An Online ID Registry 278
Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other cpu intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
Interesting choice of words... (Score:4, Funny)
Not anymore you don't. Problem solved!
Re:Interesting choice of words... (Score:5, Insightful)
Lets see, a central repository of peoples personal data, so someone can verify that we are trying a program for the first time ? Oh, yeah, I can see that flying.
Sarcasm aside, I just don't see it happening, too much potential for abuse. Imagine if this repository was hacked ?
Re:Interesting choice of words... (Score:3, Insightful)
From the article:
Even if hackers stole the entire database, they couldn't read it because all the data is encrypted using individual users' passwords.
So hacking is not a massive threat, just have to be careful with your own password.
Re:Interesting choice of words... (Score:2)
Re:Interesting choice of words... (Score:2, Insightful)
Your idea is hopeless. Identity can only be "verified" using something that's difficult or expensive to fake. Nobody is going to trust you with information that can be used for identity theft, so you can't rely on the government to do the enforcement for you. You can't afford enough private investigators to check up on every new account, and users wouldn't tolerate that anyway. Your on
Re:Interesting choice of words... (Score:5, Insightful)
The step that you're missing is not that xeroxes of these documents are hard to fake (they aren't) but that they are verifiable. If Mary Marsupial has a passport, the government can verify whether or not the information that she entered is correct. If there really is a Mary Marsupial with passport ID #15857287382748 VX123, with birthdate etc etc, they can verify that. Now, that doesn't necessarily mean that the person on the other end of that communication is actually Mary Marsupial, and the following step is to MAIL a confirmation code of some kind to the address of Mary Marsupial as listed by the passport. If you have that, you know that either A: this is really Mary Marsupial or B: Mary Marsupial is totally Owned.
Of course, all of this is hard work, and therefore would take paid registrations and a profit motive to achieve.
Re:Interesting choice of words... (Score:4, Informative)
Works like a charm, is rather fast (total processing time 3-5 working days), no data is stored by the verifying company, and I think it is rather cheap (5-10 Euros IIRC). Businesses that are forced to identify their customers by law, like online banks, are very glad to have something like it.
Re:Interesting choice of words... (Score:3, Informative)
Since when did this happen? I've had & used my PayPal account for a few years now and never ever had to go thru this procedure, let alone heard of it...
Re:Interesting choice of words... (Score:3, Informative)
Re:Interesting choice of words... (Score:4, Insightful)
Sure, some people have access to multiple addresses but this would largely address the problem.
My random thoughts.... (Score:4, Interesting)
Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a
compute-intensive application I'm playing with ... I think I'll talk
about it on slashdot. What's that crashing sound I hear?
As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extemely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?
Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.
Re:My random thoughts.... (Score:2, Informative)
I don't know how it's resolved in US, but in Poland, where I live, every man has a unique PESEL number, given at the date of birth. This number consists of birthdate (first 6 digits) and few other digits, containing (besides some pretty random data) info about sex and a checksum of all the previous data. Maybe you could use something like that? This way you could make it with just person
Re:My random thoughts.... (Score:2)
Yeah, like Microsoft's Passport service. And they don't even ask for utility information!
Re:My random thoughts.... (Score:5, Insightful)
Another thought: How do you solve this problem?
Re:My random thoughts.... (Score:2, Funny)
How Dare You Solve My "Problem!" (Score:4, Funny)
Which is to say: GO, MAN, GO....!!!
It's been done (Score:5, Insightful)
I wonder how hard it would be for an independant website to use passport for id?
Anyway, making your system for-profit would be kind of pointless, since there are already much larger commercial offerings. I'm not aware of many non-commercial ones, though. oh well.
Re:It's been done (Score:5, Informative)
Re:It's been done (Score:5, Interesting)
more porn sources (Score:2, Informative)
Re:It's been done (Score:3, Informative)
That's what this person is trying to do. Limit free trial offers to one to a customer. Something tells me that's just not possible.
Re:It's been done (Score:2)
Yes, and I have several ID's on each service. Some even under my own name. That's the issue that is at question. Whether it needs to be resolved or not I leave as an excersize for the student.
Re:It's been done (Score:5, Informative)
. Whitepapers and guidelines are already available from them. Note that when the whole passport thing fizzled (have *you* seen anyone use it other than MSN and ebay?), the Liberty Alliance doesn't seem to have gotten much more steam either.
Companies listed as members of the Liberty Alliance include AOL, Sun, Novell, Oracle, HP, etc. (full list here [projectliberty.org])I would say that if anyone's going to pull it off, it would be these guys and not a random /. poster.
Re:It's been done (Score:3, Interesting)
for example I can open a passport with a fake address like "root@slashdot.org" assigining a password. Of course an email will be send to this address, but just a few seconds after registering, you can connect to MSNM for example with your email and password, and it will works.
Passport does NOT wait for the confirmation link being clicked in the email, and as long as nobody deny it, you can login.
Appeal to authority (Score:5, Insightful)
Re:Appeal to authority (Score:4, Interesting)
Think about it.. that leads to claim of identity theif immedatily.
Better question why offer 30 day demo software, or crippleware in the first place?
Why not offer lower cost software, so it can be tossed if the customer does not like it.
Or required the software to phone home every few days while in demo period. This why you can use embedded id of software / IP of coonection to determine if linesse is valid... but that will label you with SPYWARE instead.
Re:Appeal to authority (Score:2)
You could also go off the processor ID that Intel implemented back in the P2 or P3 days. Not as decisive, but Slashdot trolls won't buy new processors to have multiple accounts.
Re:Appeal to authority (Score:4, Informative)
I have 2 PCs and a laptop in my house at present, does that mean I need to register 3 times to use the stuff?
Re:Appeal to authority (Score:2, Informative)
The channel you use to check that ID is not secure. I could program my computer to lie about its ID and you wouldn't be able to distinguish a real answer from a fake one.
Who said anything about "Truly verify identity"? (Score:3, Insightful)
The problem he's trying to solve is people avoiding paying for a service that offers free trials simply by creating multiple user IDs when the free trial is over. To prevent this, he doesn't need a foolproof system...
He just needs a system where it is EASIER TO PAY FOR THE SERVICE than it is to get another ID, for
Re:Who said anything about "Truly verify identity" (Score:3, Insightful)
- each build / install of the application should stop working after a while for evaluation purposes forcing the user to download a new copy
- email a demo key to the user, only one allowed per email address
Of course you're software could still be cracked allowing anyone to use the evaluation version / key as if it was registered.
There will always be a small percentage that find a way around whatever you try to do. So don't make it too hard for legitimate users, or you shoot
Use multiple sources of trusted authorities (Score:5, Interesting)
Points can be earned by:
Depositing 2 random amounts of money into the person's checking account (like PayPal)
Verifying their address with the address on their credit card
Matching their phone number to their address through a phonebook (anywho.com/rl.html)
Have an automated call placed to the phone number listed and ask the person to input his/her date of birth as digits
Have X other registered users verify that the person signing up is real
Have the person fax in a notarized document of identity
Send a letter/postcard in the mail with a code for the person to use to verify his/her address
Have the person call a toll-free number and input their birth date and using caller id to verify the source of the phone call
There are probably more ways, but like others said, if you're serious about this, you may want to look into starting a non-profit or LLC.
What I'd have to know to use it: (Score:5, Interesting)
Second, can site A find out that I also use site B?
Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)
I think thats a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.
Re:What I'd have to know to use it: (Score:4, Informative)
Re:What I'd have to know to use it: (Score:3, Informative)
SSN? Great, Lots of fake ones out there. Besides the fact that many countries don't even HAVE social security numbers. Some have equivalent forms of ID, but many doesn't even have that.
Passports? Well, I bought a Sealand passport off of eBay.
Centralization (Score:5, Insightful)
The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.
Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist news letter of he's a hardcore christian?
Re:Centralization (Score:2)
While the OP clearly has "a" site now with his test code, there is absolutely no reason the system could not be expanded to dozens or hundreds of autonomous entities each offering verification of identity.
Re:Centralization (Score:3, Informative)
Why centralization may be necessary [onlineidregistry.com]
Data is encrypted, only you can read it [onlineidregistry.com]
-Neil
Re:Centralization (Score:2, Funny)
I'm trying to imagine what an athiest newsletter might have to say every month...
"Supreme Being: Still Made Up" or something like that?
Re:Centralization (Score:2)
This, unfortunately, is SO not true any longer. I can tell you the names of 13 machines to take out, after which most of the 'net won't function. Care to guess what they are?
As soon as commercial interests hit the 'net, it's ability to survive substantial damage and continue functioning began to disappear.
Looking at the whitepaper (Score:2)
Yeah, that infrastruction. A real bitch.
Seriously, though. You seem to be thinking of people mailing notarized passport photocopies!? Yeah right. The vast majority of FRR sites only want to know their advertising demographics and do some geotargeting (also with ads). They don't need to know yo
how do i know (Score:5, Funny)
Re:how do i know (Score:4, Informative)
As for trust, why do you start trusting anybody? I have to start somewhere. I don't claim to be starting up this thing from my basement and expecting everybody to just send me their life data. This is a prototype, a first attempt to come up with something that I think would be useful to have as a secure place to store your personal information, and a secure way to pass same on to other people. Obviously if it went into production then there would have to be a "real" company or organization, which is precisely the questions I ask at the end of the White Paper. I'm not looking for people's trust at this point, just some feedback on the concept. I really wish more people would actually read the article before assuming that this thing is just another MS Passport.
-Neil
-Neil
Re:how do i know (Score:4, Funny)
Oops
always a way to subvert it. (Score:5, Insightful)
Hell meet the right people and you can get multiple Social Security number, drivers licenses, and passports.
ALL identification systems can be subverted and online ones that do not require a large amount of 3rd party and usually highly reliable data backing up your claims to be you is really easy to subvert.
I tried to find a solution like this over 7 years ago for the company I work for. it is impossible to make a foolproof system and I proved it to the board of directors that trying to do this will only piss off the customers and give us nothing but a false sense of security that really does not exist.
Re:always a way to subvert it. (Score:2)
Are you going to do that just to reuse software once the trial period is up?
Re:always a way to subvert it. (Score:2)
Other people who do ID verification... (Score:4, Informative)
Beware of Big Brother... (Score:4, Insightful)
Peace
Re:Beware of Big Brother... (Score:3, Interesting)
Nobody is forcing you to look at the information.
But if you need the information, you have to play by the rules of the provider.
Re:Beware of Big Brother... (Score:5, Insightful)
Here is a slashdot anomaly: the parent post would have more credibility had it been posted as anonymous coward.
-jim
Thawte Web of Trust (Score:5, Informative)
http://www.thawte.com/email/index.html
online registration (Score:5, Funny)
Privacy policy? (Score:5, Insightful)
Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games
Until privacy is addressed with a lock tight policy, like, "We'll never give out your info." I will never become a client.
Re:Privacy policy? (Score:2, Informative)
-Neil
A matter of trust (Score:5, Insightful)
This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This is both leaks to the outside world in general via website spoofs, phishing, and the like, as well as internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).
You would do well to read up on the design documents and white papers from the Liberty Alliance [projectliberty.org]. This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.
--Paul
already being built, it's called the liberty . . . (Score:2, Informative)
www.projectliberty.org
Re:already being built, it's called the liberty . (Score:5, Informative)
And how the hell... (Score:4, Insightful)
Given That... (Score:2, Insightful)
Paypal (Score:5, Informative)
Instead, use Paypal or similar financial services who have an interest in verifying ID. Yes, many have problems with Paypal eating money, etc. Guess what: Most will probably have a bigger problem sending YOU their personal info & paypal already has a lot of personal info.
Just make users send you the send you the smallest amount possible as pseudo-micropayment. And/or send THEIR paypal account some small amount. That will probably be cheaper than doing verification yourself.
Re:Paypal (Score:2)
Maybe this is where to start -- not necessarily with PayPal, but the idea of distributed "identifying entities." Rather than spending your time on a site for registration, design an infrastructure that allows entities who do know with some certainty who I am ( say, the Instituto Nacional de Migracion, who handle my residence visa, or my banker who handles my money ) to allow me to issue these same identifying tickets to other parties.
Be like BASF "We don't make the identity database. We make the iden
Testy (Score:2)
That's what /. is here for. I suggest you count in minutes, not hours.
I hate ti drive the nails in the coffin, but... (Score:2, Interesting)
Trust, and the 'trustworthy computing' (Score:4, Interesting)
First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or, even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day."
Second...how do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I suppossed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?
If you or company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?
I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.
Ian
Why? (Score:4, Insightful)
What problem does it solve?
I already do online banking, shopping, bill paying, etc.. What additional service could I get from registering with you?
Re:Why? (Score:2)
What problem does it solve?
Email.
No more spam.
If you can verify that each message comes from a specific person, you can filter out the known spammers and get on with your life.
If you're creative, you can come up with more problems for this solution fairly easily.
Re:Why? (Score:3, Funny)
As for number 2, make it part of a ruleset (like SpamAssassin), and it can be adopted gradually. For fun, here's the whole form:
(in short, all potential implementation problems that are difficult in and of themselves. The worst being identity theft via worm or virus. But, if he got a perfect solution to his problem, it could solve spam problems right quick.)
----
Your post advocates a
(x) technical
Problems (Score:2)
The main problems are that this just shifts the point of failure (or deception or fraud) to third parties. Instead of you yourself lying about your identity to someone over an insecure communications system, now you're dependent on whatever procedure people identify themselves with to this registry. Ultimately someone at the registry has to examine the documents submitted by someone and decide whether or not it's legitimate (and thereby mark the user as verified). How can he managed to never be deceived?
In Finland banks do this (Score:2, Interesting)
Re:In Finland banks do this (Score:2, Funny)
go for it (Score:2)
For Profit? (Score:2, Informative)
Hey There,
I would suggest you go with a proven business model.
Should be "non-profit".
Just make sure that you patent the idea.
Don't tell anyone about the pending patent.
Work as part of a standards group to gain wide acceptance.
Wait 3-5 years.
Now what's the phrase I'm looking for?
Damn the torpedoes?
Up periscope?
Surface that submarine
Cheers,
--The Dude
Stupid question... but.... (Score:2)
and why on gods green earth would i spend the time to SEND you NOTARIZED ($$) copies of my UBER-private documents (step #3 on his page)...
For....
a "free trial" or "free registration"?
through a third-party.
no way... im too lazy to give my lawyer those documents in an orderly fashion... much less for a free trial to mens life online magazine.
Economics matters more than CS here (Score:2)
I suggest a simpler way... (Score:3, Interesting)
Have a central registry with only an ID and a phone number. To activate your ID, the system calls you and tells you a number which you subsequently type in a web form. The "ID" is then considered "validated".
Your initial web app can now call the DB and ask if the ID is validated. If it is, everything's fine.
Advantages: Less privacy intruision (people only have to trust that the central registry won't tell the phone numbers anybody). Simple to set up for both the central registry and any service. Quite efficient (most people don't have access to more than a few phone numbers).
Case solved.
If you implement it, don't forget us poor buggers from Europe who would like to use the app too!
Re:I suggest a simpler way... (Score:2)
-Neil
Re:I suggest a simpler way... (Score:2)
Using the exploit against the exploiters (Score:3, Interesting)
If you keep track of IP addresses and do a little research at netcraft - you can really expose someone for being a fraud.
On my website, I have followed such a person [adzoox.com], and exposed that he was registering as different aliases and agreeing with his own posts pretending to be other people. In some cases, just so he would look like he wasn't the same person he would criticise his previous comments.
Just to be clear... (Score:5, Informative)
a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.
b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.
c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.
Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?
Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.
Still thinking - thanks for the feedback.
-Neil
Re:Just to be clear... (Score:2, Interesting)
Let's reply to this...
a) Prove this. You probably can't, you'll have to develop a track record of behavior ... good luck on a) and b)
b) Is it encrypted on my computer before getting to your database? Or am I supposed to assume that you'll be honest and you'll 1) actually encrypt the data and 2) won't keep the password?
c) OK, so you're asking the slashdot crowd to help you play and test
(Everytime you attempt to quickly placate the fears of your potential audience, you risk weakening the system. I'd r
Re:Just to be clear... (Score:2)
Re:Just to be clear... (Score:3, Informative)
Of course, this assumes you know you can trust the person on the other end of your communication to no be the person claiming to be the notary, or to be in conspiracy with the claimed notary, or that the notary's seal hasn't been forged.
In the end there i
Re:Just to be clear... (Score:3, Insightful)
As a computer programmer for over 24 years and a Notary Public for over 24 months, I'd like to point out something else. In the Commonwealth of Virginia, notaries cannot authenticate copies of some government issued documents. I cannot authenticate a birth certificate, for example; the instructio
Re:Just to be clear... (Score:3, Interesting)
Centralized IS bad, and meatspace identity's... (Score:2)
That's why some think the best you can do is track the behavior of an online identity in some manner that minimizes the impact of throwaway identities.
In fact, that's the basis of a distributed, P2P anti-spam project we've recently started, called GOSSiP. There's a white paper and mailing list [sufficient...vanced.net] availa
Sounds like the cure is worse than the disease (Score:5, Insightful)
So, people don't want to give out their credit card numbers for free trial... But they will want to give you their DOB/Address/Passport/etc? Sure, the individual site wouldn't be the one causing the immediate nuisance, but you still have the problem of getting people on the system to begin with. If they were loathe to provide you with a credit card number, what would make them more willing completely hand over their identities?
Also, you're being incredibly disingenuous with statements like this (in the Quick Tour section):
But, the registration is non-SSL and requests name/DOB/address. I see that buried in the "Terms and Conditions" and "Implementation" section, but, saying "nobody but you can ever see it" anywhere on the site when you're not even using SSL in transit shouts loud and clear that you aren't the one to trust with any sensitive data.
You should have a big highly-visible warning on the registration page about being a prototype and that there is no SSL, and that having no SSL means all information is sent insecurely to you. Not statements that "no one but you can ever see this information" in big print, and "Oh, I was lying about that" in small print.
Stating "no one but you should ever see it" regarding the database being encrypted is also a big false sense of security. Since the password is being given to your server, it can be intercepted on the server. If someone has access to steal the database, they've most likely got access to harvest some passwords first, too. Of course, since you're doing everything in cleartext in-transit right now, it could be intercepted over the network, too.
Re:Sounds like the cure is worse than the disease (Score:3, Insightful)
That out of the way... What appears to be the lynchpin of your model is false:
And remember the advice (Score:2)
Certificates? (Score:5, Interesting)
As everyone has this trusted party's public key (ie Verisign), they can verify the information.
All the same benifits, without the need of some central database. If you dont trust verisign, or don't like their business practices, then just become a CA yourself and work in exactly the same way. It is much more flexible than a central online database.
Re:Certificates? (Score:3, Interesting)
Of course, the problem here is the only 'unique' thing in the certificate is the name, which their can be many duplicates.
The solution of course is still to be a CA, but issue certificates with a property which gaurantee uniqueness to
My advice (Score:3, Interesting)
The second is to write a business proposal to online companies to sell them on your idea and why it is better than MS Passport, KeyType, MyUID, and others.
So what is to prevent someone from creating a fake Yahoo or Hotmail mail account, and then using it to create a mail account somewhere else that requires email verification. Then use the other email which passes the free web email checks that other sites use? Once they got an account in your database, they can enter fictatious info, and repeat this many ways. If you filter by IP or subnet, what prevents them from using a web proxy?
People won't want to enter their SSN, and what about someone not from the USA, what do they enter? What about people who can generate fake SSNs, or fake passport numbers, or fake driver's licenses? How do you check for all that?
If you require them to enter a valid credit card number, what about those who do not have a credit card? Can they enter a checking account number? What if someone does not trust you with this information or they use fake or stolen accounts? Someone with a program that uses the same formula to check credit card numbers can reverse it to create a fake number that passes your check. What then?
The best way to deal with this problem is to change the software on the end of the service that is providing the content. Maybe trial users can only read so many pages, or get a ton of more advertising and pop-ups than if they had subscribed? Or maybe requiring the trial member to wait 3 minutes before a page loads, and show them a page of benefits should they pay to register? The trial registration, maybe, has a large survey that they must complete, so that creating a new account is going to be more trouble than it is worth. Also limited trial memberships will be issued to subnets per month. If a subnet has over a certain number, they must wait until the next month to register a trial. There needs to be a way to limit trial memberships to prevent abuse.
What we need is a registry of online merchants (Score:3, Informative)
What we need is a solid way to identify everyone who takes credit cards on the Internet, to help deal with spammers. It's a crime in many areas (California, for one) to run an anonymous business. California requires that the actual name and address of the business (not a P.O. box, unless you file some extra paperwork) be shown to the customer before the site accepts a credit card number. So it's not controversial to require this. It just needs a better implemention.
What we need is a banking regulation requirement that when a credit card merchant bank accepts a credit card transaction, there's a check at the bank's payment gateway of the web page from which the transaction came. The page must be SSL, of course. Its certificate information should be validated agains the ownership info for the merchant's bank account The credit card transaction (merchant to bank) should be signed with the same key that signs the web page. Otherwise, the bank is required to reject the transaction.
This requires zero consumer-side changes. It makes it much easier to figure out who to blame for spam. Just get to the payment page and read the certificate. Right now, most SSL certificates don't guarantee anything. This forces accurate info into the site's certificate, or the transaction bounces.
It would be a pain for companies that rely on "affilate networks" and other marginal indirect payment schemes. But that's probably a good thing.
Destroy that documentation (Score:3, Insightful)
> the documentation that has been sent in. I think
> that for security and audit purposes, we do need
> to keep it in some form.
On the contrary. Yot need to *destroy* those documents for security and audit purposes.
passport, birth certificate, drivers license, util (Score:3, Insightful)
The problem is simple (Score:3, Insightful)
This might surprise a lot of people, but the majority of credit card fraud is not carried out by shoulder surfers, packet sniffers, l33t hackers, or any other third parties. It's done by the merchants themselves, or by their employees. Yep: the people most likely to misuse your CC info are the people you voluntarily give it to.
You're planning to ask people to give you information that can positively identify them in a non-face-to-face environment. Which means that you, your eventual employees, the investigators you hire to verify that the documents people send you are real, etc., will all potentially have access to that information. You first have to work out a bulletproof means to protect that information, even from yourself, and then you have to convince prospective users (remember, these are the people who are afraid to send their CC info over the Net) that you've protected it adequately. You can convince yourself . . . you might possibly be able to convince me . . . but it'll be a cold day in hell before you convince my mother-in-law.
There are a lot more mothers-in-law who have heard scary news stories about identity theft than there are Slashdotters.
Re:I don't like it (Score:2)
a) It's not Passport, it's not a distributed login system at all
b) The "confirmed data" aspect is covered in some detail
-Neil
Re:I don't like it (Score:2, Interesting)
Re:I don't like it (Score:2)
Thing is, the server's doing just fine, the document loads up immediately, so it doesn't seem to be an issue here. It's real easy to get to the actual website and the White Paper itself. I was just trying to explain in advance, since I really wasn't sure what would happen. Surprisingly, the server is still very responsive, which is great!
-Neil
Re:GPG (Score:2)
I'm not convinced that there's "someone politically neutral" who wants to run this kind of thing as a charity, and a for-profit entity could be just as bad.
Isn't that what GPG is for?
Here I agree with you more. The only non-authoritatian way to establish an online identity is some kind of web of trust.
Funny coincidence: I first saw this article this afternoon, and thought, "Useless idea, who needs that?" Then I checked the lo