Slashdot Mirror


An Online ID Registry

Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the Slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other CPU-intensive activities, so I don't really know how well the mod_perl backend will stand up...)"

6 of 278 comments

  1. Appeal to authority by Ars-Fartsica · Score: 5, Insightful

    The only way to truly verify identity online or offline is to appeal to a trusted authority...which currently people use driver's licenses or SSNs for. If you cannot establish a trusted authority that discriminates people you have never met before, your system is just another exploitable database.

  2. What I'd have to know to use it: by Qzukk · Score: 5, Interesting

    First, does it keep track of where I've used it? If so, then I want this used in my favor by allowing me access to this log to ensure that my identification has not been compromised.

    Second, can site A find out that I also use site B?

    Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)

    I think that's a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Centralization by prichardson · Score: 5, Insightful

    Doesn't the idea of a central registry defeat the purpose of the internet anyway?

    The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.

    Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist newsletter if he's a hardcore Christian?

    --
    Help I'm a rock.
  4. Re:It's been done by nkh · Score: 5, Informative

    Microsoft Passport and its OSS port: MyUID (as seen on /. here)

  5. Thawte Web of Trust by Rupan · Score: 5, Informative

    Well, I should think you could write hooks into the free Thawte web of trust system to achieve this goal. Why reinvent the wheel?

    http://www.thawte.com/email/index.html

    --
    Ads? What ads?
  6. Privacy policy? by MisanthropicProgram · Score: 5, Insightful

    I don't see one and this doesn't cut it:
    Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games
    Until privacy is addressed with a lock-tight policy, like "We'll never give out your info," I will never become a client.