How Hard Would This Be?
Before I dive back into the report due TUESDAY (!) I’d like some advice from an application developer or some such type.
How hard would it be to develop a software application to run on PCs, notebooks, etc., etc., whose sole purpose in life would be for me to manage my identity? (Er, why would I trust anybody else to do this?)
1. I enter the details I want one time (except when they have to change)
2. I mark the details as public, semi-public and private
3. It outputs the data (after I have explicitly given permission) in a published XML schema
4. It is encrypted (or encryptable)
5. The schema is published publicly
6. Organisations can apply to the application developer for a daily key
7. Organisations can validate my identity with a rating following transactions (maybe stars, the way Amazon rates books with a place for automated comments. ‘We delivered books to this individual’s address on this date with no identity problems encountered.’)
8. Comes with tamper alarm
9. I may choose to save at developer’s secure website as a backup
You may say it’s a lot of bother to do it this way. I would retort that it would save a lot of bother for organisations and they would fall all over themselves to adapt to it.
It could be packaged into an existing computer protection package, ala Norton… or it could be an Open Source project developed by those concerned with related issues.
Why would I trust someone else with managing my identity?
July 7th, 2007 at 7:46 am
See the argument that raged over several years about this feature in P3P, which was removed because of privacy concerns.
July 9th, 2007 at 1:02 pm
Not sure I quite follow all of that (Tamper Alarm??). But there’s a ton of work going on in this area. Here are some starting points:
http://www.identityblog.com/
http://openid.net/
http://www.credentica.com/
http://www.eclipse.org/higgins/faq.php
July 13th, 2007 at 12:46 pm
I think there are two problems here.
1) Any identity software, even software you run on your own machine, has to be thoroughly secured. Verifying that is a constant problem. Also, one problem with security hosted on user’s own machines is the sort of problem we have now with raging spam: most users are not capable of securing their own machines. (Plus you have the ancillary problems of authenticating who used the machine when x crime was committed, or gaining access to systems when Aunt Myrtle dies and no one knows her passwords).
2) Banks and other organizations do not trust users. Nor do they seem to understand that today’s world requires two-way authentication. They believe *they* need to control user identity so they can be sure they can trust the system. So even if you have an identity system on your machine, to do business with others you’ll wind up having to use their systems. So instead of simplifying things you’re complicating them.
Unless I’ve misunderstood what you’re driving at. But this is a problem that, as Ian says, a lot of people are trying to solve. I think the significant problems are cultural and organizational rather than technical.
wg