Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Privacy Security Your Rights Online

An Online ID Registry 278

Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other cpu intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
This discussion has been archived. No new comments can be posted.

An Online ID Registry

Comments Filter:
  • by miketang16 ( 585602 ) * on Sunday July 11, 2004 @06:45PM (#9669727) Journal
    "I am sort of stuck with a working website but nowhere to go with it."

    Not anymore you don't. Problem solved!
    • "I am sort of stuck with a working website but nowhere to go with it."

      Lets see, a central repository of peoples personal data, so someone can verify that we are trying a program for the first time ? Oh, yeah, I can see that flying.
      Sarcasm aside, I just don't see it happening, too much potential for abuse. Imagine if this repository was hacked ?

      • Imagine if this repository was hacked ?

        From the article:
        Even if hackers stole the entire database, they couldn't read it because all the data is encrypted using individual users' passwords.

        So hacking is not a massive threat, just have to be careful with your own password.
    • EDIT: Not anymore you aren't. (typed too quickly i suppose)
    • by Anonymous Coward
      I'm replying to the first post so people will see my comment before all the others, suckers! eat me, i taste good, bitches.

      Your idea is hopeless. Identity can only be "verified" using something that's difficult or expensive to fake. Nobody is going to trust you with information that can be used for identity theft, so you can't rely on the government to do the enforcement for you. You can't afford enough private investigators to check up on every new account, and users wouldn't tolerate that anyway. Your on
      • by cgenman ( 325138 ) on Sunday July 11, 2004 @07:42PM (#9670138) Homepage
        I don't see how notarized copies of documents are easy or cheap to fake. Valid Drivers licenses are easier, but you can always verify the info with the state. Passports work great too.

        The step that you're missing is not that xeroxes of these documents are hard to fake (they aren't) but that they are verifiable. If Mary Marsupial has a passport, the government can verify whether or not the information that she entered is correct. If there really is a Mary Marsupial with passport ID #15857287382748 VX123, with birthdate etc etc, they can verify that. Now, that doesn't necessarily mean that the person on the other end of that communication is actually Mary Marsupial, and the following step is to MAIL a confirmation code of some kind to the address of Mary Marsupial as listed by the passport. If you have that, you know that either A: this is really Mary Marsupial or B: Mary Marsupial is totally Owned.

        Of course, all of this is hard work, and therefore would take paid registrations and a profit motive to achieve.

        • by mikrorechner ( 621077 ) on Monday July 12, 2004 @02:47AM (#9672343)
          You know, here in Germany, we have a rather good system for that purpose. If some online business wants to verify your identity, they can use PostIdent from Deutsche Post (known as DHL in the rest of the world, I think). That means you register with your data at the company's website, then, a few days later, your friendly postman rings and asks for your ID or passport, checks it against the data he got from the online company, then sends them a form stating that you are really you.
          Works like a charm, is rather fast (total processing time 3-5 working days), no data is stored by the verifying company, and I think it is rather cheap (5-10 Euros IIRC). Businesses that are forced to identify their customers by law, like online banks, are very glad to have something like it.
    • by potat0man ( 724766 ) on Sunday July 11, 2004 @08:18PM (#9670358)
      If the problem is preventing multiple sign-ups from one person then can't you simply snail mail them a PIN they need to use to verify the account?

      Sure, some people have access to multiple addresses but this would largely address the problem.

  • by YankeeInExile ( 577704 ) * on Sunday July 11, 2004 @06:47PM (#9669746) Homepage Journal

    Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a compute-intensive application I'm playing with ... I think I'll talk about it on slashdot. What's that crashing sound I hear?

    As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extemely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?

    Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.

    • "high identity-theft value" - That's some point here. You're asking people for literary every piece of personal ID info.

      I don't know how it's resolved in US, but in Poland, where I live, every man has a unique PESEL number, given at the date of birth. This number consists of birthdate (first 6 digits) and few other digits, containing (besides some pretty random data) info about sex and a checksum of all the previous data. Maybe you could use something like that? This way you could make it with just person
    • "As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust."

      Yeah, like Microsoft's Passport service. And they don't even ask for utility information!
    • by YankeeInExile ( 577704 ) * on Sunday July 11, 2004 @07:06PM (#9669883) Homepage Journal

      Another thought: How do you solve this problem?

      Hey, man, I'll give you $5,000,000 to verify that I am William Gates of Redmond, WA.
    • by RobotRunAmok ( 595286 ) * on Sunday July 11, 2004 @07:37PM (#9670106)
      Seems to me that the needs of the website owners are at variance with those of the website -- or more accurately -- online community -- users. Look, if I'm selling ads on /., I'm touting every impression as unique, by a major IT Industry Knowledge Worker/Decision Maker. You want to provide substantiation that it's really one 14-year-old with 35 different aliases and a singularly large amount of free time on his hands? R U Crazy?! Jeez, if this catches on, it's the end of the Web/Blog Ad Sales model as we know it...

      Which is to say: GO, MAN, GO....!!!
  • It's been done (Score:5, Insightful)

    by autopr0n ( 534291 ) on Sunday July 11, 2004 @06:47PM (#9669750) Homepage Journal
    see microsoft passport. I'm sure there are tons of online user ids, the biggest being passport and yahoo.

    I wonder how hard it would be for an independant website to use passport for id?

    Anyway, making your system for-profit would be kind of pointless, since there are already much larger commercial offerings. I'm not aware of many non-commercial ones, though. oh well.
    • Re:It's been done (Score:5, Informative)

      by nkh ( 750837 ) <exochicken&gmail,com> on Sunday July 11, 2004 @06:55PM (#9669807) Journal
      Microsoft Passport and its OSS port: MyUID [] (as seen on /. here [])
    • Re:It's been done (Score:5, Interesting)

      by Anml4ixoye ( 264762 ) on Sunday July 11, 2004 @07:08PM (#9669893) Homepage
      Thawte does this as well - they have a network of people who can verify your identity throughout the country, and if you can be positively identify enough, you can become an identifier. Seems to work pretty well (See their Freemail section).
    • hey auto, check out []. autopr0n rocks!
    • Re:It's been done (Score:3, Informative)

      by LostCluster ( 625375 ) *
      But that doesn't solve the problem because there's nothing preventing the same real person from having two or more MS Passports or AOL ScreenNames.

      That's what this person is trying to do. Limit free trial offers to one to a customer. Something tells me that's just not possible.
    • I'm sure there are tons of online user ids, the biggest being passport and yahoo.

      Yes, and I have several ID's on each service. Some even under my own name. That's the issue that is at question. Whether it needs to be resolved or not I leave as an excersize for the student.

    • Re:It's been done (Score:5, Informative)

      by GarfBond ( 565331 ) on Sunday July 11, 2004 @09:29PM (#9670734)
      And a bunch of microsoft-hatin' companies are already attempting to do it in a semi-open way: Liberty Alliance Project []

      . Whitepapers and guidelines are already available from them. Note that when the whole passport thing fizzled (have *you* seen anyone use it other than MSN and ebay?), the Liberty Alliance doesn't seem to have gotten much more steam either.

      Companies listed as members of the Liberty Alliance include AOL, Sun, Novell, Oracle, HP, etc. (full list here [])I would say that if anyone's going to pull it off, it would be these guys and not a random /. poster.

    • Re:It's been done (Score:3, Interesting)

      by Frederic54 ( 3788 )
      there's a problem with MS passport...

      for example I can open a passport with a fake address like "" assigining a password. Of course an email will be send to this address, but just a few seconds after registering, you can connect to MSNM for example with your email and password, and it will works.
      Passport does NOT wait for the confirmation link being clicked in the email, and as long as nobody deny it, you can login.
  • by Ars-Fartsica ( 166957 ) on Sunday July 11, 2004 @06:47PM (#9669751)
    The only way to truly verify identity online or offline is to appeal to a trusted authority...which currently people use driver's licenses or SSNs for. If you cannot establish a trusted authority that discrminates people you have never met before, your system is just another exploitable database.
    • by jackb_guppy ( 204733 ) on Sunday July 11, 2004 @07:11PM (#9669924)
      If you ask for DL or SS, there goes your business.

      Think about it.. that leads to claim of identity theif immedatily.

      Better question why offer 30 day demo software, or crippleware in the first place?

      Why not offer lower cost software, so it can be tossed if the customer does not like it.

      Or required the software to phone home every few days while in demo period. This why you can use embedded id of software / IP of coonection to determine if linesse is valid... but that will label you with SPYWARE instead.
    • "The only way to truly verify identity online or offline is to appeal to a trusted authority..."

      You could also go off the processor ID that Intel implemented back in the P2 or P3 days. Not as decisive, but Slashdot trolls won't buy new processors to have multiple accounts. ;)
      • by Gonoff ( 88518 ) on Sunday July 11, 2004 @07:44PM (#9670148)
        The processor ID is set to off in all BIOS I have seen and people are not going to turn it on. A lot of people are not even going to know how. Those of us who do know how won't.

        I have 2 PCs and a laptop in my house at present, does that mean I need to register 3 times to use the stuff?

      • The processor ID will not be useful in this case.
        The channel you use to check that ID is not secure. I could program my computer to lie about its ID and you wouldn't be able to distinguish a real answer from a fake one.
    • IT seems some people here are overstating the problem - "You'll never be able to have a foolproof system for verifying peple's identity!" So what? That isn't the problem he's trying to solve.

      The problem he's trying to solve is people avoiding paying for a service that offers free trials simply by creating multiple user IDs when the free trial is over. To prevent this, he doesn't need a foolproof system...

      He just needs a system where it is EASIER TO PAY FOR THE SERVICE than it is to get another ID, for
      • So, if we're talking software;
        - each build / install of the application should stop working after a while for evaluation purposes forcing the user to download a new copy
        - email a demo key to the user, only one allowed per email address
        Of course you're software could still be cracked allowing anyone to use the evaluation version / key as if it was registered.

        There will always be a small percentage that find a way around whatever you try to do. So don't make it too hard for legitimate users, or you shoot

    • by Adam9 ( 93947 ) on Sunday July 11, 2004 @08:40PM (#9670505) Journal
      I would setup a scoring system so that the user must have X points to successfully register their account.

      Points can be earned by:

      Depositing 2 random amounts of money into the person's checking account (like PayPal)

      Verifying their address with the address on their credit card

      Matching their phone number to their address through a phonebook (

      Have an automated call placed to the phone number listed and ask the person to input his/her date of birth as digits

      Have X other registered users verify that the person signing up is real

      Have the person fax in a notarized document of identity

      Send a letter/postcard in the mail with a code for the person to use to verify his/her address

      Have the person call a toll-free number and input their birth date and using caller id to verify the source of the phone call

      There are probably more ways, but like others said, if you're serious about this, you may want to look into starting a non-profit or LLC.

  • by Qzukk ( 229616 ) on Sunday July 11, 2004 @06:51PM (#9669775) Journal
    First, does it keep track of where I've used it? If so, then I want this used in my favor by allowing me access to this log to ensure that my identification has not been compromised.

    Second, can site A find out that I also use site B?

    Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)

    I think thats a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.
    • by ngunton ( 460215 ) on Sunday July 11, 2004 @07:02PM (#9669856) Homepage
      The answer is No, there is no tracking. All it does is store encrypted data that only you can read, and you can pass tickets to other users which are also encrypted (and can only be read by that user). So this is really not a distributed login system, or a tracking system, it's just a way of confirming that someone is who they say they are. See the White paper for details.
    • Credit card number? Forget it, most (smart) people would never give out their credit card number just to "authenticate" themselves. (On the other hand, enough idiots do this already, so maybe I'm wrong). Also, not everyone has a credit card.

      SSN? Great, Lots of fake ones out there. Besides the fact that many countries don't even HAVE social security numbers. Some have equivalent forms of ID, but many doesn't even have that.

      Passports? Well, I bought a Sealand passport off of eBay. ;)
  • Centralization (Score:5, Insightful)

    by prichardson ( 603676 ) on Sunday July 11, 2004 @06:52PM (#9669784) Journal
    Doesn't the idea of a central registry defeat the purpose of the internet anyway?

    The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.

    Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist news letter of he's a hardcore christian?
    • While the OP clearly has "a" site now with his test code, there is absolutely no reason the system could not be expanded to dozens or hundreds of autonomous entities each offering verification of identity.

    • Re:Centralization (Score:3, Informative)

      by ngunton ( 460215 )
      Please read the White Paper, it answers just about all your questions.

      Why centralization may be necessary []

      Data is encrypted, only you can read it []

    • Do you want it to be possible for your boss to find out that you subscribe to an atheist news letter of he's a hardcore christian?

      I'm trying to imagine what an athiest newsletter might have to say every month...

      "Supreme Being: Still Made Up" or something like that?
    • This has largely been kept true...

      This, unfortunately, is SO not true any longer. I can tell you the names of 13 machines to take out, after which most of the 'net won't function. Care to guess what they are?

      As soon as commercial interests hit the 'net, it's ability to survive substantial damage and continue functioning began to disappear.

  • Simplicity - the service should be simple and easy to use, so that your average non-geek can use it without having to care about encryption, PKI infrastruction, digital certificates or other arcane knowledge.

    Yeah, that infrastruction. A real bitch.

    Seriously, though. You seem to be thinking of people mailing notarized passport photocopies!? Yeah right. The vast majority of FRR sites only want to know their advertising demographics and do some geotargeting (also with ads). They don't need to know yo
  • by deft ( 253558 ) on Sunday July 11, 2004 @06:53PM (#9669799) Homepage
    you really are the owner of this website?
  • by Lumpy ( 12016 ) on Sunday July 11, 2004 @06:55PM (#9669808) Homepage
    I dont care what you try to come up with, I bet you $100.0 that within 24 hours I can figure out a way to get multiple user id's on it.

    Hell meet the right people and you can get multiple Social Security number, drivers licenses, and passports.

    ALL identification systems can be subverted and online ones that do not require a large amount of 3rd party and usually highly reliable data backing up your claims to be you is really easy to subvert.

    I tried to find a solution like this over 7 years ago for the company I work for. it is impossible to make a foolproof system and I proved it to the board of directors that trying to do this will only piss off the customers and give us nothing but a false sense of security that really does not exist.
  • by Anonymous Coward on Sunday July 11, 2004 @06:55PM (#9669810)
    Have you looked at the people? They are basically doing the same thing and issuing digital certificates based on the person and his/her level of authenticity. Since you have to use your drivers license, passport, or something of that sort, its hard to get a second account :-)
  • by midifarm ( 666278 ) on Sunday July 11, 2004 @06:55PM (#9669812) Homepage
    I typically hate being FORCED to register to use a web site. Furthermore I hate being tracked as I use the site. This idea is just short of installing an always on GPS in my car, oh wait isn't that called OnStar? Furthmore, I think this type OnlineID is intrusive and totalitarian. Beware!


  • Thawte Web of Trust (Score:5, Informative)

    by Rupan ( 723469 ) on Sunday July 11, 2004 @06:56PM (#9669819) Homepage
    Well, I should think you could write hooks into the free Thawte web of trust system to achieve this goal. Why reinvent the wheel?
  • by hawkeyeMI ( 412577 ) <(moc.ecitkcorb) (ta) (kcorb)> on Sunday July 11, 2004 @06:57PM (#9669821) Homepage
    I'll just register with a dummy email address []!
  • Privacy policy? (Score:5, Insightful)

    by MisanthropicProgram ( 763655 ) on Sunday July 11, 2004 @06:59PM (#9669838)
    I don't see one and this doesn't cut it:
    Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games
    Until privacy is addressed with a lock tight policy, like, "We'll never give out your info." I will never become a client.
    • Re:Privacy policy? (Score:2, Informative)

      by ngunton ( 460215 )
      Did you look around at all? There's a Privacy Policy [] which is under the Help section. It's even linked to directly from the front page. And yes, it states pretty much that your information will never be shared with anyone, for any reason, without your consent (or unless required by law, which I guess anyone has to be held to).

  • A matter of trust (Score:5, Insightful)

    by plsuh ( 129598 ) <> on Sunday July 11, 2004 @06:59PM (#9669840) Homepage
    Nice cut at things, but why on earth should we trust you?

    This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This is both leaks to the outside world in general via website spoofs, phishing, and the like, as well as internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).

    You would do well to read up on the design documents and white papers from the Liberty Alliance []. This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.

  • by Anonymous Coward
    ahhhh, isn't this what the liberty alliance is all about?

  • by fsterman ( 519061 ) on Sunday July 11, 2004 @07:01PM (#9669852) Homepage
    How are you gonna make sure people don't get another one? "You send in notarized copies of documentation such as passport, birth certificate, drivers license, utility bills etc." Riiiiiight, I got three people in this house that won't be using this thing. Along with plenty of insecure garbages all over town full of utility bills. Even shit like SS# are _VERY_ easy to get. How do you think illegal workers work? With fake SS cards they buy for $50-$100. This is a really useless idea.
  • Given That... (Score:2, Insightful)

    Given that we cannot establish identity completely anywhere else in society short of invasive DNA testing (identical twins beat this one) or fingerprints (already shown to be easily spoofed), why should cyberspace be any different? We're awash in counterfeit identity documents good enough to pass, and sold on street corners for a few bucks and a few minute's waiting. Most IP addresses dynamically change faster than presidential candidates positions on the issues. You might be able to generate a unique PC
  • Paypal (Score:5, Informative)

    by Noksagt ( 69097 ) on Sunday July 11, 2004 @07:05PM (#9669872) Homepage
    You've gotten a lot of responses to "use Passport" and the like. Passport, of course, doesn't uniquely identify you--you can easily get multiple passport accounts.

    Instead, use Paypal or similar financial services who have an interest in verifying ID. Yes, many have problems with Paypal eating money, etc. Guess what: Most will probably have a bigger problem sending YOU their personal info & paypal already has a lot of personal info.

    Just make users send you the send you the smallest amount possible as pseudo-micropayment. And/or send THEIR paypal account some small amount. That will probably be cheaper than doing verification yourself.
    • Maybe this is where to start -- not necessarily with PayPal, but the idea of distributed "identifying entities." Rather than spending your time on a site for registration, design an infrastructure that allows entities who do know with some certainty who I am ( say, the Instituto Nacional de Migracion, who handle my residence visa, or my banker who handles my money ) to allow me to issue these same identifying tickets to other parties.

      Be like BASF "We don't make the identity database. We make the iden

  • I don't really know how well the mod_perl backend will stand up...

    That's what /. is here for. I suggest you count in minutes, not hours.

  • this is really stupid. Autor states that electronic signig and autentication never really caught on with geeks, but for some reason, he thinks that just about everybody will be thrilled with his implementation. What a great concept ! Have your vital info notarised, scan it,s end it around etc... Yeah! What an imoprovement over PGP etc, where you simply send a few tens of bytes of your public key... Not to mention the smallish issue of the security of that central authorisation point. While the official k
  • I can only see where this is going.

    First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or, even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day." do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I suppossed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?

    If you or company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?

    I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.

  • Why? (Score:4, Insightful)

    by max born ( 739948 ) on Sunday July 11, 2004 @07:27PM (#9670030)
    Nice idea, Michael, but why would I want this?

    What problem does it solve?

    I already do online banking, shopping, bill paying, etc.. What additional service could I get from registering with you?
    • Nice idea, Michael, but why would I want this?

      What problem does it solve?


      No more spam.

      If you can verify that each message comes from a specific person, you can filter out the known spammers and get on with your life.

      If you're creative, you can come up with more problems for this solution fairly easily.
  • The main problems are that this just shifts the point of failure (or deception or fraud) to third parties. Instead of you yourself lying about your identity to someone over an insecure communications system, now you're dependent on whatever procedure people identify themselves with to this registry. Ultimately someone at the registry has to examine the documents submitted by someone and decide whether or not it's legitimate (and thereby mark the user as verified). How can he managed to never be deceived?

  • Here in Finland every bank offers sign-in with your bank web-account-id, and the protocol (TUPAS) is standardized here in finland by a central authority (Pankkiyhdistys), so that when you include this authentication system to your application, with the same effort, it works with all the banks (and potential customers). Allmost all the transactions and bill paying is done electronically in web-banks here in Finland, so almost everybody has these id's already. The bank authenticates the user at the local offi
  • Forget verification. Filling in endless registration forms for come-and-go websites is a prohibitive barrier to massifying web commerce. Just implement a database of records with unique IDs, and suffixes for levels of info disclosure, and people will use the IDs in a single registration field all over the web. It's like M$ passport without the onerous security infrastructure. If you presign a giant damages agreement in the event someone proves you've divulged their info against the license you've gotten fro
  • For Profit? (Score:2, Informative)

    "Should it be for-profit or non-profit?"

    Hey There,

    I would suggest you go with a proven business model.

    Should be "non-profit".

    Just make sure that you patent the idea.
    Don't tell anyone about the pending patent.
    Work as part of a standards group to gain wide acceptance.
    Wait 3-5 years.

    Now what's the phrase I'm looking for?
    Damn the torpedoes?
    Up periscope?

    Surface that submarine ;)

    --The Dude
  • why would i give you, or anyone for that matter... my personal information..

    and why on gods green earth would i spend the time to SEND you NOTARIZED ($$) copies of my UBER-private documents (step #3 on his page)...


    a "free trial" or "free registration"?

    through a third-party.

    no way... im too lazy to give my lawyer those documents in an orderly fashion... much less for a free trial to mens life online magazine.

  • One of the main problems that I see in identity/privacy/security issues at the moment is that people are convinced that there is a purely technological solution. That's just false. One thing you will have to consider is how much it is worth it to someone to cheat, what are the initial costs of getting an identity, and what are the costs to a discovered cheater. If the benefits to cheating outweigh the costs at all, then you lose. If there is money to be made in cheating, someone will find a way to do it.
  • by Psychic Burrito ( 611532 ) on Sunday July 11, 2004 @08:02PM (#9670254)
    Your inital problem was "people register n times at my site and I can't stop them". Here's a different way to stop people:

    Have a central registry with only an ID and a phone number. To activate your ID, the system calls you and tells you a number which you subsequently type in a web form. The "ID" is then considered "validated".

    Your initial web app can now call the DB and ask if the ID is validated. If it is, everything's fine.

    Advantages: Less privacy intruision (people only have to trust that the central registry won't tell the phone numbers anybody). Simple to set up for both the central registry and any service. Quite efficient (most people don't have access to more than a few phone numbers).

    Case solved. :-)

    If you implement it, don't forget us poor buggers from Europe who would like to use the app too! :-)
  • by adzoox ( 615327 ) * on Sunday July 11, 2004 @08:05PM (#9670269) Journal
    Actually this exploit of IDS is a two edged sword for those that try to exploit it.

    If you keep track of IP addresses and do a little research at netcraft - you can really expose someone for being a fraud.

    On my website, I have followed such a person [], and exposed that he was registering as different aliases and agreeing with his own posts pretending to be other people. In some cases, just so he would look like he wasn't the same person he would criticise his previous comments.
  • Just to be clear... (Score:5, Informative)

    by ngunton ( 460215 ) on Sunday July 11, 2004 @08:06PM (#9670277) Homepage
    Hi, I'm the developer of the Online ID Registry prototype. I wanted to clarify some points:

    a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.

    b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.

    c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.

    Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?

    Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.

    Still thinking - thanks for the feedback.

    • Let's reply to this...

      a) Prove this. You probably can't, you'll have to develop a track record of behavior
      b) Is it encrypted on my computer before getting to your database? Or am I supposed to assume that you'll be honest and you'll 1) actually encrypt the data and 2) won't keep the password?
      c) OK, so you're asking the slashdot crowd to help you play and test ... good luck on a) and b)

      (Everytime you attempt to quickly placate the fears of your potential audience, you risk weakening the system. I'd r

    • And how do you confirm that these Notaries Public are actually Notaries Public? You think it's that hard to get a fucking embossing machine?
    • Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems.

      As a computer programmer for over 24 years and a Notary Public for over 24 months, I'd like to point out something else. In the Commonwealth of Virginia, notaries cannot authenticate copies of some government issued documents. I cannot authenticate a birth certificate, for example; the instructio

      • by ngunton ( 460215 )
        Thanks, this is exactly the kind of feedback that I need. So you're basically saying that the Notary Public system is flawed in that it won't be possible to either validate copies of certain documents, or even trust any validation that does occur? Well, I guess the Notary Public system must be useful for *something*, otherwise it wouldn't exist, right? At a bare minimum, for instance, a NP can be a witness that a document was signed by a certain person, and you can make sure that the person identified thems
  • not the right way to go. When you try to tie online identity to real-world identity, you begin to encounter serious circle-of-trust and privacy issues, which many will balk at rather than use your system.

    That's why some think the best you can do is track the behavior of an online identity in some manner that minimizes the impact of throwaway identities.

    In fact, that's the basis of a distributed, P2P anti-spam project we've recently started, called GOSSiP. There's a white paper and mailing list [] availa
  • by ninjaz ( 1202 ) on Sunday July 11, 2004 @08:30PM (#9670438)
    Sure, you could require registration with a credit card, but this immediately turns many people off and negates the whole point of a free trial.

    So, people don't want to give out their credit card numbers for free trial... But they will want to give you their DOB/Address/Passport/etc? Sure, the individual site wouldn't be the one causing the immediate nuisance, but you still have the problem of getting people on the system to begin with. If they were loathe to provide you with a credit card number, what would make them more willing completely hand over their identities?

    Also, you're being incredibly disingenuous with statements like this (in the Quick Tour section):

    Register - this is free, and involves entering some basic personal information about yourself, such as Name, Address, Date of Birth and Sex. These are attributes that can be verified via documentation.
    All of your personal information is encrypted, so nobody but you can ever see it.

    But, the registration is non-SSL and requests name/DOB/address. I see that buried in the "Terms and Conditions" and "Implementation" section, but, saying "nobody but you can ever see it" anywhere on the site when you're not even using SSL in transit shouts loud and clear that you aren't the one to trust with any sensitive data.

    You should have a big highly-visible warning on the registration page about being a prototype and that there is no SSL, and that having no SSL means all information is sent insecurely to you. Not statements that "no one but you can ever see this information" in big print, and "Oh, I was lying about that" in small print.

    Stating "no one but you should ever see it" regarding the database being encrypted is also a big false sense of security. Since the password is being given to your server, it can be intercepted on the server. If someone has access to steal the database, they've most likely got access to harvest some passwords first, too. Of course, since you're doing everything in cleartext in-transit right now, it could be intercepted over the network, too.

  • Never give out your name and address on the internet unless youre trusting them with your credit card details as well :)
  • Certificates? (Score:5, Interesting)

    by shird ( 566377 ) on Sunday July 11, 2004 @09:22PM (#9670701) Homepage Journal
    Why not just use the existing mechanism of personal certificates/digital IDs? These achieve the same effect, but without the requirement of a lookup on a centralised database. ie, the certificate holds all the required information, and is digitally signed by a trusted party which has supposudly verified the information.

    As everyone has this trusted party's public key (ie Verisign), they can verify the information.

    All the same benifits, without the need of some central database. If you dont trust verisign, or don't like their business practices, then just become a CA yourself and work in exactly the same way. It is much more flexible than a central online database.
    • Re:Certificates? (Score:3, Interesting)

      by shird ( 566377 )
      But if for some reason you really need to have this centralised database for identies, just let people upload their certificates to your server for people to lookup. As these are public anyway, people would rather submit that than mail a bunch of personal information to you.

      Of course, the problem here is the only 'unique' thing in the certificate is the name, which their can be many duplicates.

      The solution of course is still to be a CA, but issue certificates with a property which gaurantee uniqueness to
  • My advice (Score:3, Interesting)

    The first thing I would suggest is to patent that idea ASAP before someone else steals it.

    The second is to write a business proposal to online companies to sell them on your idea and why it is better than MS Passport, KeyType, MyUID, and others.

    So what is to prevent someone from creating a fake Yahoo or Hotmail mail account, and then using it to create a mail account somewhere else that requires email verification. Then use the other email which passes the free web email checks that other sites use? Once they got an account in your database, they can enter fictatious info, and repeat this many ways. If you filter by IP or subnet, what prevents them from using a web proxy?

    People won't want to enter their SSN, and what about someone not from the USA, what do they enter? What about people who can generate fake SSNs, or fake passport numbers, or fake driver's licenses? How do you check for all that?

    If you require them to enter a valid credit card number, what about those who do not have a credit card? Can they enter a checking account number? What if someone does not trust you with this information or they use fake or stolen accounts? Someone with a program that uses the same formula to check credit card numbers can reverse it to create a fake number that passes your check. What then?

    The best way to deal with this problem is to change the software on the end of the service that is providing the content. Maybe trial users can only read so many pages, or get a ton of more advertising and pop-ups than if they had subscribed? Or maybe requiring the trial member to wait 3 minutes before a page loads, and show them a page of benefits should they pay to register? The trial registration, maybe, has a large survey that they must complete, so that creating a new account is going to be more trouble than it is worth. Also limited trial memberships will be issued to subnets per month. If a subnet has over a certain number, they must wait until the next month to register a trial. There needs to be a way to limit trial memberships to prevent abuse.
  • by Animats ( 122034 ) on Sunday July 11, 2004 @10:18PM (#9671024) Homepage
    This solves a problem we don't really have, which is why the last five or so attempts to solve it haven't gone anywhere.

    What we need is a solid way to identify everyone who takes credit cards on the Internet, to help deal with spammers. It's a crime in many areas (California, for one) to run an anonymous business. California requires that the actual name and address of the business (not a P.O. box, unless you file some extra paperwork) be shown to the customer before the site accepts a credit card number. So it's not controversial to require this. It just needs a better implemention.

    What we need is a banking regulation requirement that when a credit card merchant bank accepts a credit card transaction, there's a check at the bank's payment gateway of the web page from which the transaction came. The page must be SSL, of course. Its certificate information should be validated agains the ownership info for the merchant's bank account The credit card transaction (merchant to bank) should be signed with the same key that signs the web page. Otherwise, the bank is required to reject the transaction.

    This requires zero consumer-side changes. It makes it much easier to figure out who to blame for spam. Just get to the payment page and read the certificate. Right now, most SSL certificates don't guarantee anything. This forces accurate info into the site's certificate, or the transaction bounces.

    It would be a pain for companies that rely on "affilate networks" and other marginal indirect payment schemes. But that's probably a good thing.

  • by John Hasler ( 414242 ) on Sunday July 11, 2004 @10:49PM (#9671199) Homepage
    > Then there's the question of what happens to all
    > the documentation that has been sent in. I think
    > that for security and audit purposes, we do need
    > to keep it in some form.

    On the contrary. Yot need to *destroy* those documents for security and audit purposes.
  • by john_smith_45678 ( 607592 ) on Sunday July 11, 2004 @10:57PM (#9671238) Journal
    Yeah, those could NEVER be forged, stolen, etc.
  • by UnrepentantHarlequin ( 766870 ) on Sunday July 11, 2004 @11:40PM (#9671526)
    Being Slashdot nerds, we tend to look first at the technical aspects of a problem. But in this case, the greatest difficulty is not technical. The biggest part of the problem is trust -- namely, users' trust for you.

    This might surprise a lot of people, but the majority of credit card fraud is not carried out by shoulder surfers, packet sniffers, l33t hackers, or any other third parties. It's done by the merchants themselves, or by their employees. Yep: the people most likely to misuse your CC info are the people you voluntarily give it to.

    You're planning to ask people to give you information that can positively identify them in a non-face-to-face environment. Which means that you, your eventual employees, the investigators you hire to verify that the documents people send you are real, etc., will all potentially have access to that information. You first have to work out a bulletproof means to protect that information, even from yourself, and then you have to convince prospective users (remember, these are the people who are afraid to send their CC info over the Net) that you've protected it adequately. You can convince yourself . . . you might possibly be able to convince me . . . but it'll be a cold day in hell before you convince my mother-in-law.

    There are a lot more mothers-in-law who have heard scary news stories about identity theft than there are Slashdotters.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.