Slashdot Mirror


An Online ID Registry

Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the Slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other CPU-intensive activities, so I don't really know how well the mod_perl backend will stand up...)"

7 of 278 comments

  1. My random thoughts.... by YankeeInExile · · Score: 4, Interesting

    Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a compute-intensive application I'm playing with ... I think I'll talk about it on slashdot. What's that crashing sound I hear?

    As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extremely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?

    Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.

    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  2. What I'd have to know to use it: by Qzukk · · Score: 5, Interesting

    First, does it keep track of where I've used it? If so, then I want this used in my favor by allowing me access to this log to ensure that my identification has not been compromised.

    Second, can site A find out that I also use site B?

    Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)

    I think that's a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
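
One way a registry could address the second and third questions above, as an added Go example that is not part of the original comment or of the prototype in the submission: the registry hands each site a different keyed-hash identifier for the same verified person, so a site can detect a repeat registration without learning who the person is or matching its records against another site's. The key, person identifier and site names are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pairwiseID is computed by the registry: HMAC-SHA256 over (person, site) under a
// key only the registry holds. Fields are length-prefixed so that ("ab","c") and
// ("a","bc") can never feed the MAC the same bytes.
func pairwiseID(registryKey []byte, personID, site string) string {
	mac := hmac.New(sha256.New, registryKey)
	for _, field := range []string{personID, site} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		mac.Write(n[:])
		mac.Write([]byte(field))
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// trialSite is the relying site. It stores only opaque IDs, never the person.
type trialSite struct{ seen map[string]bool }

// register returns false when the same verified person has signed up here before.
func (s *trialSite) register(id string) bool {
	if s.seen[id] {
		return false
	}
	s.seen[id] = true
	return true
}

func main() {
	key := []byte("constructed-registry-key") // sample value for the demo
	a := &trialSite{seen: map[string]bool{}}
	idA := pairwiseID(key, "person-42", "site-a.example")
	idB := pairwiseID(key, "person-42", "site-b.example")
	fmt.Println("first signup at A:", a.register(idA))  // true
	fmt.Println("second signup at A:", a.register(idA)) // false
	fmt.Println("A and B see the same ID:", idA == idB) // false
}
```
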
  3. Re:It's been done by Anml4ixoye · · Score: 4, Interesting

    Thawte does this as well - they have a network of people who can verify your identity throughout the country, and if you can be positively identified enough, you can become an identifier. Seems to work pretty well (See their Freemail section).

  4. Re:Appeal to authority by jackb_guppy · · Score: 3, Interesting

    If you ask for DL or SS, there goes your business.

    Think about it.. that leads to claims of identity theft immediately.

    Better question why offer 30 day demo software, or crippleware in the first place?

    Why not offer lower cost software, so it can be tossed if the customer does not like it.

    Or require the software to phone home every few days while in demo period. This way you can use embedded id of software / IP of connection to determine if license is valid... but that will label you with SPYWARE instead.

  5. Trust, and the 'trustworthy computing' by ONU+CS+Geek · · Score: 3, Interesting

    I can only see where this is going.

    First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or, even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day."

    Second...how do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I supposed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?

    If you or company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?

    I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.

    Ian

    --

    I disable sigs...do you?
  6. Use multiple sources of trusted authorities by Adam9 · · Score: 4, Interesting

    I would set up a scoring system so that the user must have X points to successfully register their account.

    Points can be earned by:

    - Depositing 2 random amounts of money into the person's checking account (like PayPal)
    - Verifying their address with the address on their credit card
    - Matching their phone number to their address through a phonebook (anywho.com/rl.html)
    - Have an automated call placed to the phone number listed and ask the person to input his/her date of birth as digits
    - Have X other registered users verify that the person signing up is real
    - Have the person fax in a notarized document of identity
    - Send a letter/postcard in the mail with a code for the person to use to verify his/her address
    - Have the person call a toll-free number and input their birth date and using caller ID to verify the source of the phone call

    There are probably more ways, but like others said, if you're serious about this, you may want to look into starting a non-profit or LLC.

  7. Certificates? by shird · · Score: 4, Interesting

    Why not just use the existing mechanism of personal certificates/digital IDs? These achieve the same effect, but without the requirement of a lookup on a centralised database. i.e., the certificate holds all the required information, and is digitally signed by a trusted party which has supposedly verified the information.

    As everyone has this trusted party's public key (i.e. Verisign), they can verify the information.

    All the same benefits, without the need of some central database. If you don't trust Verisign, or don't like their business practices, then just become a CA yourself and work in exactly the same way. It is much more flexible than a central online database.

    --
    I.O.U One Sig.