated.  The following
events come to mind as good times to display the
thumbnails and current picture that are the visual
components of the "annual identity": On annual
identity lease renewal.  On boot.
On wake-up from sleep.  As something that appears
when a recipient validates the source of an
email.  In this respect I'm sure that the use
of the "annual identity" is no different from that
presumed by the current Bitfrost spec.

The thumbnails provide a check against transfer
of the laptop to a new child.  It should usually
be clear that the child pictured in the thumbnail
of the original activation is not, for example,
the same child as pictured in the thumbnail of
the subsequent annual update.  The larger pictures associated
with each "annual identity" could be retained
on either the laptop or the local OLPC server
for further validation if required.

The second motivation is that children generally
like the idea of growing up.  To have an annual
identity with the child's current picture allows
the child to project an up-to-date self-image to
the world.  This enhances the desirability of
the XO laptop and, together with disablement
of the XO upon violation of P_ANNUAL_IDENTITY,
should reduce an XO's resale value.

That's the rough idea.  The notion of identity
becomes "indirect", the "annual identity" being
something that itself has to be authenticated.
I'd hope there'd be enough storage on the XO to
store 5 years of annual identity -- I proposed
thumbnails be used because of storage and bandwidth
concerns.  Another obvious question is whether the XO has
enough computing power to be able to both authenticate
something signed by the "annual identity" and authenticate
the "annual identity" itself.  The power required to
authenticate doubles, but in most cases the time required
probably need not double because authentication of the
identity itself might be able to happen in the background.
Caching and so forth could also make life easier, for instance
caching of an already authenticated "annual identity"
belonging to a frequent email correspondent, etc.

Another question worth exploring is whether an annual
identity renewal is worth the effort, given that
a child can always request a developer key, disable
all security policies, and sell the XO.  My only thought
on this question is that even if a P_ANNUAL_IDENTITY policy
may not be worthwhile from an anti-theft perspective,
I do believe that an annual update of a child's digital
picture is very worthwhile from a psychological perspective
because of the strong association between a child's physical image
and her internalized self image.

Maybe "current identity" would be better than "annual identity"
as a name.

I apologize for not having thoroughly thought out
this notion, but I've already sat on it for a week
and figure that it's developed enough for comment.
I apologize also for not being rigorous in my
cryptographic terminology; I'm afraid my brain
is currently devoted to other matters.  I hope that the idea is
clear enough for discussion regardless.  If there
are any questions I will try to respond.

Regards,

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
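The "indirect" identity chain and lease check sketched in the message above, as an added illustration (not Karl's code and not part of Bitfrost): the renewed record carries the new picture, thumbnails of the earlier ones and a fresh signing key, is signed with the original activation key, and a message is accepted only after the record itself authenticates and its P_ANNUAL_IDENTITY lease is still valid. Ed25519, the struct and function names, and the use of SHA-256 hashes in place of image data are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// AnnualIdentity is one renewed identity (names are this example's own, not
// Bitfrost's). Pictures are represented by SHA-256 hashes, not image data.
type AnnualIdentity struct {
	Year     int
	Photo    [32]byte          // hash of the new full-size picture
	Thumbs   [][32]byte        // hashes of the thumbnails of all earlier pictures
	LeaseEnd time.Time         // P_ANNUAL_IDENTITY lease expiry
	PubKey   ed25519.PublicKey // key that signs on behalf of this identity
	Sig      []byte            // signature over the fields above by the ORIGINAL key
}

// payload serializes the signed fields in a fixed order.
func (a *AnnualIdentity) payload() []byte {
	return []byte(fmt.Sprintf("%d|%x|%x|%d|%x", a.Year, a.Photo, a.Thumbs, a.LeaseEnd.Unix(), a.PubKey))
}

// Renew issues the next annual identity: a new picture, thumbnails of every earlier
// picture (prior hashes stand in for thumbnails here), and a fresh signing key, all
// signed with the original activation key so the record can be authenticated later.
func Renew(origPriv ed25519.PrivateKey, year int, photo []byte, prev *AnnualIdentity, leaseEnd time.Time) (*AnnualIdentity, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := &AnnualIdentity{Year: year, Photo: sha256.Sum256(photo), LeaseEnd: leaseEnd, PubKey: pub}
	if prev != nil {
		id.Thumbs = append(append([][32]byte{}, prev.Thumbs...), prev.Photo)
	}
	id.Sig = ed25519.Sign(origPriv, id.payload())
	return id, priv
}

// VerifyMessage authenticates msg indirectly: the annual identity against the
// original key and its lease first, then msg against the annual identity's key.
func VerifyMessage(origPub ed25519.PublicKey, id *AnnualIdentity, now time.Time, msg, sig []byte) bool {
	if !ed25519.Verify(origPub, id.payload(), id.Sig) {
		return false // not issued by the original identity
	}
	if now.After(id.LeaseEnd) {
		return false // renewal overdue: P_ANNUAL_IDENTITY lease expired
	}
	return ed25519.Verify(id.PubKey, msg, sig)
}
```

Verifying the annual record once and caching the result, as the message suggests for frequent correspondents, would skip the first ed25519.Verify on later messages.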