Using a "pointer database" with Real ID:
Warning, we're going to get a bit technical here: I learned from an article at GCN Home, by Wilson P. Dizard III, that a trucker data base has been suggested as a model for Real ID. The problem people want to solve here is that checking everyone's documents in 50 states all the time, to satisfy Real ID security requirements, will hopelessly overload access to federal data bases. If so, you may spend five days renewing your license instead of an hour or two.
The suggested trucker data base is a called a "pointer data base" because, instead of containing actual data (like the details of your birth certificate), it merely notes whether such data exists in another data base. Checking a pointer data base to see whether a candidate already has other state driver's licenses would be much faster than checking other states' data bases to read the candidates other licenses if they exist.
This suggestion raises several red flags for me, for your consideration:
(1) It's possible there are ways to "game" a pointer system to subvert its level of security. I hope to get a comment from Bruce Schneier on this risk. In any case this is a new thing, and its basic level of security has not been tested yet, I think.
(2) Some states are already implementing computer software for Real ID, in order not to fall behind. Each of them is either assuming there will be a pointer data base or not; some of them will have reworking to do, depending on whether a pointer DB is used. This is just one of many, many possible examnples to show the risk of working ahead with neither final specs nor an agreed upon, common design.
The suggested trucker data base is a called a "pointer data base" because, instead of containing actual data (like the details of your birth certificate), it merely notes whether such data exists in another data base. Checking a pointer data base to see whether a candidate already has other state driver's licenses would be much faster than checking other states' data bases to read the candidates other licenses if they exist.
This suggestion raises several red flags for me, for your consideration:
(1) It's possible there are ways to "game" a pointer system to subvert its level of security. I hope to get a comment from Bruce Schneier on this risk. In any case this is a new thing, and its basic level of security has not been tested yet, I think.
(2) Some states are already implementing computer software for Real ID, in order not to fall behind. Each of them is either assuming there will be a pointer data base or not; some of them will have reworking to do, depending on whether a pointer DB is used. This is just one of many, many possible examnples to show the risk of working ahead with neither final specs nor an agreed upon, common design.