Certified Identity
Session Topic: Certified Identity (TH5H)
Convener: Sid Sidner
Notes-taker(s): Amanda Anganes
Tags for the session - technology discussed/ideas considered:
Reputation, certification, verification, claims, attributes
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Origin documents
Building up credit/reputation – takes time, build up credit history with multiple OK transactions => creates trust
Story from Sid about getting TS security clearance - $20,000 from company, lots of investigators working, expensive process but in the end having clearance makes Sid more valuable – tons of job offers immediately after
FB has said they want to be a “real ID” service
- Self-attested info more reliable?
Check info – email addr must not bounce, mailing addr must be real (check w post office)
“Real ID” drivers license suggestion – turned down, too much work for DMV
Idea: suppose services could vett attributes – make claims, giving you a badge to show certified attr. on your FB page
Is this valuable?
Chaining ID forms / verification
Over time, value of badge could accrue – I have been certified with X for 5 years, etc
In Finland, Nils (last name?) created ID badge for FB linking your page to national ID – worked, but FB changed app model and it couldn’t be used anymore.
On FB certification doesn’t matter so much – social links provide verification of your ID
On LinkedIn, more useful – verify employers, etc
Mechanics are complicated – security, authorization of asserting parties
One different idea is that of an Oracle – doesn’t directly release your info, but can answer questions like “is this person over 18?” Not what is being suggested here.
Some use cases:
Verify user is over 18 before visiting certain websites, or over 21 to purchase alcohol online
Verify user is a real person for online dating sites
Verify employer history on LinkedIn/resume
Proves there is value in such a service.
Idea here is to validate claims – not necessarily focusing on proving you are you; that is another problem
- Universal ID – Netherlands national ID w/card reader, generates passwords/keys
- Predict that in 2-5 years US will adopt same model, but until then not useful
- Whatever is used needs to be ubiquitous
- This is still a hard problem
- Names are not unique identifiers
Money is not in proving that you = you, but in proving certain attributes assuming you = you has been proven sufficiently.
Organizational ID an be “proven” with domain email or social network
Idea – extend that to organizations, not just people
- This FB app really does come from org X, I can trust it
2 schools of thought – iPhone vs Android apps marketplace
Where does the value of this live? Person pays or organization/application pays? To whom is it more valuable?
Who is the customer? In some cases may be more valuable for RP or asserting party.
- Alcohol example – if store is liable for selling to underage person, store wants to pay for certification check.
- For credit/bank cards, more profitable to put through possibly invalid transactions – only brings more $$ to company.
In real world we do both depending on context – company pays for security clearance; you pay for your drivers license.
Some companies are doing this already to a small extent – Amazon “real name” badge, Paypal “verified seller” badge.