Slashdot Mirror
An Online ID Registry
Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other cpu intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
"I am sort of stuck with a working website but nowhere to go with it."
Not anymore you don't. Problem solved!
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a
compute-intensive application I'm playing with ... I think I'll talk
about it on slashdot. What's that crashing sound I hear?
As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extemely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?
Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
see microsoft passport. I'm sure there are tons of online user ids, the biggest being passport and yahoo.
I wonder how hard it would be for an independant website to use passport for id?
Anyway, making your system for-profit would be kind of pointless, since there are already much larger commercial offerings. I'm not aware of many non-commercial ones, though. oh well.
autopr0n is like, down and stuff.
The only way to truly verify identity online or offline is to appeal to a trusted authority...which currently people use driver's licenses or SSNs for. If you cannot establish a trusted authority that discrminates people you have never met before, your system is just another exploitable database.
First, does it keep track of where I've used it? If so, then I want this used in my favor by allowing me access to this log to ensure that my identification has not been compromised.
Second, can site A find out that I also use site B?
Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)
I think thats a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Doesn't the idea of a central registry defeat the purpose of the internet anyway?
The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.
Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist news letter of he's a hardcore christian?
Help I'm a rock.
you really are the owner of this website?
There's nothing Intelligent about Intelligent Design.
I dont care what you try to come up with, I bet you $100.0 that within 24 hours I can figure out a way to get multiple user id's on it.
Hell meet the right people and you can get multiple Social Security number, drivers licenses, and passports.
ALL identification systems can be subverted and online ones that do not require a large amount of 3rd party and usually highly reliable data backing up your claims to be you is really easy to subvert.
I tried to find a solution like this over 7 years ago for the company I work for. it is impossible to make a foolproof system and I proved it to the board of directors that trying to do this will only piss off the customers and give us nothing but a false sense of security that really does not exist.
Do not look at laser with remaining good eye.
Have you looked at the http://www.cacert.org people? They are basically doing the same thing and issuing digital certificates based on the person and his/her level of authenticity. Since you have to use your drivers license, passport, or something of that sort, its hard to get a second account :-)
Peace
Well, I should think you could write hooks into the free Thawte web of trust system to achieve this goal. Why reinvent the wheel?
http://www.thawte.com/email/index.html
Ads? What ads?
I'll just register with a dummy email address!
Error 404 - Sig Not Found
I don't see one and this doesn't cut it:
Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games
Until privacy is addressed with a lock tight policy, like, "We'll never give out your info." I will never become a client.
Nice cut at things, but why on earth should we trust you?
This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This is both leaks to the outside world in general via website spoofs, phishing, and the like, as well as internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).
You would do well to read up on the design documents and white papers from the Liberty Alliance. This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.
--Paul
How are you gonna make sure people don't get another one? "You send in notarized copies of documentation such as passport, birth certificate, drivers license, utility bills etc." Riiiiiight, I got three people in this house that won't be using this thing. Along with plenty of insecure garbages all over town full of utility bills. Even shit like SS# are _VERY_ easy to get. How do you think illegal workers work? With fake SS cards they buy for $50-$100. This is a really useless idea.
Is there anything better than clicking through Microsoft ads on Slashdot?
You've gotten a lot of responses to "use Passport" and the like. Passport, of course, doesn't uniquely identify you--you can easily get multiple passport accounts.
Instead, use Paypal or similar financial services who have an interest in verifying ID. Yes, many have problems with Paypal eating money, etc. Guess what: Most will probably have a bigger problem sending YOU their personal info & paypal already has a lot of personal info.
Just make users send you the send you the smallest amount possible as pseudo-micropayment. And/or send THEIR paypal account some small amount. That will probably be cheaper than doing verification yourself.
I can only see where this is going.
First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or, even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day."
Second...how do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I suppossed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?
If you or company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?
I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.
Ian
I disable sigs...do you?
Nice idea, Michael, but why would I want this?
What problem does it solve?
I already do online banking, shopping, bill paying, etc.. What additional service could I get from registering with you?
Nope. Liberty is a free project for centralized user IDs... but has no component for the killer app this person is looking for, preventing the same person from using two or different accounts to get treated as a new signup two or more times...
Seems to me that the needs of the website owners are at variance with those of the website -- or more accurately -- online community -- users. Look, if I'm selling ads on /., I'm touting every impression as unique, by a major IT Industry Knowledge Worker/Decision Maker. You want to provide substantiation that it's really one 14-year-old with 35 different aliases and a singularly large amount of free time on his hands? R U Crazy?! Jeez, if this catches on, it's the end of the Web/Blog Ad Sales model as we know it...
Which is to say: GO, MAN, GO....!!!
Hi, I'm the developer of the Online ID Registry prototype. I wanted to clarify some points:
a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.
b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.
c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.
Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?
Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.
Still thinking - thanks for the feedback.
-Neil
So, people don't want to give out their credit card numbers for free trial... But they will want to give you their DOB/Address/Passport/etc? Sure, the individual site wouldn't be the one causing the immediate nuisance, but you still have the problem of getting people on the system to begin with. If they were loathe to provide you with a credit card number, what would make them more willing completely hand over their identities?
Also, you're being incredibly disingenuous with statements like this (in the Quick Tour section):
But, the registration is non-SSL and requests name/DOB/address. I see that buried in the "Terms and Conditions" and "Implementation" section, but, saying "nobody but you can ever see it" anywhere on the site when you're not even using SSL in transit shouts loud and clear that you aren't the one to trust with any sensitive data.
You should have a big highly-visible warning on the registration page about being a prototype and that there is no SSL, and that having no SSL means all information is sent insecurely to you. Not statements that "no one but you can ever see this information" in big print, and "Oh, I was lying about that" in small print.
Stating "no one but you should ever see it" regarding the database being encrypted is also a big false sense of security. Since the password is being given to your server, it can be intercepted on the server. If someone has access to steal the database, they've most likely got access to harvest some passwords first, too. Of course, since you're doing everything in cleartext in-transit right now, it could be intercepted over the network, too.
Points can be earned by:
Depositing 2 random amounts of money into the person's checking account (like PayPal)
Verifying their address with the address on their credit card
Matching their phone number to their address through a phonebook (anywho.com/rl.html)
Have an automated call placed to the phone number listed and ask the person to input his/her date of birth as digits
Have X other registered users verify that the person signing up is real
Have the person fax in a notarized document of identity
Send a letter/postcard in the mail with a code for the person to use to verify his/her address
Have the person call a toll-free number and input their birth date and using caller id to verify the source of the phone call
There are probably more ways, but like others said, if you're serious about this, you may want to look into starting a non-profit or LLC.
Why not just use the existing mechanism of personal certificates/digital IDs? These achieve the same effect, but without the requirement of a lookup on a centralised database. ie, the certificate holds all the required information, and is digitally signed by a trusted party which has supposudly verified the information.
As everyone has this trusted party's public key (ie Verisign), they can verify the information.
All the same benifits, without the need of some central database. If you dont trust verisign, or don't like their business practices, then just become a CA yourself and work in exactly the same way. It is much more flexible than a central online database.
I.O.U One Sig.