dotgnu-auth

[Auth]ISsec Profile Providers (was Re: IDsec meeting)


From: Norbert Bollow
Subject: [Auth]ISsec Profile Providers (was Re: IDsec meeting)
Date: Thu, 29 Nov 2001 23:01:18 +0100

Mike Warren <address@hidden> wrote:

> The advantage I see here is that there is far less danger of a single
> security failure (at the Profile Provider) resulting in the release of
> potentially a lot of Profiles. If each user controls her own Profile,
> then an attacker would have to compromise each user's computer to gain
> their Profile; they wouldn't be able to attack a single point (the
> Profile Provider).
> 
> Perhaps some users would like their Profiles stored at the Profile
> Provider; this certainly could be accommodated. I think both methods
> should be allowed.

Yes.

I propose that the DotGNU's standard Profile Provider software
should be designed in such a way as to make it very attractive
for banks to become Profile Providers.  We absolutely need to
win the banks over to our side.  This is of key strategic
importance.

> > The Content Provider now has a user profile that he can use to
> > personalize content, to do accounting and/or billing (eventually in
> > combination with a third party) and any other business that he would
> > normally do with a customer database.
> 
> I've also thought that a good revenue-generating service for Profile
> Providers would be a type of virtual cash; the user can give their
> credit card information *only* to the trusted Profile Provider who can
> issue virtual-cash tokens to the user at their request. These tokens
> could be used at participating Web-services as payment (and then
> redeemed by the Web service for cash via the trusted Profile
> Provider). In this manner, the user must trust only a single service
> with their credit card information instead of a variety of Web
> services.

Actually, if the Profile Provider is a bank where the user has
an account, the payment doesn't need to be via credit card... it
could go directly from the user's bank to the merchant's bank.
(True e-banking :-).

> If such a system became ubiquitous enough, one could use such virtual
> cash tokens for many types of purchases.

I think this is a very good idea.  Because the virtual cash
tokens don't need to allow for chargebacks, it'll not have
to be complicated to gain the ability to accept them.  (Not
like a credit card "merchant account" which you'll only apply
for if you have very good reason to do so.)  This will make
them attractive to e-business merchants and even to simple
netizens who can use them to accept the occasional payment.
It will be attractive to the banks to become trusted Profile
Providers for their clients and issue virtual cash tokens for
them.

> "Mario D. Santana" <address@hidden> writes:
> 
> > Near as I can tell, the basic difference is that Flysolo's data is
> > fetched from repositories and fed to web services by the _client_.
> 
> Is there any way to verify the data? That is, Profile Providers would
> likely be more trustworthy to Web services if they (optionally, at the
> user's request) verified the data in a user's Profile.

At least here in Switzerland, banks verify customer-provided
personal information anyway (because of the
anti-money-laundering due diligence rules).  So it shouldn't
be difficult for them to optionally provide a certificate
that the user's personal information is true.

Greetings, Norbert.

-- 
A member of FreeDevelopers and the DotGNU Steering Committee: dotgnu.org
Norbert Bollow, Weidlistr.18, CH-8624 Gruet   (near Zurich, Switzerland)
Tel +41 1 972 20 59       Fax +41 1 972 20 69      http://thinkcoach.com
Your own domain with all your Mailman lists: $15/month  http://cisto.com
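
The virtual-cash flow discussed in this message (the Profile Provider issues tokens at the user's request, a Web service redeems them via the Provider), as an added example that is not part of the original e-mail or of any DotGNU code. The token format, the HMAC construction and all class and method names are assumptions made for illustration; the card value is constructed sample data.

```python
import hashlib
import hmac
import secrets

class ProfileProvider:
    """Hypothetical trusted Profile Provider: sole holder of card data and the token key."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key never leaves the provider
        self._cards = {}                     # user -> card data (constructed sample values)
        self._unspent = {}                   # serial -> amount in cents; entry removed on redemption

    def register_card(self, user, card_number):
        self._cards[user] = card_number

    def _mac(self, serial, amount):
        msg = f"{serial}:{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user, amount):
        if user not in self._cards or amount <= 0:
            raise ValueError("unknown user or invalid amount")
        serial = secrets.token_hex(16)       # unguessable one-time serial
        self._unspent[serial] = amount
        return f"{serial}:{amount}:{self._mac(serial, amount)}"

    def redeem(self, token):
        """Called by the Web service; returns the amount credited, or 0 if rejected."""
        try:
            serial, amount_s, tag = token.split(":")
            amount = int(amount_s)
        except ValueError:
            return 0                         # malformed token
        if not hmac.compare_digest(tag.encode(), self._mac(serial, amount).encode()):
            return 0                         # forged or altered token
        if self._unspent.pop(serial, None) != amount:
            return 0                         # unknown serial or already redeemed
        return amount

class WebService:
    """Hypothetical merchant: handles only tokens, never card data."""
    def __init__(self, provider):
        self.provider = provider
        self.balance = 0

    def accept_payment(self, token):
        credited = self.provider.redeem(token)
        self.balance += credited
        return credited > 0
```

The single-use check lives at the provider, so a token replayed to the same or another Web service is rejected there, and a rejected forgery does not consume the genuine token.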

