
An Online ID Registry

michael posted more than 10 years ago | from the just-send-me-your-birth-certificate dept.

Privacy 278

Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the Slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other CPU-intensive activities, so I don't really know how well the mod_perl backend will stand up...)"


278 comments


Interesting choice of words... (4, Funny)

miketang16 (585602) | more than 10 years ago | (#9669727)

"I am sort of stuck with a working website but nowhere to go with it."

Not anymore you don't. Problem solved!

Re:Interesting choice of words... (4, Insightful)

Nurseman (161297) | more than 10 years ago | (#9669783)

"I am sort of stuck with a working website but nowhere to go with it."

Let's see, a central repository of people's personal data, so someone can verify that we are trying a program for the first time? Oh, yeah, I can see that flying.
Sarcasm aside, I just don't see it happening, too much potential for abuse. Imagine if this repository was hacked?

Re:Interesting choice of words... (1)

miketang16 (585602) | more than 10 years ago | (#9669785)

EDIT: Not anymore you aren't. (typed too quickly I suppose)

Re:Interesting choice of words... (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9669922)

I'm replying to the first post so people will see my comment before all the others, suckers! Eat me, I taste good, bitches.

Your idea is hopeless. Identity can only be "verified" using something that's difficult or expensive to fake. Nobody is going to trust you with information that can be used for identity theft, so you can't rely on the government to do the enforcement for you. You can't afford enough private investigators to check up on every new account, and users wouldn't tolerate that anyway. Your only choice is to create a system that costs the user something to enter, so they incur greater costs if they enter multiple times. That's how game companies do it, they ban abusers and let them buy a new copy of the game with a new cd key for $50. If the initial registration is free, there's no way to do it. Either give up, charge a fee, or settle for allowing only some multiple registrations while blocking a lot of legitimate users.

Re:Interesting choice of words... (4, Insightful)

cgenman (325138) | more than 10 years ago | (#9670138)

I don't see how notarized copies of documents are easy or cheap to fake. Valid Drivers licenses are easier, but you can always verify the info with the state. Passports work great too.

The step that you're missing is not that xeroxes of these documents are hard to fake (they aren't) but that they are verifiable. If Mary Marsupial has a passport, the government can verify whether or not the information that she entered is correct. If there really is a Mary Marsupial with passport ID #15857287382748 VX123, with birthdate etc etc, they can verify that. Now, that doesn't necessarily mean that the person on the other end of that communication is actually Mary Marsupial, and the following step is to MAIL a confirmation code of some kind to the address of Mary Marsupial as listed by the passport. If you have that, you know that either A: this is really Mary Marsupial or B: Mary Marsupial is totally Owned.

Of course, all of this is hard work, and therefore would take paid registrations and a profit motive to achieve.

A new fan site (0, Offtopic)

Bad Move (774329) | more than 10 years ago | (#9669733)

Visit the Official Lynndie England Fansite [fanspace.com] .

Re:A new fan site (0)

Anonymous Coward | more than 10 years ago | (#9669888)

Wow, this guy sure has issues. He compares Michael Moore to Hitler. LOL.

My random thoughts.... (4, Interesting)

YankeeInExile (577704) | more than 10 years ago | (#9669746)

Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a compute-intensive application I'm playing with ... I think I'll talk about it on slashdot. What's that crashing sound I hear?

As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extremely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?

Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.

Re:My random thoughts.... (2, Informative)

Metteyya (790458) | more than 10 years ago | (#9669871)

"high identity-theft value" - That's some point here. You're asking people for literally every piece of personal ID info.

I don't know how it's resolved in US, but in Poland, where I live, every man has a unique PESEL number, given at the date of birth. This number consists of birthdate (first 6 digits) and a few other digits, containing (besides some pretty random data) info about sex and a checksum of all the previous data. Maybe you could use something like that? This way you could make it with just a person's name, sex, birthdate and such number - voilà!?
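The PESEL layout described above (six birthdate digits, a serial, a sex digit and a check digit, with the century folded into the month field) is public, so it can be parsed and validated offline. The following is an added example, not code from the thread or from the Online ID Registry; the function names are my own and the sample numbers in the test are constructed for this example and belong to nobody. The point a practitioner should take from it is the limit of such a check: a correct checksum proves the string is well formed, not that a person with that number exists or that the person typing it is that person, and the example itself shows how easy it is to construct a passing number.

```javascript
// Added example (not from the thread or the registry): parse and validate a
// Polish PESEL number. A PESEL is 11 digits:
//   YYMMDD  birth date, with the century encoded as an offset in the month field
//   SSS     serial number
//   X       sex digit (even = female, odd = male)
//   C       check digit over the first ten digits
// Sample numbers used with this code are constructed and do not belong to real people.

const PESEL_WEIGHTS = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];

// Century offsets added to the month field: 1900s use months 01-12, 2000s 21-32,
// 2100s 41-52, 2200s 61-72 and 1800s 81-92.
const CENTURY_OFFSETS = [[80, 1800], [0, 1900], [20, 2000], [40, 2100], [60, 2200]];

const pad2 = (n) => String(n).padStart(2, "0");

// Weighted sum of the first ten digits; the check digit brings it to a multiple of 10.
function peselCheckDigit(first10) {
  const sum = first10.reduce((acc, digit, i) => acc + digit * PESEL_WEIGHTS[i], 0);
  return (10 - (sum % 10)) % 10;
}

// Returns { valid: false, reason } or { valid: true, birthDate, sex }.
function parsePesel(pesel) {
  if (!/^\d{11}$/.test(pesel)) return { valid: false, reason: "must be 11 digits" };
  const d = [...pesel].map(Number);
  if (peselCheckDigit(d.slice(0, 10)) !== d[10]) {
    return { valid: false, reason: "check digit mismatch" };
  }
  let year = d[0] * 10 + d[1];
  let month = d[2] * 10 + d[3];
  const day = d[4] * 10 + d[5];
  let century = null;
  for (const [offset, base] of CENTURY_OFFSETS) {
    if (month > offset && month <= offset + 12) {
      century = base;
      month -= offset;
      break;
    }
  }
  if (century === null) return { valid: false, reason: "month field out of range" };
  year += century;
  // Reject impossible calendar dates (e.g. 30 February): Date would roll them over.
  const date = new Date(Date.UTC(year, month - 1, day));
  if (date.getUTCFullYear() !== year || date.getUTCMonth() !== month - 1 || date.getUTCDate() !== day) {
    return { valid: false, reason: "impossible date" };
  }
  return { valid: true, birthDate: `${year}-${pad2(month)}-${pad2(day)}`, sex: d[9] % 2 === 0 ? "F" : "M" };
}
```

Used as an input filter, this catches typos and obviously fabricated values; it does nothing against someone who registers repeatedly with different, equally well-formed numbers, which is exactly the problem the submitter is asking about.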

Re:My random thoughts.... (1)

CyberVenom (697959) | more than 10 years ago | (#9669949)

We have a "Social Security Number" here in the states, and despite the fact that when Social Security was instituted it was specifically prohibited that this number be used for identification purposes aside from collecting social security benefits, it has nonetheless become the de facto standard for numeric identification in the US.

Re:My random thoughts.... (1)

NanoGator (522640) | more than 10 years ago | (#9669879)

"As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust."

Yeah, like Microsoft's Passport service. And they don't even ask for utility information!

Re:My random thoughts.... (4, Insightful)

YankeeInExile (577704) | more than 10 years ago | (#9669883)

Another thought: How do you solve this problem?

Hey, man, I'll give you $5,000,000 to verify that I am William Gates of Redmond, WA.

Re:My random thoughts.... (2, Funny)

CtrlPhreak (226872) | more than 10 years ago | (#9670215)

Just be glad I'm not running it, to me that's not a problem, that's a bonus!

How Dare You Solve My "Problem!" (3, Funny)

RobotRunAmok (595286) | more than 10 years ago | (#9670106)

Seems to me that the needs of the website owners are at variance with those of the website -- or more accurately -- online community -- users. Look, if I'm selling ads on /., I'm touting every impression as unique, by a major IT Industry Knowledge Worker/Decision Maker. You want to provide substantiation that it's really one 14-year-old with 35 different aliases and a singularly large amount of free time on his hands? R U Crazy?! Jeez, if this catches on, it's the end of the Web/Blog Ad Sales model as we know it...

Which is to say: GO, MAN, GO....!!!

Cue the (-1, Troll)

cbrocious (764766) | more than 10 years ago | (#9669748)

Obligatory PHP over Perl supremacy comments!

It's been done (4, Insightful)

autopr0n (534291) | more than 10 years ago | (#9669750)

see microsoft passport. I'm sure there are tons of online user ids, the biggest being passport and yahoo.

I wonder how hard it would be for an independent website to use passport for id?

Anyway, making your system for-profit would be kind of pointless, since there are already much larger commercial offerings. I'm not aware of many non-commercial ones, though. oh well.

Re:It's been done (5, Informative)

nkh (750837) | more than 10 years ago | (#9669807)

Microsoft Passport and its OSS port: MyUID [myuid.com] (as seen on /. here [slashdot.org] )

Re:It's been done (1)

ngunton (460215) | more than 10 years ago | (#9669828)

This is not really the same as MS Passport, that is a single-signon system, this is simply a way to verify that someone is who they say they are. The Online ID Registry is not for logging into third party websites.

Re:It's been done (4, Interesting)

Anml4ixoye (264762) | more than 10 years ago | (#9669893)

Thawte does this as well - they have a network of people who can verify your identity throughout the country, and if you can be positively identified enough, you can become an identifier. Seems to work pretty well (See their Freemail section).

more porn sources (2, Informative)

theguywhosaid (751709) | more than 10 years ago | (#9670019)

hey auto, check out pictures-free.org [pictures-free.org] . autopr0n rocks!

Re:It's been done (2, Informative)

LostCluster (625375) | more than 10 years ago | (#9670069)

But that doesn't solve the problem because there's nothing preventing the same real person from having two or more MS Passports or AOL ScreenNames.

That's what this person is trying to do. Limit free trial offers to one to a customer. Something tells me that's just not possible.

Appeal to authority (5, Insightful)

Ars-Fartsica (166957) | more than 10 years ago | (#9669751)

The only way to truly verify identity online or offline is to appeal to a trusted authority...which currently people use driver's licenses or SSNs for. If you cannot establish a trusted authority that discriminates people you have never met before, your system is just another exploitable database.

Re:Appeal to authority (3, Interesting)

jackb_guppy (204733) | more than 10 years ago | (#9669924)

If you ask for DL or SS, there goes your business.

Think about it.. that leads to claims of identity theft immediately.

Better question why offer 30 day demo software, or crippleware in the first place?

Why not offer lower cost software, so it can be tossed if the customer does not like it.

Or require the software to phone home every few days while in demo period. This way you can use embedded id of software / IP of connection to determine if license is valid... but that will label you with SPYWARE instead.

Re:Appeal to authority (1)

NanoGator (522640) | more than 10 years ago | (#9669930)

"The only way to truly verify identity online or offline is to appeal to a trusted authority..."

You could also go off the processor ID that Intel implemented back in the P2 or P3 days. Not as decisive, but Slashdot trolls won't buy new processors to have multiple accounts. ;)

Re:Appeal to authority (3, Informative)

Gonoff (88518) | more than 10 years ago | (#9670148)

The processor ID is set to off in all BIOS I have seen and people are not going to turn it on. A lot of people are not even going to know how. Those of us who do know how won't.

I have 2 PCs and a laptop in my house at present, does that mean I need to register 3 times to use the stuff?

Who said anything about "Truly verify identity"? (2, Insightful)

raehl (609729) | more than 10 years ago | (#9670112)

It seems some people here are overstating the problem - "You'll never be able to have a foolproof system for verifying people's identity!" So what? That isn't the problem he's trying to solve.

The problem he's trying to solve is people avoiding paying for a service that offers free trials simply by creating multiple user IDs when the free trial is over. To prevent this, he doesn't need a foolproof system...

He just needs a system where it is EASIER TO PAY FOR THE SERVICE than it is to get another ID, for MOST people, MOST of the time.

If 1-5% of people still go through the bother of getting extra IDs, but 95-99% of people who would otherwise just keep abusing free trials end up paying for service instead, then the system might have value.

Whether that's enough value to justify the system however, I don't know. It seems a lot of places that have free trials actually BENEFIT from the "abuse" - take matchmaking sites for example. The larger a site is, the more value there is in a subscription. It's probably better for them to charge people willing to pay in order to keep the same login/profile and also have a buncha people who just keep doing free trials than it is to just have people who are willing to pay and get rid of the "leeches". Same reasoning as the "Pirated copies of Windows are good for microsoft" (market dominance) argument.

CHeck out my drawings!!1 (-1, Offtopic)

Steve 'Rim' Jobs (728708) | more than 10 years ago | (#9669752)

here [bayou.com]
comments/suggestions are most welcomed

Re:CHeck out my drawings!!1 (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9669829)

YOU SUCK! You're a shame to all hentai lovers here!

Re:CHeck out my drawings!!1 (0, Flamebait)

orthogonal (588627) | more than 10 years ago | (#9670154)

CHeck out my drawings!!1... comments/suggestions are most welcomed

Thank you so much for posting this link to your amateurish drawings of Furry [wikipedia.org] Hentai [wikipedia.org] .

After a weekend of consisting of drinking beer, posting on Slashdot, and not going out on any dates, I was naturally questioning whether I was a pathetic loser who had wasted his life on stupidities.

But after seeing your drawings of women with cow and lizard (or something, your cows and your lizards look pretty much the same but for their colors) heads, expression-less faces, impossible ballooning breasts, and crudely drawn swollen genitals stuffed full of gigantic dildos and tentacles, my depression lifted and I felt once again a real satisfaction in my life.

I realized that no matter how much time and potential I've frittered away in my life, no matter what mistakes I've made, nothing I have done is so pointless, lacking in artistic merit, or symptomatic of an inability to relate to women as other than dumb animals with giant boobies and gaping genitals, as the "art" work you are so deluded as to be proud of.

Once again, the internet has served its real purpose: to show, by the great diversity of its most dismal and fetid and stunningly pointless depths, that most of the rest of us are by comparison, balanced, happy, contributing members of society.

Thank you once again for making me -- and I'm sure legions of others -- feel better by displaying just how useless your life is. You are truly a holy martyr to the cause of human joy! Christians claim Christ for our sins, but you have outdone Jesus: you live for your pointless Furry obsession, and in so doing enrich all lives around you merely by comparison!

I salute you sir, for the happiness you bring to the world by allowing the rest of us the relaxing pleasure of some thorough Schadenfreude!

Mod parent up to bring this joy to all who read Slashdot!

Sign me up! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9669763)

Bill Gates
1 Microsoft Way
Redmond, Washington, USA
90210

Please give me the username of "MoneyBag$" and a password of "Lotus123" and keep it secret just between us OK?

What I'd have to know to use it: (5, Interesting)

Qzukk (229616) | more than 10 years ago | (#9669775)

First, does it keep track of where I've used it? If so, then I want this used in my favor by allowing me access to this log to ensure that my identification has not been compromised.

Second, can site A find out that I also use site B?

Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)

I think that's a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.

Re:What I'd have to know to use it: (4, Informative)

ngunton (460215) | more than 10 years ago | (#9669856)

The answer is No, there is no tracking. All it does is store encrypted data that only you can read, and you can pass tickets to other users which are also encrypted (and can only be read by that user). So this is really not a distributed login system, or a tracking system, it's just a way of confirming that someone is who they say they are. See the White paper for details.

Re:What I'd have to know to use it: (0)

Anonymous Coward | more than 10 years ago | (#9670220)

> Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon,
> you and your collection of every expired CC I've ever used there.

You offend Amazon for no reason here. They are one of the few who really did this part right.

They save your CC# encrypted on their server and the key is stored on your local computer in a cookie.

And this has two big benefits.
A: If you delete the cookie they won't have a way to decrypt your data.
B: If their server is compromised an intruder will only get useless encrypted data.

Sure, you can never ultimately trust that they are telling the truth.
But there is hope.

Privacy (0, Redundant)

mboverload (657893) | more than 10 years ago | (#9669777)

Although I am sure you are an upstanding, smart guy, how are people going to trust you with their personal information?

Centralization (5, Insightful)

prichardson (603676) | more than 10 years ago | (#9669784)

Doesn't the idea of a central registry defeat the purpose of the internet anyway?

The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.

Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist newsletter if he's a hardcore christian?

Re:Centralization (1)

YankeeInExile (577704) | more than 10 years ago | (#9669824)

While the OP clearly has "a" site now with his test code, there is absolutely no reason the system could not be expanded to dozens or hundreds of autonomous entities each offering verification of identity.

Re:Centralization (2, Funny)

Uncle Gropey (542219) | more than 10 years ago | (#9670000)

Do you want it to be possible for your boss to find out that you subscribe to an atheist newsletter if he's a hardcore christian?

I'm trying to imagine what an atheist newsletter might have to say every month...

"Supreme Being: Still Made Up" or something like that?

Re:Centralization (1)

handslikesnakes (659012) | more than 10 years ago | (#9670235)

No, more like "101 Ways to Tell Religious Jerks to Piss Off".

White paper, meet urine bleach! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9669789)

Neil Gunton Vs David Blunket, who has the greatest vision for compulsory ID?

Looking at the whitepaper (1)

autopr0n (534291) | more than 10 years ago | (#9669798)

Simplicity - the service should be simple and easy to use, so that your average non-geek can use it without having to care about encryption, PKI infrastruction, digital certificates or other arcane knowledge.

Yeah, that infrastruction. A real bitch.

Seriously, though. You seem to be thinking of people mailing notarized passport photocopies!? Yeah right. The vast majority of FRR sites only want to know their advertising demographics and do some geotargeting (also with ads). They don't need to know your SSN or even care. As long as 50% of the people respond truthfully, they're fine.

Your system just sounds like a huge pain in the ass. It'll go nowhere.

how do i know (4, Funny)

deft (253558) | more than 10 years ago | (#9669799)

you really are the owner of this website?

Re:how do i know (0)

Anonymous Coward | more than 10 years ago | (#9669970)

Yea. Who the heck is Neil Gunton? What duty does he have to keep this information private? He's getting birthdates and other personal information. What is he going to do with it? Does he have insurance? If his computers get stolen and I get my personal information nicked, can I make an insurance claim?

The whole thing sounds like a nice idea, but I don't know Neil Gunton, and I don't have any reason to trust him. It's not that I think he's a bad person or trying to trick me. It's just that I don't have *RECOURSE* if Neil's computers get stolen and I end up the victim of ID theft.

Re:how do i know (3, Informative)

ngunton (460215) | more than 10 years ago | (#9670004)

The data is encrypted using a password that only you know. The hackers would have to individually break Blowfish encryption on every single user record. If Blowfish is no good then I'll use something else, but the point is that even if the database was totally stolen, it's still no use to the hackers.

As for trust, why do you start trusting anybody? I have to start somewhere. I don't claim to be starting up this thing from my basement and expecting everybody to just send me their life data. This is a prototype, a first attempt to come up with something that I think would be useful to have as a secure place to store your personal information, and a secure way to pass same on to other people. Obviously if it went into production then there would have to be a "real" company or organization, which are precisely the questions I ask at the end of the White Paper. I'm not looking for people's trust at this point, just some feedback on the concept. I really wish more people would actually read the article before assuming that this thing is just another MS Passport.

-Neil

Re:how do i know (3, Funny)

ngunton (460215) | more than 10 years ago | (#9670022)

Oops

Trust (0)

Anonymous Coward | more than 10 years ago | (#9669800)

No one should trust you. You shouldn't trust anyone. This idea might be valuable in some way, but I believe you are trying to accomplish what pgp keys are already doing.

always a way to subvert it. (4, Insightful)

Lumpy (12016) | more than 10 years ago | (#9669808)

I don't care what you try to come up with, I bet you $100.0 that within 24 hours I can figure out a way to get multiple user IDs on it.

Hell meet the right people and you can get multiple Social Security numbers, drivers licenses, and passports.

ALL identification systems can be subverted and online ones that do not require a large amount of 3rd party and usually highly reliable data backing up your claims to be you are really easy to subvert.

I tried to find a solution like this over 7 years ago for the company I work for. It is impossible to make a foolproof system and I proved it to the board of directors that trying to do this will only piss off the customers and give us nothing but a false sense of security that really does not exist.

Re:always a way to subvert it. (0)

Anonymous Coward | more than 10 years ago | (#9669822)

Best you can do is fingerprint, retina scans, and DNA. It can be foolproof, but only if you keep people from simply lying. It won't happen.

Re:always a way to subvert it. (1)

NanoGator (522640) | more than 10 years ago | (#9669903)

"I don't care what you try to come up with, I bet you $100.0 that within 24 hours I can figure out a way to get multiple user IDs on it."

Are you going to do that just to reuse software once the trial period is up?

Re:always a way to subvert it. (1)

ngunton (460215) | more than 10 years ago | (#9669927)

Sure, you can register multiple times, as many as you like in fact. But in order to be verified in the system, you have to send some kind of documentation. Initially what I've thought of is notarized copies of common documents such as passport, drivers license, utility bills and so on, but that's just a first pass. So you would need to forge all those in order to get multiple verified IDs. Anyway, I talk about this in the Fraud section of the white paper. It's all a matter of risk management and appropriate use.

-Neil

Re:always a way to subvert it. (1)

Chess_the_cat (653159) | more than 10 years ago | (#9670031)

HAHAHAHAHAHAHAH! I'm going to mail you a notarized copy of my passport? Think again!

Other people who do ID verification... (4, Informative)

Anonymous Coward | more than 10 years ago | (#9669810)

Have you looked at the http://www.cacert.org people? They are basically doing the same thing and issuing digital certificates based on the person and his/her level of authenticity. Since you have to use your drivers license, passport, or something of that sort, it's hard to get a second account :-)

Beware of Big Brother... (3, Insightful)

midifarm (666278) | more than 10 years ago | (#9669812)

I typically hate being FORCED to register to use a web site. Furthermore I hate being tracked as I use the site. This idea is just short of installing an always on GPS in my car, oh wait isn't that called OnStar? Furthermore, I think this type of OnlineID is intrusive and totalitarian. Beware!

Peace

Re:Beware of Big Brother... (1)

ngunton (460215) | more than 10 years ago | (#9669907)

I try to avoid the Big Brother aspect through encrypting user data using a password that only you know. I can't see what you put in the database, unless you want to confirm your identity using paper documentation (which is your choice, and after all is the entire point of the site). Other people can't see your data. The website doesn't act like MS Passport, it's not being used to track anybody or be a distributed login system.

-Neil

Re:Beware of Big Brother... (1)

ganhawk (703420) | more than 10 years ago | (#9670171)

"unless you want to confirm your identity using paper documentation (which is your choice,"

If the information can be decrypted only by persons holding the key and verification is optional, isn't it a public repository where people can have a public secure communication channel (think terrorists)?

Re:Beware of Big Brother... (2, Interesting)

MavEtJu (241979) | more than 10 years ago | (#9669991)

I typically hate being FORCED to register to use a web site.

Nobody is forcing you to look at the information.

But if you need the information, you have to play by the rules of the provider.

Thawte Web of Trust (5, Informative)

Rupan (723469) | more than 10 years ago | (#9669819)

Well, I should think you could write hooks into the free Thawte web of trust system to achieve this goal. Why reinvent the wheel?

http://www.thawte.com/email/index.html

Re:Thawte Web of Trust (1)

AndroidCat (229562) | more than 10 years ago | (#9670011)

Isn't Thawte more-or-less a sockpuppet of Verisign/Network Solutions? (To give the illusion of a 2nd choice.) I could be wrong.

online registration (4, Funny)

hawkeyeMI (412577) | more than 10 years ago | (#9669821)

I'll just register with a dummy email address [slashdot.org] !

Privacy policy? (5, Insightful)

MisanthropicProgram (763655) | more than 10 years ago | (#9669838)

I don't see one and this doesn't cut it:

Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games

Until privacy is addressed with a lock-tight policy, like "We'll never give out your info.", I will never become a client.

Re:Privacy policy? (2, Informative)

ngunton (460215) | more than 10 years ago | (#9669947)

Did you look around at all? There's a Privacy Policy [onlineidregistry.com] which is under the Help section. It's even linked to directly from the front page. And yes, it states pretty much that your information will never be shared with anyone, for any reason, without your consent (or unless required by law, which I guess anyone has to be held to).

-Neil

Re:Privacy policy? (1)

MisanthropicProgram (763655) | more than 10 years ago | (#9670124)

You should have a link to it on the front page. I don't spend time looking for privacy statements. If there's not a link on the front page, easily accessible, it's not there. Sorry, but I have very high standards when it comes to my information and I don't have time or patience to be poking around people's web sites. Granted, I'm in the very small minority. Most people don't give a shit. Now, if you'll excuse me, I need to put a new tin-foil hat on.

A matter of trust (4, Insightful)

plsuh (129598) | more than 10 years ago | (#9669840)

Nice cut at things, but why on earth should we trust you?

This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This includes both leaks to the outside world in general via website spoofs, phishing, and the like, and internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).

You would do well to read up on the design documents and white papers from the Liberty Alliance [projectliberty.org] . This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.

--Paul

already being built, it's called the liberty . . . (2, Informative)

Anonymous Coward | more than 10 years ago | (#9669847)

ahhhh, isn't this what the liberty alliance is all about?
www.projectliberty.org

Re:already being built, it's called the liberty . (4, Informative)

LostCluster (625375) | more than 10 years ago | (#9670084)

Nope. Liberty is a free project for centralized user IDs... but has no component for the killer app this person is looking for, preventing the same person from using two or more different accounts to get treated as a new signup two or more times...

And how the hell... (4, Insightful)

fsterman (519061) | more than 10 years ago | (#9669852)

How are you gonna make sure people don't get another one? "You send in notarized copies of documentation such as passport, birth certificate, drivers license, utility bills etc." Riiiiiight, I got three people in this house that won't be using this thing. Along with plenty of insecure garbage cans all over town full of utility bills. Even shit like SS# are _VERY_ easy to get. How do you think illegal workers work? With fake SS cards they buy for $50-$100. This is a really useless idea.

I don't like it (1)

Tsugumi (553059) | more than 10 years ago | (#9669862)

There's a bunch of these. The one that springs to mind is Microsoft's Passport, and that got people all worked up. Partly I guess because it was Microsoft, but also because of privacy. Hence browsers with password managers; people seem to prefer that to having one password to rule them all.

Also for one of the stated goals - to ensure that people don't register several times - you need some confirmed data. So either a credit card I guess, or something more intrusive. Just doesn't sound good to me at all....

Re:I don't like it (1)

ngunton (460215) | more than 10 years ago | (#9669975)

Does anybody around here actually RTFA??? What you are saying is totally off-track as to what the website is actually about. Please read the White Paper before springing to conclusions like this.

a) It's not Passport, it's not a distributed login system at all

b) The "confirmed data" aspect is covered in some detail

-Neil

Re:I don't like it (2, Interesting)

CyberVenom (697959) | more than 10 years ago | (#9670049)

This is Slashdot. You should expect that 95% of the users will not even bother following the link to your whitepaper, especially after you hint that your server may not handle the slashdot effect very well. Some of us just get tired of clicking on interesting links and waiting half an hour for the page to load. Try to anticipate what the major objections and questions of the average Slashdot user will be and include some answers in the slashdot article itself.

Given That... (2, Insightful)

Nom du Keyboard (633989) | more than 10 years ago | (#9669867)

Given that we cannot establish identity completely anywhere else in society short of invasive DNA testing (identical twins beat this one) or fingerprints (already shown to be easily spoofed), why should cyberspace be any different? We're awash in counterfeit identity documents good enough to pass, and sold on street corners for a few bucks and a few minutes' waiting. Most IP addresses dynamically change faster than presidential candidates' positions on the issues. You might be able to generate a unique PC ID value (e.g. Windows Product Activation), but who doesn't have more than one PC? And there was an outcry against the CPU ID feature Intel introduced a few years back. Besides, oftentimes many people may use the same PC. So with nothing more than a keyboard and mouse at the far end of the wire, you want to know how to uniquely identify a person -- and all without asking for personal information most of us are (wisely) loath to provide.

My solution: Everyone gets an implanted RFID grain with a unique 128-bit identifier + a public encryption key with cheap readers everywhere they will ever need to establish identity. And anyone caught faking an identity goes to jail for life to deter such attempts.

It won't happen. The privacy advocates would be up in arms against this before the ink was dry on the proposal. And someone would still manage to beat it -- though probably very few. Someone will manage to make his ID grain rewritable, or some such nonsense.

Conclusion: I don't feel this problem is solvable through any measures current society will accept, but I'd love to be proven wrong. I look forward to seeing what solutions are proposed.

Paypal (4, Informative)

Noksagt (69097) | more than 10 years ago | (#9669872)

You've gotten a lot of responses to "use Passport" and the like. Passport, of course, doesn't uniquely identify you--you can easily get multiple passport accounts.

Instead, use Paypal or similar financial services who have an interest in verifying ID. Yes, many have problems with Paypal eating money, etc. Guess what: Most will probably have a bigger problem sending YOU their personal info & paypal already has a lot of personal info.

Just make users send you the smallest amount possible as a pseudo-micropayment. And/or send THEIR paypal account some small amount. That will probably be cheaper than doing verification yourself.
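As an added example (not code from the thread, and not PayPal's own API), here is what the "send THEIR account some small amount" variant looks like in practice: the operator pays a random 1..99 cent amount into the account the user names, and the user proves control of that account by reporting the amount back. Because the payment processor has already verified the account holder, one payment account maps to at most one registry identity, which is the duplicate-signup problem the article is really about. The attempt limit, the challenge lifetime and the injectable clock are assumptions made for this example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3            # assumption: three guesses, then the challenge must be re-issued
CHALLENGE_TTL = 3 * 86400   # assumption: a deposit may take up to three days to land


class DepositVerifier:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # account -> [amount_cents, expires_at, attempts_left, user]
        self._claimed = {}       # account -> user that already verified with it

    def issue(self, user: str, account: str) -> int:
        """Pick the deposit amount (cents) the operator must actually send."""
        if account in self._claimed:
            raise ValueError("payment account already bound to a verified user")
        amount = secrets.randbelow(99) + 1            # 1..99 cents from a CSPRNG
        self._pending[account] = [amount, self._now() + CHALLENGE_TTL,
                                  MAX_ATTEMPTS, user]
        return amount

    def confirm(self, user: str, account: str, claimed_cents: int) -> bool:
        """True once the user reports the exact amount that was deposited."""
        rec = self._pending.get(account)
        if rec is None or rec[3] != user:
            return False
        amount, expires, left, _ = rec
        if self._now() > expires or left <= 0:
            self._pending.pop(account, None)
            return False
        rec[2] -= 1
        ok = hmac.compare_digest(str(amount).encode(), str(claimed_cents).encode())
        if ok:
            self._pending.pop(account)
            self._claimed[account] = user   # one payment account, one identity
        elif rec[2] == 0:
            self._pending.pop(account)      # guesses exhausted; operator must re-issue
        return ok

    def owner_of(self, account: str):
        return self._claimed.get(account)


if __name__ == "__main__":
    v = DepositVerifier()
    cents = v.issue("alice", "acct-A")      # constructed sample account
    print("deposit", cents, "cents, then confirm:", v.confirm("alice", "acct-A", cents))
```

Note that the guessing space is only 99 values, so the attempt limit is what makes the scheme hold up; without it a user could simply iterate. The same structure works for the "user sends you a micropayment" direction, with the roles of who reports the amount reversed.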

Re:Paypal (1)

YankeeInExile (577704) | more than 10 years ago | (#9670067)

Maybe this is where to start -- not necessarily with PayPal, but the idea of distributed "identifying entities." Rather than spending your time on a site for registration, design an infrastructure that allows entities who do know with some certainty who I am ( say, the Instituto Nacional de Migracion, who handle my residence visa, or my banker who handles my money ) to allow me to issue these same identifying tickets to other parties.

Be like BASF "We don't make the identity database. We make the identity database better."

In many ways we do have that with, at least in the US, credit cards -- A web site can do a $1 auth and then never deposit the frank, and they can be reasonably certain that that user is John Q. Bankcustomer. This of course falls apart as soon as you leave the US.

I have a friend (no really!) who is a major porn addict, and every month he gives me a pile of cash to go put onto a prepaid debit card that I got for him in his name (itself an interesting exercise). The last statistic I heard: About 30% of the population of Mexico has a bank account.

Unfortunately... (1)

twoslice (457793) | more than 10 years ago | (#9670072)

Your Paypal account is about to expire....

Evil. (0)

Anonymous Coward | more than 10 years ago | (#9669880)

This is frighteningly similar to Microsoft Palladium's "Nexus" component.

Another possibility (1)

coldcup (15234) | more than 10 years ago | (#9669910)

You could use CAcert [cacert.org] and their certificates as required identification.

Why moderate this onto the front page? (0)

Anonymous Coward | more than 10 years ago | (#9669920)

Aren't there anymore naked anime casemodded mp3 players out there today?

Testy (1)

The Ancients (626689) | more than 10 years ago | (#9669921)

...so I don't really know how well the mod_perl backend will stand up...

That's what /. is here for. I suggest you count in minutes, not hours.

Re:Testy (0)

Anonymous Coward | more than 10 years ago | (#9670020)

I suggest you count in minutes, not hours
I suggest you count in microseconds, not minutes!

as a customer... (0)

Anonymous Coward | more than 10 years ago | (#9669939)

why do i want to do this?

what reason do i have to send you photocopies of my personal information?

how do i know YOU are who you say you are, more importantly, why do i care?

what is the point of such a registry, what does this registry have to offer that microsoft passport does NOT have, and why does THAT matter to ME?

People only care about things like this if it provides a direct and measurable increase in "quality of life" (tm) anything less than that and you are going to end up with about 30 people total who are willing to do this (on earth) and not many more.

to sum it up, what is the point?

Re:as a customer... (1)

AndroidCat (229562) | more than 10 years ago | (#9670036)

What happens when you send someone photocopies of identification and they use those to claim that they're you?

It's like the unbreakable toy: you can always use it to break other toys.

I hate to drive the nails in the coffin, but... (2, Interesting)

Brane2 (608748) | more than 10 years ago | (#9669944)

this is really stupid. Author states that electronic signing and authentication never really caught on with geeks, but for some reason he thinks that just about everybody will be thrilled with his implementation. What a great concept! Have your vital info notarised, scan it, send it around etc... Yeah! What an improvement over PGP etc., where you simply send a few tens of bytes of your public key... Not to mention the smallish issue of the security of that central authorisation point. While the official key registrars have to be secure places, they are not strictly centralised. If Al-Qaeda guys nuke one of them, no big deal for the rest of correspondents. They would just use some other registrar. Besides, those places hold encrypted data, so they can be blown up, but getting intel out of them is not very probable. New scheme tries to be PGP Lite, just for cheap/free online services, but I don't see where the Lite part regarding implementation comes in...

Trust, and the 'trustworthy computing' (3, Interesting)

ONU CS Geek (323473) | more than 10 years ago | (#9669976)

I can only see where this is going.

First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day."

Second...how do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I supposed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?

If you or your company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?

I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.

Ian
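The IP/subnet tracking and open-proxy refusal Ian suggests are cheap to implement, though (as Nom du Keyboard notes earlier in the thread) dynamic addresses and shared NAT make them a blunt instrument: a household behind one address gets one trial, and a determined abuser with a dial-up pool gets many. The following is an added example, not code from the thread or from Neil's registry, of a signup throttle keyed on the exact address and on its /24 (IPv4) or /64 (IPv6) prefix, with a static deny list standing in for whatever open-proxy blocklist you would actually consult. The thresholds, the window and the sample addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy, not from the thread: one signup per exact address and
# five per prefix inside a 24-hour sliding window.
WINDOW_SECONDS = 24 * 3600
PER_ADDRESS = 1
PER_PREFIX = 5


def prefix_of(addr: str) -> str:
    """Collapse an address to the block a household or small ISP pool
    usually sits in: /24 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    bits = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class SignupThrottle:
    def __init__(self, window=WINDOW_SECONDS, per_address=PER_ADDRESS,
                 per_prefix=PER_PREFIX, open_proxies=()):
        self.window = window
        self.per_address = per_address
        self.per_prefix = per_prefix
        # Constructed stand-in for a DNSBL / open-proxy list lookup.
        self.open_proxies = {str(ipaddress.ip_address(p)) for p in open_proxies}
        self._by_addr = defaultdict(deque)    # address -> signup timestamps
        self._by_prefix = defaultdict(deque)  # prefix  -> signup timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, addr: str, now: float):
        """Return (allowed, reason). Records the signup only when allowed."""
        ip = str(ipaddress.ip_address(addr))  # canonical form; rejects junk input
        if ip in self.open_proxies:
            return False, "open-proxy"
        pfx = prefix_of(ip)
        addr_q, pfx_q = self._by_addr[ip], self._by_prefix[pfx]
        self._prune(addr_q, now)
        self._prune(pfx_q, now)
        if len(addr_q) >= self.per_address:
            return False, "address-limit"
        if len(pfx_q) >= self.per_prefix:
            return False, "prefix-limit"
        addr_q.append(now)
        pfx_q.append(now)
        return True, "ok"


if __name__ == "__main__":
    t = SignupThrottle(open_proxies=["203.0.113.9"])  # constructed sample data
    for host in ("198.51.100.10", "198.51.100.10", "198.51.100.11", "203.0.113.9"):
        print(host, t.allow(host, now=0.0))
```

The prefix counter is the part that actually bites: an abuser who hops between addresses in the same pool still exhausts the /24 budget. The price is that a legitimate campus or office behind the same block shares that budget, which is exactly the trade-off the earlier comments about dynamic IPs and shared PCs are complaining about.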

GPG (1)

BlackMagi (605036) | more than 10 years ago | (#9669978)

Isn't that what GPG is for? Oh, I get it, you're hooking up an online identity to a real one. Well, that's kind of what a domain name is. If we had free personal domains, administered by someone politically neutral, that would all be a solvable problem. I haven't looked into your site, but I understand what you're talking about, and yes it would be a useful thing. It's the kind of thing that could defeat spam, fight evil and be generally useful. I think it could be strapped together by encouraging companies to mutually trust each other's employees at the mail server level etc until it became so obviously useful everyone wanted to do it... Cheers, -BM

Re:GPG (1)

bcrowell (177657) | more than 10 years ago | (#9670091)

If we had free personal domains, administered by someone politically neutral,
I'm not convinced that there's "someone politically neutral" who wants to run this kind of thing as a charity, and a for-profit entity could be just as bad.

Isn't that what GPG is for?
Here I agree with you more. The only non-authoritarian way to establish an online identity is some kind of web of trust.

Funny coincidence: I first saw this article this afternoon, and thought, "Useless idea, who needs that?" Then I checked the logs on a web site I run (see my sig) that catalogs free books and accepts user-submitted reviews. Seems that someone had listed his own book (which wasn't actually free at all except for a teaser in MS Word format), and then written his own review. He actually hadn't tried too hard to hide his identity, but it does point up the fact that there really are cases where one might need this kind of system. And if the bearded hacker community doesn't produce it, you can bet MS or governments will.

BTW, guess what I did with the phony review? Yep, I deleted the book from the database (well, it didn't actually meet the criteria anyway, since it wasn't free), deleted the review, and deleted the user's account. In other words, I acted authoritarian. The alternative to a user-id system is not necessarily a utopian, anonymous internet.
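Since the thread keeps pointing at PGP/GPG as the decentralised alternative, here is what the web-of-trust validity rule actually computes, as an added example that is neither the thread's nor GnuPG's code. The knobs are GnuPG's defaults, taken here as assumptions: a key is valid if it carries one signature from a fully trusted valid key, or three signatures from marginally trusted valid keys, within five hops of your own ultimately trusted key. The key names and signatures are constructed sample data standing in for fingerprints.

```python
from collections import defaultdict

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(sigs, owner_trust, completes_needed=1,
                     marginals_needed=3, max_depth=5):
    """sigs: (signer, signee) pairs meaning signer certified signee's key.
    owner_trust: key -> how much *you* trust that owner to certify others.
    Returns key -> hop count at which it became valid (0 = your own key).
    Defaults mirror GnuPG's completes-needed / marginals-needed / max-cert-depth."""
    signers_of = defaultdict(set)
    for signer, signee in sigs:
        signers_of[signee].add(signer)
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves already valid count,
            # and owner trust (not validity) decides how much each one is worth.
            full = sum(1 for s in signers
                       if s in valid and owner_trust.get(s) in (FULL, ULTIMATE))
            marginal = sum(1 for s in signers
                           if s in valid and owner_trust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break          # fixpoint reached, nothing further can become valid
        valid.update(newly)
    return valid


# Constructed sample keyring (names stand in for fingerprints).
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL,
               "carol": MARGINAL, "dave": MARGINAL, "eve": NONE}
SIGS = [("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"), ("me", "eve"),
        ("alice", "frank"),                                       # one full signer suffices
        ("bob", "grace"), ("carol", "grace"), ("dave", "grace"),  # three marginals suffice
        ("bob", "heidi"), ("carol", "heidi"),                     # two marginals do not
        ("eve", "ivan")]                                          # valid key, untrusted signer

if __name__ == "__main__":
    for key, hops in sorted(compute_validity(SIGS, OWNER_TRUST).items()):
        print(f"{key:6s} valid at {hops} hop(s)")
```

The distinction the example turns on is the one people most often get wrong: eve's key is valid (I signed it), but because I assigned her no owner trust, her signature on ivan counts for nothing. Validity answers "is this really eve's key?"; owner trust answers "do I believe eve checks IDs before signing?", and only the second propagates.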

ah ha! (1)

B3ryllium (571199) | more than 10 years ago | (#9669982)

I would also like to see an Online Eye Dee Ten Tee Registry.

fagoRz (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9670028)

other members 1n leaving core. I

Why? (3, Insightful)

max born (739948) | more than 10 years ago | (#9670030)

Nice idea, Michael, but why would I want this?

What problem does it solve?

I already do online banking, shopping, bill paying, etc.. What additional service could I get from registering with you?

Is it a harvester or not? (1)

Maljin Jolt (746064) | more than 10 years ago | (#9670052)

Before I sign to OnlineRegistry, I need to verify that Neil Gunton is a real and believable person. This 'project' may as well be a spammer's (or scammer's or CIA's or whoever's) clever method of harvesting identities.

Any ideas how to verify a real identity of Neil Gunton?

Re:Is it a harvester or not? (1)

CyberVenom (697959) | more than 10 years ago | (#9670080)

Well, he seems to have a Slashdot account, and we all know how well Slashdot verifies its users, so of course you can trust him!

So Let Me Get This Straight... (1)

osmethnee (717516) | more than 10 years ago | (#9670076)

You solved the problem of people doing multiple registrations for a *free* trial by introducing a system where I have to get a notarized copy of my passport and then *pay you to process it*? I am wildly unconvinced the author of the original article has any idea what problem he's trying to solve... In short: show me a problem, show me a solution, and do us all a favour by having the two match up.

Problems (1)

xihr (556141) | more than 10 years ago | (#9670083)

The main problems are that this just shifts the point of failure (or deception or fraud) to third parties. Instead of you yourself lying about your identity to someone over an insecure communications system, now you're dependent on whatever procedure people identify themselves with to this registry. Ultimately someone at the registry has to examine the documents submitted by someone and decide whether or not they're legitimate (and thereby mark the user as verified). How can he manage to never be deceived? One mechanism mentioned is photocopies of documents (photocopies are notoriously easy to manipulate) and a notary public -- but how do you know that the notary public isn't working for the bad guys (after all, it's not like it takes a huge amount of effort to become a notary public)?

Ultimately there's going to be an issue of liability. You cannot guarantee 100% reliability, and so you're going to get sued whenever someone who is mistakenly verified by the system defrauds someone else. Do you really want that?

Sounds like the Patriot Act ... (1)

cool_st_elizabeth (730631) | more than 10 years ago | (#9670097)

but answerable to ... absolutely nobody. Be afraid. Be very afraid ... oh on second thought, just don't ever register there.

Shaky (1)

trifakir (792534) | more than 10 years ago | (#9670100)

Yet another self-appointed notary. I don't get the point of how the "registry" and the public CA scheme would work in tandem? Or is it just an interface?

The security of the whole thing seems extremely low. If you want to do something like that I suggest that you consider some zero-knowledge techniques.

Go, fetch a copy of Bruce Schneier's Applied Cryptography, but you've probably already done this. Just open the right page, then (503).

In Finland banks do this (2, Interesting)

rraton (660528) | more than 10 years ago | (#9670108)

Here in Finland every bank offers sign-in with your bank web-account-id, and the protocol (TUPAS) is standardized here in Finland by a central authority (Pankkiyhdistys), so that when you include this authentication system in your application, with the same effort, it works with all the banks (and potential customers). Almost all the transactions and bill paying are done electronically in web-banks here in Finland, so almost everybody has these IDs already. The bank authenticates the user at the local office, so it really works.

You receive the user's social security number and other important information, and the protocol can be customized for companies to give custom information too.

So I think this system (topic) is quite useless. It really needs some authority to trust.

Do you have this kind of stuff?

Re:In Finland banks do this (2, Funny)

trifakir (792534) | more than 10 years ago | (#9670139)

"Pankkiyhdistys" is going to be my next password.

go for it (1)

Doc Ruby (173196) | more than 10 years ago | (#9670111)

Forget verification. Filling in endless registration forms for come-and-go websites is a prohibitive barrier to massifying web commerce. Just implement a database of records with unique IDs, and suffixes for levels of info disclosure, and people will use the IDs in a single registration field all over the web. It's like M$ passport without the onerous security infrastructure. If you presign a giant damages agreement in the event someone proves you've divulged their info against the license you've gotten from them, they might even trust you.

For Profit? (2, Informative)

ElDuderino44137 (660751) | more than 10 years ago | (#9670152)

"Should it be for-profit or non-profit?"

Hey There,

I would suggest you go with a proven business model.

Should be "non-profit".

Just make sure that you patent the idea.
Don't tell anyone about the pending patent.
Work as part of a standards group to gain wide acceptance.
Wait 3-5 years.

Now what's the phrase I'm looking for?
Damn the torpedoes?
Up periscope?

Surface that submarine ;)

Cheers,
--The Dude

Verisign? (1)

HoleNdaBitBucket (667995) | more than 10 years ago | (#9670189)

Verisign attempts the same thing, but in reverse. I (Mr. Website Owner) purchase a "certificate" from Verisign. Depending on how much I pay, they perform certain types of verification, certify my server's identity, and "people will trust [my] site". Truth is, folks don't typically care if I purchased the certificate from Thawte for $25 or from Verisign for $500; they care that the transaction is encrypted, that they didn't get a security warning, and that my site has not developed a negative reputation (notice I didn't say "has developed a positive reputation").

Your idea seems opposite: are sites interested in identifying their customers more assuredly? Well, if so, Verisign also has services it offers for certifying individuals -- but I've never run across a site that requires such strong authentication. I don't think there's tremendous demand for a third party to provide that authentication. Although your implementation may be technically different, there's still little demand for the concept.

I think you've put some valuable thought into some protocols and algorithms that others have devised (Translucent Databases, Applied Cryptography) and designed a concrete implementation. Now, go and create demand for the product.

Stupid question... but.... (1)

visionsofmcskill (556169) | more than 10 years ago | (#9670197)

why would i give you, or anyone for that matter... my personal information..

and why on gods green earth would i spend the time to SEND you NOTARIZED ($$) copies of my UBER-private documents (step #3 on his page)...

For....

a "free trial" or "free registration"?

through a third-party.

no way... I'm too lazy to give my lawyer those documents in an orderly fashion... much less for a free trial to Men's Life online magazine.

Economics matters more than CS here (2)

RyanMuldoon (69574) | more than 10 years ago | (#9670236)

One of the main problems that I see in identity/privacy/security issues at the moment is that people are convinced that there is a purely technological solution. That's just false. One thing you will have to consider is how much it is worth it to someone to cheat, what are the initial costs of getting an identity, and what are the costs to a discovered cheater. If the benefits to cheating outweigh the costs at all, then you lose. If there is money to be made in cheating, someone will find a way to do it.

Secondly, you as an individual (or a small business) will never be able to run this service. The insurance cost alone has priced you out of the market. You are providing some degree of certainty above the status quo that people registered with you are who they say they are. That has significant value, at least linearly related to number of users. Which means insurance prices would be huge. This is a business most naturally suited to an insurance company, not a technology company or an individual.

Finally, why do you claim that centralization is necessary? We barely use this in real life. Birth certificates don't come from a central authority - they come from towns and hospitals. Driver's licenses are issued by states. Credit cards are issued by banks. Student IDs are issued by universities. Even these things that we consider centralized are decentralized. Our more informal relationships are completely decentralized. A web of trust more accurately reflects our relationships, not a hub with a bunch of spokes. Why would you want such a huge single point of failure?