Following on from my earlier Treo post, I’m at my PC (as I was then, just checking if it worked! :)) and figured it was time to let the cat out of the bag on my wee idea.
Currently there are a number of “trusted” organisations that issue credentials online. Nominet is a good example. Nominet manages every domain name that ends in .uk (.co.uk, .org.uk and so on). When you register a domain name they send you a letter, which lets you confirm your legal status (are you a company, a person, etc.) and then download a certificate if you like. Another good example is VeriSign, a company that issues SSL certificates.
Most people probably don’t know this, but the process of getting an SSL certificate is quite involved. The issuing authority (the company that sells it to you) has to be satisfied that you are actually who you claim to be. This can involve faxing a copy of your passport, confirming codes received by post, confirming codes received by phone, and so on. (The depth of checking varies: the cheapest certificates only confirm that you control the domain name, not who you are.) The rationale behind it is that when you put your credit card details into a web site, you want to be sure you know who you’re dealing with.
That explains a bit of the background for the non-techies out there. Another concept I should introduce is that of public and private keys. It’s a strange one to get your head round at first, but it does make sense in the end! Emails, files, credit card details and so on can be encrypted using what’s called a “public key”. The public key lets anyone encrypt something so that only the person with the matching private key can decrypt it. You hand your public key to anyone who wants it, they encrypt whatever they’re sending, and then only you can read it. The same key pair also works the other way round: the holder of the private key can sign a message, and anyone with the public key can check that the signature is genuine. That second property is what certificates are built on: the issuer signs a statement saying “this public key belongs to this person”, and you prove you are that person by signing something with the private key, which never leaves your hands. (Public-key cryptography underpins most encryption online, though in practice it is used to agree a secret key that then encrypts the bulk of the data.)
OK, so you’ve got the background; my concept is very simple. If a standard protocol were designed, it would be possible to issue Personal Identity Certificates, similar to SSL certificates, which could be used to confirm your identity online.
As an example, you could visit your bank’s web site (Smile if you’re an ethical UK consumer) and, instead of typing a username and password, you could use your Personal Identity Certificate (PIC) to prove who you are. Then you could visit your electricity supplier’s web site to check your bill, and again your PIC would do all the security checking for you. The site only ever sees your certificate and a signature made with your private key; the key itself stays with you, so there is no password for the site to lose.
Now suppose you visit a web site you’ve never seen before and it asks you to register. You give it your PIC details and tell your issuing company what information that site is allowed to see. For example, you could allow the site to see your email address and name but nothing else. It could even go a step further: if you receive an email from that web site, it could come through your PIC, so if the site started spamming you, you could simply revoke its access to your PIC.
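To make the key-pair paragraph and the log-in flow above concrete, here is an added example written for this page (it is not code from the original post, and no such product existed at the time of writing) using Go’s standard-library X.509 support. A hypothetical issuer signs a PIC for an individual, a web site sends a random challenge, the individual signs it with the private key, and the site checks that the certificate chains to an issuer it trusts and that the signature covers the challenge it actually sent. The issuer and person names are constructed. The traditional identity check, the issuer-mediated choice of which details a site may see, and revocation are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is one of the "trusted companies"; the traditional identity check is out of band.
type Issuer struct {
	Key   *ecdsa.PrivateKey
	Cert  *x509.Certificate
	Trust *x509.CertPool // the trust anchor a web site would configure
}

// issue generates a P-256 key pair and a certificate for it signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewIssuer makes a self-signed issuer certificate, the root a web site trusts.
func NewIssuer(name string) (*Issuer, error) {
	key, cert, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(cert)
	return &Issuer{Key: key, Cert: cert, Trust: trust}, nil
}

// IssuePIC binds a fresh key pair to the identity the issuer has confirmed. Only name and
// e-mail go into the certificate, and it is marked for client authentication only.
func (is *Issuer) IssuePIC(fullName, email string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return issue(&x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: fullName},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, is.Cert, is.Key)
}

// NewChallenge is the web site's half of the log-in: a fresh nonce, so a captured
// response cannot be replayed against it later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the individual's half: sign the nonce with the PIC's private key.
// The site receives the signature and the certificate, never the key.
func Respond(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify is the site's check: the certificate must chain to a trusted issuer and the signature must cover the nonce sent.
func Verify(trust *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	digest := sha256.Sum256(challenge)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not verify for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil // the confirmed identity; no password was typed
}
```

The two checks in Verify are the whole point: a certificate from an issuer the site does not trust is rejected even if it carries the same name, and a signature captured from one log-in is useless for the next because the site picks a new challenge each time.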
The concept is very simple, but it could become huge. It could allow you to sign documents electronically with legal force. You could apply for a mortgage without seeing any printed paperwork whatsoever. As technology develops it could be linked to biometric information, so your fingerprint or retina scan would confirm your identity.
The fundamentals are this:
- Certificates issued by trusted companies
- Individuals’ identities confirmed by traditional means
- Your data accessible to any web site you authorise, and only those
- An open standard that anyone can use
I’m not really sure how to promote this idea, so if there’s anyone reading who’s interested, post a comment or drop me an email and let’s get chatting.