12 Jun 2005
The more I think about what identity means in the on-line world, the less I think we're doing a good job with it.
Most on-line identity systems are set up to prove that you're the same person you were last time. For a lot of kinds of e-mail, that's fine: the first time you get mail from someone you can decide pretty quickly whether it's mail you want, and add the person to a whitelist or blacklist. When more mail arrives from the same person, you read it or throw it away.
A more subtle but probably more important kind of identity is proving that people are who you think they are. There's a lot of identity verification that we do in day to day life that doesn't carry over very well into computers. For example, I grow and shave off a beard from time to time. My driver's license picture doesn't have a beard, but people who look at it and at me have no trouble figuring out that even with the beard, it's close enough. Face-to-face, we're good at telling what details matter and what details don't. Online, we aren't. I use a lot of different e-mail addresses, both to keep mail for different roles and jobs separate, and to track mail from correspondents I don't entirely trust, like on-line stores that demand an address when you order something. It's extremely tedious to explain to security software that all of these addresses are equally me; they're just different whiskers. At the least, I need to enter all of the addresses into whatever software creates and verifies certificates, or worse, I have to keep a certificate per address and fish out the one that matches whichever address I'm currently using. That rapidly becomes more trouble than it's worth.
Sometimes the exact identity of a person or organization isn't as important as identifying them as a member of a group. For example, when you're looking for a policeman, any real policeman will do, but almost-policemen such as security guards won't. When I want to cash a traveller's check (or these days more likely get a cash advance on my Visa debit card), I need to find a bank but it doesn't much matter which one. Banks are easy to identify, since they have tellers, a vault, and an FDIC sticker on the window. Again, it's not hard to figure out whether a person or an institution is part of a category, using cues so familiar that we often don't know what they are.
This sort of category identity is if anything more important on-line than it is in day to day life. If I get e-mail from CITIBANK-ACCOUNTS.COM, is it really about my account at Citibank? Nope. As spammers and phishers have found, there's an unlimited variety of names that are enough like well-known names to fool people. Current signing schemes like SSL don't help, because they can assure you that mail from CITIBANK-ACCOUNTS.COM or the web site WWW.CITIBANK-ACCOUNTS.COM is really from the owner of the domain CITIBANK-ACCOUNTS.COM, but they don't tell you whether that's Citibank.
The obvious solution is industry specific certification. Banking should be the first industry to do that, both because (in the US at least) there is a clear definition of who's a bank, S&L, credit union, or whatever, and who isn't, and because, well, banks have all our money.
There are two ways one might do the certification. The first is a certificate signing agency, sort of like Verisign and the other agencies that do SSL signing now, but just for banks. The signing part would be technically straightforward to set up, but the hard part would be branding, telling consumers that if it doesn't have a Golden Dollar Sign seal, an e-mail message or web page isn't from a real bank.
The second is an industry specific top-level domain. There are some so-called "sponsored" TLDs now that restrict registrants to particular industries, including .museum, .coop, .aero, and .pro. So far, the sponsored domains have all been complete failures. Most of them saw the domain as a marketing gimmick, and provided nothing of value to the registrants that they wouldn't get from the domains they already had in .com and .org. For the most part, security and trust in their domains isn't an issue. ("Oh, no, what a fool I was, they said it was a co-op, but it was really a producers' collaborative!")
The .pro domain is different. It's supposed to be for licensed professionals, doctors, lawyers, and accountants. Applicants have to verify their credentials at registration time, and they say they'll provide SSL certificates with each registration. Unfortunately, .pro seems permanently stuck in the pre-start-up phase and it has, as far as I can tell, no registrants at all yet. Too bad, since it would be nice to be able to depend on mail from my accountant coming from pwc.cpa.pro, ey.cpa.pro, deloitte.cpa.pro, or kpmg.cpa.pro, and be confident that a .pro address isn't a creative phisher in Romania.
Would it make sense to set up .bank, overseen by the FDIC and other bank regulators, with registrations limited to regulated banks and similar financial institutions? Heck, yes. I don't understand why they haven't done it yet.
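The gap between domain identity and category identity described above can be shown in a few lines. This is an added example, not code from the original post; the registry contents, the brand list and the function names are constructed assumptions, and .bank is treated as the hypothetical restricted TLD the post proposes.

```python
"""Category identity vs. domain identity for a sender or site host name."""

# Constructed data. A real deployment would load a regulator-published list.
KNOWN_BANK_DOMAINS = {"citibank.com"}   # assumed registry of verified bank domains
RESTRICTED_TLDS = {"bank"}              # hypothetical TLD, as proposed in the post
BRAND_TOKENS = {"citibank"}             # names a lookalike would imitate


def registrable_domain(host: str) -> str:
    """Naive last-two-labels rule; production code needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def category(host: str) -> str:
    """Classify a host by category membership, ignoring any certificate."""
    name = host.lower().rstrip(".")
    if name.split(".")[-1] in RESTRICTED_TLDS:
        return "restricted-tld"      # membership enforced at registration time
    if registrable_domain(name) in KNOWN_BANK_DOMAINS:
        return "known-member"
    if any(tok in name for tok in BRAND_TOKENS):
        return "lookalike"           # brand name inside an unverified domain
    return "unknown"


def is_verified_bank(host: str, cert_valid_for_host: bool) -> bool:
    """A valid certificate proves control of the name, not membership
    in the category, so both conditions are required."""
    return cert_valid_for_host and category(host) in {
        "restricted-tld",
        "known-member",
    }
```

A valid certificate for WWW.CITIBANK-ACCOUNTS.COM still yields False here, because the certificate only answers the question of who controls the name.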
© 2005-2018 John R. Levine.