You're kidding. No, I'm not trading my own posse stickers for a speaker badge. I can get those anytime I want. Dude, I gave this away at Hacker Jeopardy last night. I... No, I don't want her underwear. No, I mean, the Vinyl Vanna is crashed out in my room right now. I've got plenty of underwear to pick from. All right, if you're still in this track for the next talk, I still have a couple more badges, so you can warn people if they have a cool schwaggy giveaway to trade for a speaker badge. That'd be cool.

And now it's my somewhat distinct pleasure to introduce Seth Hardy. Somewhat distinct pleasure because every year... I figure I'll just get this taken care of now, because I have other crap to do right now... is that every year at con when he speaks here, I stand in the back of the audience and yell, "Shardy is full of shit." So now I'm up here and saying that right before he's about to talk. So, Seth Hardy, everybody.

I guess Nick already introduced me. So the title of my talk is "Your Name, Your Shoe Size, Your Identity: What Do We Trust in This Web?" I guess I'll just go right in and start. I'll start with "Who am I?", now that Nick has already said I'm full of shit. That is... it's true. Just you wait, you'll see.

So who am I? And this is actually relevant for what I'll be discussing. The name on my birth certificate is Seth Hardy. I believe it's actually capitalized on my birth certificate. I'm just kind of lazy. Online I use the handle shardy. This is relevant. You will see why. Maybe you just don't give a shit about who I am. You're just here to see my talk because you have seen that I've given talks before. Maybe you don't care who I am at all and you just think all the talks here are cool. But I've done this sort of stuff before, and I guess that's why I'm up here again. Again, this is relevant for the talk. I'm not just full of shit yet. So I'm Seth, nice to meet you all. I probably won't remember all of your names, but we'll try. No.

So why am I giving this talk?
Other than the long, long backstory to it, I'll sum it up pretty quickly. It all started two years ago: the key signing party at The Fifth HOPE. Yeah, it was a bit of a mess. And then the key signing party here was even better, and by better I mean non-existent. There was booze. Me, I did... Nobody took them, because people had either already signed them or didn't want them. But is there anybody here who was at the DEF CON 12 key signing party? Any of the three other people who were there? Okay, so we have one out of three. Yeah, there was booze, but not so much key signing. And then I was part of the key signing parties at 21C3 and then 22C3, and all sorts of fun stuff happened there, like people's keys getting signed when they didn't even show. Very, very bad things. So it really prompted me to rant, and by rant I mean talk in front of an audience about proper digital identity management, and that is what I will be discussing today.

So, background. Who here uses PGP or GPG or anything like that? That's a whole lot of people. That's excellent. Who here is familiar with the web of trust? Okay, who here is not familiar with the web of trust? All right, we got a couple people, and I know that some of them are lying.
So I'll give you the short, short version. The whole point of the web of trust is to do identity verification and trusting people when you haven't necessarily met them before. So it's all about: you say that you trust a friend, and you trust that friend's judgment to introduce you to new people. So even if you've never met that friend of a friend before, you still have a reasonable belief that they are who they claim to be. It's just trust extension, so that you don't need to meet everybody yourself before talking to them, because it's very infeasible.

So here's a diagram of a sample web of trust going from my key to other people's keys. The first step removed from my key are keys that I've signed and personally verified. After that are keys that I trust because I trust the people I know as introducers. That's all there is to the web of trust. It's conceptually very simple. It might be hard to explain in computer or digital identity terms, but it's something that everybody here does every day, if you have friends. I can't guarantee that everybody here has friends, but if you do, you do this all the time. He was just in the dunk tank.

So here's an example web of trust. Short, short version. I don't know where this is from. I just pulled an image off the web, and this is somebody's web of trust.

So I'm not here to discuss what the web of trust is, just the aspects of doing identity verification and management. So I'm going to start with signing practices, and you will see very quickly where this is going, and you may or may not like it, but it might be funny.

So here, the standard practices: what you have to do are two things. The first is you have to verify that the key is accurate, and what that generally means is you check the fingerprint over a secure channel. So you want to make sure that the key material
actually belongs to the key that you think it's supposed to. So if somebody is handing you a key, then you want to make sure that the key data that you get matches up with the key data that they're giving you. If it's physically handed to you, that's easy. If it's over the internet, man-in-the-middle attacks make that more problematic. So fingerprint verification means you don't have to verify the whole thing. You just have to verify a subset, and it works.

The second step is to verify that the key ownership is accurate, in terms of who does it belong to. So the general practice here is you check the name on the key against some sort of photo ID. So you ask to see a driver's license or passport, you look at the name on the key, and if they match up, then you can be reasonably sure that the key belongs to who the key claims to be owned by. And to verify the email address, the common practice is you email your signed key to the email address on the key, and if they then get it and manage to upload it to a key server, then it implies that they have access to read that email and it's actually theirs.

So, pretty simple, pretty straightforward. In practice, it's not nearly so easy. And here's one of the reasons why: what do we do about pseudonyms or handles? What do we do about organization keys? Who is security-officer@netbsd.org? Does anybody know? Does anybody know who this person or people are? Okay, well, they've got 24 people who've signed their key, and they have signed three other keys, and they're only three hops from my key by four different paths. And this key might belong to a team. It might belong to one person. It might belong to a few people over the lifetime of the key.
I have no way of knowing. There's no policy that I've been able to find that explains who is responsible for managing this key. But because it is one identity, it doesn't matter how many people are behind it; that one identity is collectively asserting statements about trust on other keys. And this is where the obvious problem comes in with digital identity management: you don't have a clear one-to-one correspondence between people, or a name or a face, and a key, and a lot of people treat it as such. And to enforce this one-to-one policy, people write these extensive signing policies on what keys they will sign and what keys they won't sign. And this is really a good thing, because then you always know what you're getting when you see their signature on a key. Even if it is completely detached from the framework of the PGP web of trust, you can still go back and reference it if you want to. So if you see a signature from somebody on a key and you have a signing policy, you know what sort of verification, for better or for worse, has been done on that identity. And there are all sorts of interesting key signing policies out there. I'll start with a few simple ones and then get to the one that I really have some issues with, and the reason for this rant.

So here's number one, the "don't make me call your parents" clause: "Please note that I require the proof of identity", something, "even for people I know personally." This is taken directly from somebody's key signing policy on their website. That's basically saying, even if I know you and I've grown up with you, if I don't see an ID of yours, I don't have reason to believe or to trust you when you say this is who I am. And this might make sense if you've never met the person before. But if it's your childhood best friend that you've known for 20 years, then is there really a point of checking photo ID?
Are there any liabilities that can come from enforcing this sort of policy? Probably not, but you're limiting what you can do, and it just doesn't really seem to make sense. Does anybody here check IDs of friends every time they run into them in person after it's been a few years, just to make sure they haven't changed their name? Anybody? Okay. So this is mostly here to illustrate how digital identity management is very, very different from real-world identity management, and it gets more fucked up than this, so keep going.

Yeah, so how do you protect your keys? Yeah, I see that most people in the audience here use PGP, but how do you all protect your keys? Does anybody have any fancy ways, or do you guys just keep it on your computer? Anybody? Nobody does anything fancy? Excellent. Well, they already do that for you, but... Anybody else? Okay, so you just keep an encrypted copy. Anybody else have any fancy ways of doing this? USB key and a safety bug. Is that just a backup in case of problems? What about the keys on your standard machine that you use on a day-to-day basis? Who here has their PGP secret key with them at this conference? Can I see hands? You're lying, guys. Come on, be honest. All right. Not again. Not again.
I do. I have my copy of my keys here. When somebody asks you how they keep track of your secret keys, it's... you're never gonna get a good answer out of it, because to use something you need to have it accessible, and the whole purpose of the system is to use it. So best-case scenario, a reasonable amount of security is great. But if somebody has this dream that people are having five layers of security and never touch their keys to keep it safe, then they're just deluding themselves into thinking that they are staying safer themselves by not associating with these people, and that's not true. And you will see more and more why as I keep going.

Does anybody here... like, have I offended anybody yet by pointing these out? Does anybody here subscribe to these policies? If so, like, just stand and start yelling at me. Nobody? Okay.

Another signing policy is the non-separation of user IDs. User IDs are there for human convenience, just so you can associate a key with a person, and some people have this policy that if one of the user IDs doesn't work, they don't trust you. So if your email is down for a day, they don't trust you. If an email bounces because your service provider's disk is full, then they don't know if they can talk to you encrypted, because you're a very sketchy motherfucker all of a sudden. I don't know why, but they demand a satisfactory explanation, and that is completely subjective. How do you satisfy somebody that wants to find fault? It doesn't work, and it just breaks the web of trust, because then you don't build trust networks, and you get these people who are security professionals not really connected to anything.

But here's the best one: nobody challenges photo ID. Does anybody here not require photo ID when signing a key? Please be honest. Okay, some people. Can I see a show of hands for people who do require photo ID for signing keys? Oh. Almost everybody in the room raised their hands when they said that they use PGP, so work with me here. Come on. No? Okay.
Well, photo ID is the thing that I'm really going to get into, and this will all make sense. Would you take this as a photo ID? Not for me in general; like, if the person looked like that and his name was actually First Middle Last Name. I'm from the state of Massachusetts, and my ID does not look like that. It's a few years old. It looks similar, but pretty different. And if you're using a blue book or some other... I got this picture off of the Massachusetts government's website, that they say this is what a Mass state ID looks like. So if you're using that as a reference for verifying photo ID, you would probably not take my photo ID, even though it is perfectly valid and it's real, but it doesn't look like this. So this one's all right though. So far so good.

How about this one? Would anybody here take this photo ID? Is this guy here or something? Like, I just grabbed this off the web because he scanned everything in his wallet and put it online. I don't know why you would do that, but this guy did. I guess he hates freedom or something. Supposedly his. But what... would anybody here not take this ID if this guy was trying to get you to sign his key? One, one point three. All right. Well, let's keep going.

How about this one? Would anybody accept this one? I mean, if the face wasn't blurred out. Anybody? Come on. Would you take it or no? Yes? Yeah? No? Why not?

How about this one? There was actually a problem with this recently. This ex-NYPD guy was going to a DOD building, I think it was, and he had to show ID, and even though it specifically said do not take the matricula consular cards from Mexico, he brought a fake one, I guess, and used it, and they granted him admission into the building, and then it made the news. It was pretty big. And their excuse was, "You were already on the guest list." But it is a requirement of entry to show a valid ID, and this guy got into a DOD building, I think it was, with one of these. So maybe you see where I'm starting to go here.
What about this one? No? Why not? Yes, too easy to forge. Okay. What about older state driver's licenses that are made with the same technology? No, too easy to forge. Okay. Okay, so the point being brought up here is at some point IDs become too easy to forge. Yes, you got it for $27? 27 American dollars.

So if you've seen this one before, please do not say anything. I've got a t-shirt here. And let's not look at the expiration date on this ID and pretend that doesn't matter, which it really doesn't. But the first person that can tell me what's wrong with this ID will get a t-shirt. Sorry? Okay, yes. So her last name is Lane, not Ellen period Lane. I found this ID when I searched for "fake ID" on Google Images, and it was one of... it was a blog of hers, this Sarah Lane. I don't know who she is, but she was writing on her blog about how she just turned 21, and this ID was great because it let her drink for about three years and nobody caught the glaring error on it, or at least nobody said that they cared. So this is actually what a South Carolina driver license at that time looked like. I guess it looks good. It was accepted a lot of places, and it had a very glaring error on it, and yet nobody challenged it. I don't know, maybe I should track her down and ask her. Or at least tell her that her picture's all over the internets now.

So does anybody here know who this is? Because here's her ID. Ignore the rotten.com URL on it. But here's her ID. Her name is Barbara Pierce. She lives at 160 Madison Avenue in Baltimore. But for some reason, doesn't she look kind of familiar? Does anybody know who this is? Anybody? What's her name? Why does she look familiar?
Well, that's her father, and that is her fake ID that she was busted with a while back. I don't know if it's just a bad-looking ID or the Secret Service guys gave it away, but she was going around underage drinking, and this is, I guess, what a Maryland license looks like. I have no idea. Does anybody here know what a Maryland state license looks like? Does it look like that? Yes? Okay.

So maybe you're starting to see what I'm getting at here, and that's really: reliance on photo ID just seems kind of silly. So I don't know what a driver's license from South Africa looks like. I don't know if you need a driver's license in South Africa. I'm guessing you do, but I don't know. And if somebody insists on showing photo ID, and then they, you know, just show me a piece of plastic with a photo and a signature on it, that may or may not work. It may or may not look anything like the real ID, but I wouldn't know. And a lot of people say you can't fake IDs easily. But on the other hand, you don't need to fake the ID in many cases. You just need to fool somebody into accepting a piece of plastic with a photo and a signature on it, even if the ID does look real or like what it's supposed to look like.

How many people here... Does anybody here work as a club bouncer? Yes? Has it been difficult to spot fake IDs that are high quality? I wouldn't know how to do it. Yeah, like, if it looks like the real thing, are there secret tricks to identifying, like, how plastic peels, or if you hold it up to the light and bend it, it melts in a certain way? I don't know these tricks, and the bouncer friends of mine that I have just say they just smile and nod and hand it back.
So... Yeah, if she's cute, it's real. You know. Ultraviolet, okay. Yeah, yeah, the blue book, but I've heard that it only shows current forms of ID. I had a friend who was from Maine, and his license was a piece of paper with a photo stuck on it crooked, and it was laminated using a cheap lamination machine, and the text on it was in typewriter. Nobody would accept it anyways, because it was the fakest thing they ever saw. Except it was real; it was just from like 10 years ago, from Maine. So the blue book works, but it's not perfect, and it blocks a lot of people that may have real IDs.

So it leads to the question: how does a photo ID prove somebody's identity? You're not proving anything with a photo ID. You're just showing that they've convinced the government, or somebody who sells fake IDs, that this is their name. It is not proof of identity. It is implying that the identity is correct, but it's not proof, and a lot of people rely on it as proof, and they shouldn't.

Twice? What? Shot, shot, and my laptop is now not working. All right, which one of you assholes is fucking with me? No, really, who's...

So what happens if somebody refuses to show an ID?
And this is what happened at the key signing party here at DEF CON two years ago. There were two people out of the four people who didn't identify by their real names. They both were speakers at many conferences before, so I identified them by handle on sight. I already had an idea in my head, the face-to-handle binding. But to some people that's not good enough. And having an ID helps, but comparing it to social networking and reputation capital, it just seems kind of silly that you're arbitrarily picking one system for identity verification and choosing to completely ignore another. Reputation capital systems are actually very interesting, and a lot of people are working on them, and it just seems kind of silly.

Well, how many people here, and I know you're not going to want to admit this, but please be honest, how many people here have a MySpace page? You people are losers. I mean, every time you work on a system like that, every time you add somebody to your friends list, every time you do something like that... LiveJournal, yeah. You're doing identity verification to a certain degree, and you're operating on the system of reputation capital, and a lot of times you're not using real names, and you're certainly not checking photo ID before you add somebody to your LiveJournal. Why does it matter? If you're doing it from a crypto sense, yes, you need to be more careful. But why are you cutting out this entire system of identity verification arbitrarily? And specifically in the hacker scene, where a lot of people go by handles, it seems weird that people will not accept the handle of somebody who has been up in front of, you know, how many people are in the room right now?
This many people, on a number of occasions, year to year; they're going by the same name every year. It just seems kind of silly that some people will be like, "Oh, well, I don't know what your middle name that your parents gave you is, so I'm not going to sign your key," even though it's not on your key. It has nothing to do with your key.

And as we all know, verifying a handle is impossible. Does anybody know who this guy is? Okay, I've heard both Dark Tangent and Jeff Moss. Which is it? Yes? Does anybody say one or the other? Everybody says both. Depends on the context, okay. Okay, so it depends on the context, and that's really the right answer. It is one person who has multiple identities, and as such, the identities might be split out over multiple keys and they might be split out over multiple user IDs, but it is two identities to one person. Again, verifying... So who's this guy? All right, moving on.

User IDs are for human convenience, and that's the point I'm trying to make here. So the user IDs on keys bind identity information to key information. That's all they do. It is not a statement saying that you are absolutely this person and you only go by this name. It is just saying that the key material in this key belongs to the identity of this person. So does it matter whether you guys know me as Seth Hardy or shardy? Does it matter to anybody? Would anybody be offended if I didn't go by my real name here? No? That's a really good point. For those of you who might not have heard it, he said that shardy is full of shit and Seth Hardy is not, so I guess I'm maybe half full of shit. I don't know. But multiple identities... and in this case, it's funny, because I don't view those two as separate identities. Shardy might be a handle, but it's also my first initial and my last name. Everybody's always like, "Is that a drug reference?" I'm like, "Are you stupid?" You know, it's not separate identities.
It's just, one is within a certain character limit and is easier to type in when I want to check my email. And some people are known a lot better by their pseudonyms, like that guy. Some people... I guess I'm known equally between the two, because it's not really a pseudonym. But all I'm saying is: multiple identities, one person. And oftentimes people who go by pseudonyms are doing it so that they don't have to give out their real name, because they think that people like you are scary and don't want you to find out who they are.

So that raises the question: why do people restrict what identity information they'll verify? The OpenPGP standard supports photo user IDs. I've seen very few people actually use them, but I think they're one of the best things ever, because if you see somebody and they're like, "I'm not going to tell you my name," you can still sign their key, and you can know for a fact that this person is the person that you talk to, because you've seen them, you see them physically, and it's very hard to man-in-the-middle attack somebody else's vision. Denial of service is another matter entirely, but the man-in-the-middle attack, that's harder. So photo IDs are accepted, but I've never seen a phone number as a key user ID, and that's probably just because most people don't want to put their phone numbers on the key server network. But I've asked people about that and they seem very genuinely surprised.

So now that that's all out of the way, the real reason I'm talking here is because of the bullshit I pulled at the HOPE 6 key signing party and my talk there on the web of trust. It was all a setup for this talk. Basically, I decided to go in and see how much I can get away with. I gave a talk on PGP stuff, and then I did a whole bunch of key signing events there, and I just tried to see: if I'm in a position of responsibility, what can I get away with? And if I just kind of smile and nod and act like I'm in control, what will people let me do? And the answer is a
lot. And there's also the question of how much do I have to pay for a crappy fake ID in New York City, and the answer to that is way too much.

So let's talk about my new IDs. I got a few of them, varying from complete bullshit to somewhat legitimate. The first one was an international student ID. It's real. It's a company that makes international student IDs, and by that I mean they print stuff on plastic and have agreements with merchants to give you discounted stuff if you show their card. That's real in some cases, not real in other cases. It certainly does not have strict identity checking, and it doesn't have a government backing it up. But it will get me discounts, and I did have to fax in my expired student ID to get it. So there was a basic level of paperwork checking that I did have to go through to get this piece of plastic.

Then there was the overpriced Chinatown novelty ID, which very nicely says right across the top, like, "this is not real". But it has a hologram. The hologram cost me an extra ten dollars. I figured the hologram for ten dollars would be a very wise investment, because people would be like, "Oh, shit, it's got a hologram. It's got to be real." I'll talk about that in a minute.

And then there was also... like, one of my friends found some guy's ID on a street corner, and when I asked him if he knew where to get a fake ID, he's like, "Here, just use this guy's." So I did. Didn't work so well, because the guy... I looked nothing like him, but I tried. I tried.

So this one cost me three dollars in Chinatown. Nobody took it. It didn't even get me into the three or three party last night. Here is my Chinatown fake ID. By the way, this guy's a fed. I know this for a fact. I'm his landlord.
He's a fed. But you can see across the top of the ID, it's his personal non-government photo ID card for residents of Massachusetts. You can also see that they couldn't be bothered to come up with a Mass state logo and have a generic United States logo for every single state there is. But they gave me all sorts of interesting stuff, like letting me figure out which color I wanted the Massachusetts bar to be and what kind of barcode I wanted. Just for the record, that's not my real Social Security number. It's also not my real date of birth, but it's close. So this is one of the IDs that I use, and you can see the hologram's seal of authenticity. You can also see that this ID says that my credibility status is a C. I found that very appropriate.

So one guy said he was from Texas, and he was like, "Oh, so that's what a Mass ID looks like. Never seen one of those before. Okay, I'll sign your key." And then somebody else was like, "It's got a hologram, so it's got to be all right." I told you the ten dollars was worth it. More than one person just saw the hologram and just immediately assumed it was real. And I was so tempted to be like, "That cost me ten dollars. I'm sorry, that ten bucks, I can go buy one for you right now." And that ID got me into all the DEF CON parties this weekend, but that's really not saying much. It didn't get me on a plane, but then again, I didn't want to go to jail, so I didn't try. But yeah, it looks nothing like a real ID, and people who were local to the area cried bullshit. But everybody from other parts of the country just kind of smiled and nodded, and some kind of looked at me pretty suspiciously, but some people completely bought it, and this was not even a good ID. It said right across the top:
"This is not a real ID." And people didn't even read it, even after I pointed it out. They just kind of looked at it and smiled and nodded and went, "Okay." And it was fine. It said across the top of it that it is fake. And these people are security professionals.

So here's my new key. It has three user IDs on it. The first user ID says that I am "that guy that talked about the web of trust". I've talked about the web of trust a few times. I know this isn't very specific, but it is accurate. And when you're signing a user ID, all you're doing is saying that, "I state that I believe that this statement is true." And I am that guy that talked about the web of trust. I'm doing it now. I'm also full of shit. I've also got 10 minutes, which is pretty good, because I'm almost done.

So the second user ID, and I'm going to verify it basically right now: I wear size 11-ish boots. If anybody would like to come up here, I can show you that my two boots are the same size. I'll show you the size of my boots, and then you can feel my toes on the other boot to see that they actually do fit, and then you can sign my user ID that says I wear size 11 boots, plus or minus one half. These are actually size 10 and a half. I need to see... That same size? And would you like to feel my toes? Come on, Nick. Oh, yeah. Does it fit? Just barely. It fits, but just barely. So you have Nick's word on it. I wouldn't trust Nick, but... What? You're wearing a suit. You're a sketchy motherfucker.

So I also... I want to wrap it up. "Nick Farr has a posse." Does anybody want a "Nick Farr has a posse" sticker? First person to come up here gets it. So why wouldn't... or, or actually... Yeah, I was wondering why my phone was buzzing a whole lot, but let me turn on the ringer so people actually can hear it. Anybody? Come on, come on, somebody, somebody. This is my phone. Yeah, I might have crashed again. It's even got a classy ring. All right, so that's my phone number. Please don't prank call me. So why wouldn't people take these IDs?
I mean, are they less precise than what you usually get with a name and an email on a user ID? I mean... Yes, yes, it is. So is it less precise than usual? I mean, on my birth certificate my full name is Seth Michael Hardy, and it's capitalized, but on my key it's Seth Hardy. And do you care if it's less precise, as long as you know who it is? You can stop now, guys. Come on. Like, do you really care if it is my full information, or if it's just enough that you know who I am and can reference the key later on as belonging to me? Less relevant? I mean, the phone number is pretty important. I'm not going to live this one down. Everybody's going to be prank calling me two years from now. And... it's on the CD? No, these slides are not on the CD. I've got a basic set that's on the CD, but my phone number is not on the CD. Oh, shit, it's on the DVD. Well, shit. I just... All right.

So what's the goal of signing the key? And the question is: do you want to talk to me, or do you just want to be a dick about "I'm not going to sign your key because I'm not going to sign your key"?

Some last thoughts before I wrap this up and answer and check my voicemail. Identity management is hard, but we have a lot of practice doing it. Everybody does it on a daily basis, if you have friends, and if you don't have friends, now you can call me. So user IDs are there for human convenience, and you should take advantage of this, because it is a very flexible and robust system that works because you've had a lot of practice doing it, and humanity has had a lot of time as a whole fine-tuning it. And why do people trust bits of plastic over reputations? I don't know. I'm a big fan of the reputation capital concept, and I subscribe to it, and I think you should too. My personal viewpoint, and you can agree with it or disagree as you see fit.

Some more thoughts. I'll start with that last one: please don't prank call me. I'll be sad. But I guess I've got a lot of new friends.
Maybe I can, like, get some more MySpace buddies out of this or something. But I'm interested in seeing whether people trust my keys more or less after this. I am full of shit, as Nick pointed out. So, that one, that was not a real key. It is a real key. I just haven't uploaded it to key servers, because I don't want my phone number on key servers, even if it will be on a DEF CON DVD now. So in a culture where pseudonyms are common, I'm surprised that less people accept the concept of reputation capital. A lot of people will drop a handle instead of a name, and people around here usually don't blink. So, just something to consider.

Two new voice messages. Only two? Please don't prank call me. I'll be sad. So that's it. Thank you very much for your time. There's my fingerprint if you want it. So if you ask questions, please come up to the mic.

Yes, you can call me back at three in the morning anytime you want to. Oh, yeah, yeah, I can call you back. That's what I was going to say next, like, I got your number too, bitches. I got five minutes, bitch. So, are there any questions? Or... I hate freedom, because it feels so good to hate freedom. Uh-oh, Nick has got to answer.

All right, there's a reason that I'm saying this on stage during the second-to-last talk on Sunday. I issued... I told lower-level goons, hoping that the message wouldn't get up, and it doesn't appear to have. But if you can come up with a thousand dollars for the Hacker Foundation and the instrument of death, meaning the 35-patty burger, because actually internet will not give you more than a 35-patty burger, because that stretches out the default boxes that they have; the standing rule is, if it's more than 35, you have to bring your own box. That can also be arranged. And don't get two side by side; that won't happen. But a thousand-dollar donation for the Hacker Foundation and the burger, wherever it is presented to me, I will eat it. An answer to that burger shit. It's gonna happen, just you wait. And shardy, you have, uh, two
minutes. All right, two minutes.

So do you, are people actually going to go through the effort to get a fake? I mean, if it's only in 10 dollars, yes, but a fake ID to do key signing, is that, seem like a legitimate threat model?

I am, why would I want to sign your key then, I guess? Or why are you trying to get people to trust your key? What are you leveraging as an attacker to get someone to sign your key? Are they going to, it's not an attack. It's just showing that I'm, people are limiting themselves to a subset of trust building that they can do, and that the, uh, self-limiting in the form of security enhancement is producing no real benefits and is only limiting themselves from the things that they want to do. Yep, thanks.

So wouldn't you also say that it's, I mean, uh, identification is essentially worthless if you have a threat model that includes anyone that actually issues credentials, right? I mean, anyone here that looks at an ID, I mean, who cares if it's fake or not? A real ID is, is, is essentially fake as well. If you don't know a person, you shouldn't, there comes a point where you have to accept risk. If you didn't trust anything, you would never be able to trust anything. But, but an ID is, is worthless. I agree with you, but most people don't. That idiots. Anybody else?

Just, just to clarify, are you going to trust, like, a, a different ID, like he was saying, like, like something that really looks legitimate or something, versus something that doesn't look legitimate? Is that, or how else can you verify someone new that you have any reputation with and they're not in this system yet? Besides, you know, shoe size, what other would somebody propose as a solution, a reputation capital?

Uh, if, if you can, I, if you have a way, no matter how weird it is. The user identity binding is for you and you alone. So as long as you feel comfortable with how you are binding the user to the identity, it's only there for your convenience.
So if you can do it for yourself, do it. Don't, don't restrict it based on photo ID. So if you're comfortable with it, don't say, "Well, I haven't seen a photo ID, so I shouldn't." If you're comfortable with it, then it's good.

Is there anything you can propose in the physical world that's going to be bound in this kind of system, as someone new coming up to you without having already established that reputation system?

I mean, okay. Web of trust: if you don't trust somebody, and no contact implies no trust, then don't sign if there's no trust.

More of a comment than a question. You also had this problem with organizations. When I moved to Seattle, I went to the DMV and they got my birthday wrong, and then told me I had to pay them another license fee to get it corrected. Um, also those international student ID people. I used their travel agency once and they said, "Are you a student?" and I said, "No, absolutely not, not for years, not in any way," and they said, "Great." Snap. "Here's your student ID. It gets you a discount. Here you go. We're doing you a favor." Excellent.

Wouldn't the new national ID system just get rid of all these problems?

No, because it would make one target for faking appear. So I think I'm getting kicked off stage now. So you should have some tequila and