[OpenID] Real Identity Verification

Nate Klingenstein ndk at internet2.edu
Tue Nov 4 06:06:04 UTC 2008


Rebecca,

There are definitely a few providers that have attempted to tie a  
real-world identity to an OpenID, particularly in Japan, but they are  
very much in the minority.  Nevertheless, a market could build around  
this if there were a strong demand for it.  They don't exist today,  
but given proper incentive with services like yours, they certainly  
could.

The more fundamental problem is that the specs as they stand just
don't really support strong authentication.  No matter how good or
bad the identification verification that's done at the OP, the
inherent lack of any defined trust fabric makes it really hard to get
that trusted identity to the RP with any degree of assurance.

There are a couple of proposals in the works right now to address this
shortcoming.

One of them is called PAPE, which offers the ability to self-assert  
how good a job you do with identity verification.  It primarily  
focuses on the quality of authentication, and not the quality of the  
identity checking, though it could be used for both and indeed  
references some NIST specifications that encompass both.  You can  
have very strong authentication to a weakly checked identity, or vice  
versa, but the quality in the end is generally capped by the lesser  
of the two.  This is in public review right now.

The other one is provisionally called TX, which attempts to associate  
a contract with a particular transaction.  I personally think it's a  
key area with a lot of work to be done.  I don't agree with the  
fundamental approach in the current proposal, because the part that's  
signed is not strongly bound to any attributes or identities that are  
passed.  It's a bit organic.  Others will probably have different  
views.  Something in this space is a key future addition, though.

A final place work needs to be done is the establishment of broad  
trust structures that operate multilaterally, allowing these above  
trust handshakes to scale.  We do this now with a structure called  
federations (ours being InCommon, for the higher education and  
research space in the US), but it's not clear whether these will  
ultimately scale.  Reputation services are another idea here that  
remain in the sketch stage.

If you're operating with a small set of strongly trusted OPs/
identity sources, you can handle all this trust out of band.  If you
want a solution that works in band using the OpenID protocols
themselves, you've probably got a while yet to wait.

Take care,
Nate.

On 4 Nov 2008, at 05:10, Rebecca Cannon wrote:

> I'm researching a new online service that I will be building. I
> want to use OpenID, however we're going to require real-world
> identification verification, as the service will have legally
> binding information in it.
>
> Just wondering whether OpenID is being used with real-world
> identification verification, and what the list's thoughts are on this.
