[Dave Birch] I was in a meeting today discussing some ideas for introducing a sort of trust service, that could fit in a framework along the lines of NSTIC but as a commercial proposition. You know the general idea: a private-sector, for-profit issuer of trust identities. The customer and the segment aren’t relevant (and I wouldn’t tell anyway), but I wanted to reflect back something I was thinking about the market. The idea that I was involved in exploring assumes, as do many similar ideas, a “two-sided market”.

In this market paradigm users and relying parties both interact with each other with the help of a platform. The platform (e.g. single players like Facebook/Google/PayPal/etc or a network of cooperating parties) optimizes both the proposition towards users and the relying parties. The relying parties are businesses (including banks) and governments, all with clear business needs: relying parties achieve better e-services for their customers and lower cost of operation… If there is value, a market can come and the growth will come by itself when the trust is organized properly. It’s just a matter of getting the industry’s act together.

[From Innopay – Payment Consultants – home]

The problems that “e-identity” businesses might try and solve fall into this two-sided (aka “chicken and egg”) structure, and this has so far proved a barrier. This isn’t because there aren’t problems to solve: here are some examples of how straightforward the business problems are.

  1. I wanted a new credit card from a UK card issuer and I couldn’t use my Barclays Bank “identity” to get it. Surely this should be one of the simplest problems to solve? I just called John Lewis to find out why a chip and PIN transaction in Waitrose had been declined (a problem with the network apparently) and it took me longer to “log in” than to deal with the issue: I had to punch in my card number, date of birth, last 4 digits of phone number and then when I got through to a person I had to give my name and the first two letters of my secret word. Surely card number followed by CAP/DPA OTP is all that is required?
  2. I can’t use my Barclays identity to log in to Barclaycard.
  3. The British government presumably trust Barclays, since they regulate them, but when I log on to sort out taxes or get my car tax I have to use completely different username/password combinations (ie, no security) instead of just linking my government “identities” to my Barclays identity for authentication purposes.

So despite having all of the technology already in place and deployed, there is no functioning two-sided market. I wonder if it’s because it’s just too complicated to either explain to senior management or make it accessible to the general public?

For the market to work, it’s pretty clear what we have to try to explain to the general public: nothing. If the public have to do anything at all, it will all go wrong. Here, we are not even close. Not even close.

I routinely use Pretty Good Privacy (PGP) and SMIME to secure e-mails and file transfers. Yet frequently, even somewhat knowledgeable IT security people get confused about which keys to use when. In order for someone to send me encrypted content, I need to send that person my public key. Similarly, I need the recipient’s public key so that I can send him or her encrypted content. We should never share private keys. That’s why they are called private. Pretty simple — or so you would think. More often than not, if the person isn’t overly familiar with PGP/SMIME, even if they’ve been using it, they send me their private key. Being the good citizen that I am, I delete their private key and ask again for their public key, explaining that with their private key, I could be them, for all digital purposes. About half the newly educated group then sends my public key back or, if they’re using PGP, their private key ring, which contains all their private keys. You might think that I’m making this stuff up, but it’s pretty much been this way with PKI and PGP exchanges since they were invented. PGP’s own Phil Zimmermann has often written on this subject.

[From Don’t trust a public PC with your digital identity | Security Central – InfoWorld]
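The confusion in the quoted column is about which blob to attach. Below is an added example (not from the original post or the InfoWorld column) of the kind of guard a mail client or file-transfer tool could run before sharing key material: it looks at the armor header of a PEM/OpenPGP block, or at the first OpenPGP packet tag of a binary export, and refuses anything that is a private key or secret key ring. The function names are my own.

```python
import re

# OpenPGP packet tags (RFC 4880, section 4.3) that carry key material.
SECRET_KEY_TAGS = {5, 7}    # Secret-Key, Secret-Subkey
PUBLIC_KEY_TAGS = {6, 14}   # Public-Key, Public-Subkey


def _openpgp_first_tag(data: bytes):
    """Return the tag of the first OpenPGP packet, or None if this is not one."""
    if not data or not (data[0] & 0x80):   # bit 7 must be set in any packet header
        return None
    first = data[0]
    if first & 0x40:                       # new-format header: tag in low 6 bits
        return first & 0x3F
    return (first >> 2) & 0x0F             # old-format header: tag in bits 2-5


def classify_key_material(data: bytes) -> str:
    """Classify a blob as 'public', 'private' or 'unknown'.

    Armored input is judged by its BEGIN header label; binary input by the
    tag of its first packet (a transferable key starts with a key packet).
    """
    text = data.decode("ascii", errors="ignore")
    header = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----", text)
    if header:
        label = header.group(1)
        if "PRIVATE" in label:             # PGP PRIVATE KEY BLOCK, RSA PRIVATE KEY, ...
            return "private"
        if "PUBLIC" in label or label == "CERTIFICATE":
            return "public"                # an S/MIME certificate carries the public key
        return "unknown"
    tag = _openpgp_first_tag(data)
    if tag in SECRET_KEY_TAGS:
        return "private"
    if tag in PUBLIC_KEY_TAGS:
        return "public"
    return "unknown"


def safe_to_share(data: bytes) -> bool:
    """Only material positively identified as public may leave the machine."""
    return classify_key_material(data) == "public"


if __name__ == "__main__":
    # Constructed samples: armor headers only, plus minimal binary packet headers.
    for sample in (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
                   b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n",
                   b"\x99\x01\x0d\x04",      # old-format Public-Key packet
                   b"\xc5\x00"):             # new-format Secret-Key packet
        print(sample[:24], "->", classify_key_material(sample), safe_to_share(sample))
```

The binary branch reads only the first packet tag, so it is a cheap pre-flight check rather than a full parser; an encrypted private key block is still classified as private, since a passphrase does not make it safe to hand out.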

If this is how a leading expert is experiencing the infrastructure, there is no chance of using it to solve real-world problems. All of the PKI has to be under the hood (as it is with EMV “chip and PIN”) so that customers just learn that — for example — when they log into any government application, they give their NI number (which isn’t secret) and then wait until they get a message on their phone asking them to enter their passcode. Seriously: we can’t go for anything more complicated than this, which seems to me to be another argument for moving toward solutions based on mobile phones.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
