An Online ID Registry
Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the Slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other CPU-intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
Re:It's been done (Score:5, Informative)
Other people who do ID verification... (Score:4, Informative)
Thawte Web of Trust (Score:5, Informative)
http://www.thawte.com/email/index.html
already being built, it's called the liberty . . . (Score:2, Informative)
www.projectliberty.org
Re:What I'd have to know to use it: (Score:4, Informative)
Re:My random thoughts.... (Score:2, Informative)
I don't know how it's resolved in the US, but in Poland, where I live, every man has a unique PESEL number, given at the date of birth. This number consists of the birthdate (first 6 digits) and a few other digits, containing (besides some pretty random data) info about sex and a checksum of all the previous data. Maybe you could use something like that? This way you could make it with just a person's name, sex, birthdate and such a number - voila!
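The check described in the comment above, as an added example that is not part of the original post: a Python validator for the PESEL layout (six date digits with the century folded into the month field, a serial whose last digit encodes sex, and a weighted mod-10 check digit). The function names are this example's own, and the sample numbers are constructed for illustration.

```python
from datetime import date

# Weights applied to the first ten digits when computing the check digit.
WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
# The century is encoded as an offset added to the two-digit month field.
CENTURY_BY_MONTH_OFFSET = {0: 1900, 20: 2000, 40: 2100, 60: 2200, 80: 1800}


def parse_pesel(pesel: str) -> dict:
    """Return the birth date and sex encoded in a PESEL.

    Raises ValueError for a malformed number, a wrong check digit or an
    impossible calendar date.
    """
    if len(pesel) != 11 or not (pesel.isascii() and pesel.isdigit()):
        raise ValueError("PESEL must be exactly 11 ASCII digits")
    digits = [int(c) for c in pesel]
    weighted = sum(w * d for w, d in zip(WEIGHTS, digits))
    if digits[10] != (10 - weighted % 10) % 10:
        raise ValueError("check digit mismatch")
    yy, mm, dd = int(pesel[0:2]), int(pesel[2:4]), int(pesel[4:6])
    offset = mm // 20 * 20
    # date() rejects month 0, months above 12 and days such as 31 February.
    born = date(CENTURY_BY_MONTH_OFFSET[offset] + yy, mm - offset, dd)
    return {"born": born, "sex": "M" if digits[9] % 2 else "F"}


def matches_claim(pesel: str, born: date, sex: str) -> bool:
    """True only if the number is well formed and agrees with the claimed data.

    A match shows internal consistency, nothing more: the layout is public,
    so a registry still needs a document check to bind number to person.
    """
    try:
        return parse_pesel(pesel) == {"born": born, "sex": sex}
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample numbers, not taken from any real record.
    print(parse_pesel("80011512354"))
    print(matches_claim("02270801240", date(2002, 7, 8), "F"))
```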
Paypal (Score:5, Informative)
Instead, use Paypal or similar financial services who have an interest in verifying ID. Yes, many have problems with Paypal eating money, etc. Guess what: Most will probably have a bigger problem sending YOU their personal info & paypal already has a lot of personal info.
Just make users send you the smallest amount possible as pseudo-micropayment. And/or send THEIR paypal account some small amount. That will probably be cheaper than doing verification yourself.
Re:Centralization (Score:3, Informative)
Why centralization may be necessary [onlineidregistry.com]
Data is encrypted, only you can read it [onlineidregistry.com]
-Neil
Re:Privacy policy? (Score:2, Informative)
-Neil
Re:how do i know (Score:4, Informative)
As for trust, why do you start trusting anybody? I have to start somewhere. I don't claim to be starting up this thing from my basement and expecting everybody to just send me their life data. This is a prototype, a first attempt to come up with something that I think would be useful to have as a secure place to store your personal information, and a secure way to pass same on to other people. Obviously if it went into production then there would have to be a "real" company or organization, which are precisely the questions I ask at the end of the White Paper. I'm not looking for people's trust at this point, just some feedback on the concept. I really wish more people would actually read the article before assuming that this thing is just another MS Passport.
-Neil
more porn sources (Score:2, Informative)
Re:It's been done (Score:3, Informative)
That's what this person is trying to do. Limit free trial offers to one to a customer. Something tells me that's just not possible.
Re:already being built, it's called the liberty . (Score:5, Informative)
Re:Appeal to authority (Score:4, Informative)
I have 2 PCs and a laptop in my house at present, does that mean I need to register 3 times to use the stuff?
For Profit? (Score:2, Informative)
Hey There,
I would suggest you go with a proven business model.
Should be "non-profit".
Just make sure that you patent the idea.
Don't tell anyone about the pending patent.
Work as part of a standards group to gain wide acceptance.
Wait 3-5 years.
Now what's the phrase I'm looking for?
Damn the torpedoes?
Up periscope?
Surface that submarine
Cheers,
--The Dude
Just to be clear... (Score:5, Informative)
a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.
b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.
c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.
Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?
Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.
Still thinking - thanks for the feedback.
-Neil
Re:What I'd have to know to use it: (Score:3, Informative)
SSN? Great, lots of fake ones out there. Besides the fact that many countries don't even HAVE social security numbers. Some have equivalent forms of ID, but many don't even have that.
Passports? Well, I bought a Sealand passport off of eBay.
Re:Appeal to authority (Score:2, Informative)
The channel you use to check that ID is not secure. I could program my computer to lie about its ID and you wouldn't be able to distinguish a real answer from a fake one.
We already have gpg, don't we? (Score:2, Informative)
gpg has been used for years and it works. I read in the article something about Instant Messages. Several Jabber clients, including PSI, can use gpg to "real-time" encrypt conversations.
Honestly, to me it sounds like reinventing the wheel. It is a very good idea, that's why it was done years ago.
It would be easy to make a php function that checks for a valid gpg key before accepting users, the same way a valid email address or other means can be used. This, however, requires the audience to have gpg keys and demanding things from the audience tends to turn it away. This also applies to "Online ID Registry": a web service that requires me to sign up and configure something I do not already use is a web service I'll skip.
Re:It's been done (Score:5, Informative)
Whitepapers and guidelines are already available from them. Note that when the whole passport thing fizzled (have *you* seen anyone use it other than MSN and ebay?), the Liberty Alliance doesn't seem to have gotten much more steam either.
Companies listed as members of the Liberty Alliance include AOL, Sun, Novell, Oracle, HP, etc. (full list here [projectliberty.org]) I would say that if anyone's going to pull it off, it would be these guys and not a random /. poster.
What we need is a registry of online merchants (Score:3, Informative)
What we need is a solid way to identify everyone who takes credit cards on the Internet, to help deal with spammers. It's a crime in many areas (California, for one) to run an anonymous business. California requires that the actual name and address of the business (not a P.O. box, unless you file some extra paperwork) be shown to the customer before the site accepts a credit card number. So it's not controversial to require this. It just needs a better implementation.
What we need is a banking regulation requirement that when a credit card merchant bank accepts a credit card transaction, there's a check at the bank's payment gateway of the web page from which the transaction came. The page must be SSL, of course. Its certificate information should be validated against the ownership info for the merchant's bank account. The credit card transaction (merchant to bank) should be signed with the same key that signs the web page. Otherwise, the bank is required to reject the transaction.
This requires zero consumer-side changes. It makes it much easier to figure out who to blame for spam. Just get to the payment page and read the certificate. Right now, most SSL certificates don't guarantee anything. This forces accurate info into the site's certificate, or the transaction bounces.
It would be a pain for companies that rely on "affiliate networks" and other marginal indirect payment schemes. But that's probably a good thing.
Re:Interesting choice of words... (Score:1, Informative)
Of course, you could be someone else, but at least you have access to my mail and to my bank account if you can answer the queries.
All that said, I have to agree with those above -- I didn't give up my address and bank account numbers easily. There are very few sites for which I would give up much lesser personal information, as you can see by my post signature.
Re:Just to be clear... (Score:3, Informative)
Of course, this assumes you know you can trust the person on the other end of your communication to not be the person claiming to be the notary, or to be in conspiracy with the claimed notary, or that the notary's seal hasn't been forged.
In the end there is no way to absolutely "prove" the identity of a person. People can lie, records can be altered/forged, officials can be bought. It all comes down to a percentage/degree of certainty and trust.
Driver's license, passport, etc. only prove who the person claimed to be when they presented themselves to receive those documents, not who they actually are.
Re:Interesting choice of words... (Score:4, Informative)
Works like a charm, is rather fast (total processing time 3-5 working days), no data is stored by the verifying company, and I think it is rather cheap (5-10 Euros IIRC). Businesses that are forced to identify their customers by law, like online banks, are very glad to have something like it.
Re:Interesting choice of words... (Score:3, Informative)
Since when did this happen? I've had & used my PayPal account for a few years now and never ever had to go thru this procedure, let alone heard of it...
Re:Interesting choice of words... (Score:3, Informative)
Re:Certificates? (Score:1, Informative)