Certified Identity

Session Topic: Certified Identity (TH5H)

Convener: Sid Sidner

Notes-taker(s): Amanda Anganes

Tags for the session - technology discussed/ideas considered:

Reputation, certification, verification, claims, attributes

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Origin documents

Building up credit/reputation – takes time, build up credit history with multiple OK transactions => creates trust

Story from Sid about getting TS security clearance - $20,000 from company, lots of investigators working, expensive process but in the end having clearance makes Sid more valuable – tons of job offers immediately after

FB has said they want to be a “real ID” service
 * Self-attested info more reliable?

Check info – email addr must not bounce, mailing addr must be real (check w post office)

“Real ID” driver’s license suggestion – turned down, too much work for DMV

Idea: suppose services could vet attributes – make claims, giving you a badge to show certified attr. on your FB page

Is this valuable?

Chaining ID forms / verification

Over time, value of badge could accrue – I have been certified with X for 5 years, etc

In Finland, Nils (last name?) created ID badge for FB linking your page to national ID – worked, but FB changed app model and it couldn’t be used anymore.

On FB certification doesn’t matter so much – social links provide verification of your ID

On LinkedIn, more useful – verify employers, etc

Mechanics are complicated – security, authorization of asserting parties

One different idea is that of an Oracle – doesn’t directly release your info, but can answer questions like “is this person over 18?” Not what is being suggested here.

Some use cases:

Verify user is over 18 before visiting certain websites, or over 21 to purchase alcohol online

Verify user is a real person for online dating sites

Verify employer history on LinkedIn/resume

Proves there is value in such a service.

Idea here is to validate claims – not necessarily focusing on proving you are you; that is another problem
 * Universal ID – Netherlands national ID w/card reader, generates passwords/keys
 * Predict that in 2-5 years US will adopt same model, but until then not useful
 * Whatever is used needs to be ubiquitous
 * This is still a hard problem
 * Names are not unique identifiers

Money is not in proving that you = you, but in proving certain attributes assuming you = you has been proven sufficiently.

Organizational ID can be “proven” with domain email or social network

Idea – extend that to organizations, not just people
 * This FB app really does come from org X, I can trust it

2 schools of thought – iPhone vs Android apps marketplace

Where does the value of this live? Person pays or organization/application pays? To whom is it more valuable?

Who is the customer? In some cases may be more valuable for RP or asserting party.
 * Alcohol example – if store is liable for selling to underage person, store wants to pay for certification check.
 * For credit/bank cards, more profitable to put through possibly invalid transactions – only brings more $$ to company.

In real world we do both depending on context – company pays for security clearance; you pay for your driver’s license.

Some companies are doing this already to a small extent – Amazon “real name” badge, Paypal “verified seller” badge.