December 1999
Being a participant with a verifiable identity has advantages as much as operating anonymously permits privacy. Support for both is provided by the ability to alternate between two modes seamlessly.
The default mode for anonymity requires zero credentials. When credentials are required, the participant must then leave or present the proper level.
The basic modes are anonymous versus identity. Each contain multiple levels with progressively more private information.
Additional levels may be introduced between those presented here. This is merely a starting point.
For anonymous mode, the levels are:
For identity mode, the levels are:
Each record is explained below.
The general idea is to easily provide information requested by site without revealing everything to everyone. Control is at the discretion of users, not the sites.
When a site wants information of the user, this is the order of events.
As a participant wishes to use their system, he/she must authenticate. Any method may be used which is appropriate for the user. The minimum requirements are that a password be used, and if Positive Identity is used, the information must be further protected. Hardware devices such as “smart cards” or ultra high grade encryption of software based must be used.
A user accesses a particular site.
That site requests the client application for a particular record.
The client application shall acknowledge only that the request has been received but answers remain unsent at this time.
The client application prompts the user to acknowledge the information is being sent.
(Lower levels of anonymity may be configured to automatically acknowledge as a matter of user preference.)
A site must ask for a particular record and specific information from within that record.
The client application will present the user with this request as part of the acknowledgement process.
For Anonymity with Personal Preferences, if the requested information is currently missing from the record, the client application should prompt the user to add the question and answer pair. A second prompt should ask whether the user wishes to send this information.
Then, only the items marked by the user would be made available to the site.
Only acknowledged items shall be submitted to the site.
At any time, the user may limit how much information is to be made available to any site. Once information has been made available to a site, it is beyond the user’s control to revoke.
Certain records must be regulated for this to work appropriately. Just as we have state and federal identification, controls should apply to accessibility status and positive identity.
This is similar to the Washington and Minnesota state laws regarding electronic authentication. In order to use certain records, a licensed registration authority (RA) would conduct a vetting process. This ensures an individual is who he or she claims to be to a legally defensible degree.
Verification of such records must then require authentication. At least the content of those specific records should be digitally signed. The signature must come from a certification authority (CA) licensed by states with laws at least as strict as Washington State’s Electronic Authentication Act (EAA).
This is how most people currently use the internet. Web site may log the numeric IP address of request sources. The burden of identification is on the site and service provider.
This is equivalent to a session cookie in browser terminology. That is, the site may cache information on the client for identifying subsequent visits. Such information, however, is lost when the client software is restarted.
This is equivalent to a persistent cookie in browser terminology. That is, the site may store information on the client for identifying subsequent visits. Until the site requests the data to be removed or the user explicitly deletes it, the information will remain. Expiration is optional.
Country of citizenship or other locale information is provided at minimum.
This specifically addresses rating systems including those intending to prohibit children from material suited for adults.
Rather than state the participant’s age, conformity to broader notions are used.
Whether the user would be considered of major age in specific countries or states gets stated. That is, those territories which consider a minor to be anyone under 18 years old would be put into one category, and those considering anyone under 21, into another. The record would state conformity of the user being a minor by each of the criteria independently.
Other information to include is whether you are a resident of a locale which prohibits use of cryptography.
This is literally a check list.
A standard template is used providing an aliasing function. This accounts for locales changing their laws and reduces the amount of data to be listed.
Minimal identifying, however, data is used. Other information could also be compiled, but most would be deferred to the category of marketing interests (and thereby optional). See below.
Absence of this record implies you are completely unrestricted in terms of all appropriate laws. Such a statement is unrealistic worldwide. Sites with certain restrictions should prohibit access to users omitting this record.
This record should be filled by an auditable and licensed certification authority.
This addresses three aspects. First is basic configuration issues. Then, this is the proverbial blinders as much as it may be a lens for rapidly identifying items of interest.
Regarding configuration, consider the following. It’s annoying to set up your workstation then use someone else’s and find all the settings foreign. Likewise for accessing a site, you’ll want certain preferences to be personalized but portable.
The most useful example is setting base font size within a web browser. This would also address differences between implementations and platform dependencies.
An appropriate use would also permit identifying material outside your threshold of interest or taste. Specifically, those who are offended by pornography may note this and be warned upon entering a site.
An abstraction of this accounts for material not suitable for children in terms of psychological impact. For example, a site addressing child abuse may be informative and helpful but is argued whether young children should be shielded of such matters unless absolutely necessary.
Various ratings systems may be supported, but ones which introduce increasing levels of detail or granularity would be best.
Finally, identifying items of interest may be thought of as the converse of a content rating system. Most of the material suited for this area is addressed as marketing interests; see below.
One such item would specify which encryption protocols you prefer to use.
This is as basic and lengthy as any independent marketing survey.
Typical information would include age, income, membership to organizations, product usage, allegiance to sports teams, contact information, etc.
All information in this category must be optional.
Sites may deny access to users omitting this data; however, any such restriction should be addressed so the user may fill in the missing items.
This information is unverifiable by sites.
All information contained within the following records may only be revealed with user acknowledgement.
Most records contain multiple pieces of information. Upon attempted access, the client system must prompt the user for which items to reveal.
Methods of contacting you which may change are listed here.
This record contains e-mail addresses, web home page, direct telephone number, pager, etc.
This is comparable to a VeriSign Level 1 Certificate.
Details of your physical location would be specified here.
This includes postal address, map co-ordinates, telephone numbers, fax numbers, pager, etc.
Some information here may be a duplicate or conflict with items in the previous record.
This record is a digital certificate in itself.
This record must be digitally signed by a licensed certification authority (CA) conforming to the State of Washington’s EAA or similar law.
The content of this record must be minimally validated. Proof of receiving postal mail at the specified address, telephone service bills, Internet Service Provider bills, etc, must be presented to the CA’s registration authority (RA).
This is comparable to a VeriSign Level 2 Certificate.
Identification of an individual must be legally defensible.
This record is a digital certificate in itself.
Use of this identity is for things like signing a shipping bill when a package is received. Wherever use of initials are provided for in paper documents are other examples of application.
This record must be digitally signed by a licensed certification authority (CA) conforming to the State of Washington’s EAA or similar law.
Multiple forms of identification must be presented to the CA’s registration authority (RA) when obtaining this certificate.
This is comparable to a VeriSign Level 3 Certificate.
Identification of an individual must be legally defensible.
This record is a digital certificate in itself.
Use of this identity is for things like signing a petition, vendor comment card, or other non-binding documents as far as the law is concerned.
This record must be digitally signed by a licensed certification authority (CA) conforming to the State of Washington’s EAA or similar law.
Multiple forms of identification must be presented to the CA’s registration authority (RA) when obtaining this certificate.
This is comparable to a VeriSign Level 3 Certificate.
Identification of an individual must be legally defensible.
This record is a digital certificate in itself.
Conformity to laws of electronic notary such as the State of Washington’s Electronic Authentication Act (EAA) must be applied. That is, this record is your digital certificate. Use of this record has the legal equivalence of a notarized signature and is legally binding.
This record must be digitally signed by a licensed certification authority (CA) conforming to the State of Washington’s EAA or similar law.
Multiple forms of identification must be presented to the CA’s registration authority (RA) when obtaining this certificate.
This is comparable to a VeriSign Level 3 Certificate.
For automated banking or purchase transactions, a list of your accounts would reside here.
The client application should present the user with a list of which accounts to make available on a per transaction basis. That is, when a site request this record, the system would prompt you. You’d check which accounts to reveal, if any. Only then would the system respond to the remote site, sending only the information you permit.
This information is unverifiable; however, use of this record should always coincide with your digital signature. The burden of reliance belongs in the contract or order being signed: sales agreement, bank transaction, etc. Vendors requesting this information should state on all contracts that the customer is providing accurate information and revealing only their own accounts. Applying your digital signature makes the contract legally binding.
An example is a driver’s license number.
This record serves only as an alias; authentication and verification would be made directly with the respective agencies.
An example is the US Social Security Number or Passport number.
This record serves only as an alias; authentication and verification would be made directly with the respective agencies.
This would be used for automated application for a bank loan or mortgage. The information here would be your record number into the major credit bureaus.
This record serves only as an alias; authentication and verification would be made directly with the respective agencies.
This is far from complete.