Monday, April 04, 2005

A Mission for the Cybersecurity Foks at DHS?

Click here for AmazonIf the cyber-security folks at the Department of Homeland Security are looking for something important to work on, I have an idea:

How about handling identity management for the citizenry?

Because, as Bruce Schneier says, the social-security number -- a relatively short and easily guessed identifier -- shouldn't be the keystone to a person's identity.

And after the various identity-theft debacles at ChoicePoint, Harvard, Lexis, et. al., DHS could fill the void by providing a conceptually simple system for managing personal identity.

Here's the gist of the idea: DHS would create and maintain a web-site that would be used to manage and verify identity. Call it or something.

To create an individual account, a user would pick a 'handle' and a PIN, password, or pass-phrase. Upon account creation, an individual could verify their identity using the same sort of "shared secret" approach that the IRS employs when you e-File.

From the individual citizen's standpoint, the site exists to generate unique identifiers that not only designate individual identity, but are also tied to a specific merchant.

For example, say I fill out a credit application with Infiniti to finance a vehicle. Beforehand, I visit the site, login, lookup the merchant ("Infiniti Financial Services/IFS") and generate my unique identifier for IFS, which just appears to be a random bunch of alphanumeric characters. This ID is unique for me and is only useful to IFS, since it's tied to the IFS merchant account.

Thus, when IFS goes to look me up and perform a credit-check with Equifax, they would use DHS as a go-between.

DHS would provide web services to merchants to allow, say, Infiniti to go to EquiFax and ask for information on the ID I've given them. The DHS web service would broker the conversation between IFS and Equifax, translating my IFS ID to an equivalent Equifax ID that corresponds to my identity.

So instead or storing SSNs, Equifax, IFS and the other vendors now store DHS IDs. A DHS ID for an individual is different for each merchant.

Thus, if my IFS ID gets disclosed to some unauthorized third-party, I don't care. What can they do with it? Without the help of a DHS merchant, not a whole heck of a lot.

Yes, it requires some DHS integration with the IRS. But if the idea is to enventually rid the world of SSNs, then a DHS-based identity management web site -- and attendant web services -- may make a heck of a lot of sense.

No comments: