DNA … Identity Crisis … A Challenge to build a globally sustainable concurrent solution!! to today’s Most nagging Problem!! Add wings to your Imagination


The Challenge & the opportunity

Bigger than Big Data!! Yes, with the advent of online social media and electronic commerce, identity theft is posing a significant threat to individuals, corporates and all kinds of organizations alike. It remains the major nuisance to be tackled … under buzz words like phishing.

Would you laugh if I suggested we should all be logging in to web-based portals and services without a password? … Is this possible?? … Feasible!!

Look at a few scenarios of how some reputed services … !!address!! … the issue …

Social media: Twitter

… Guess most of you would recognize and understand the meaning of the blue-encircled ‘tick’ shown on some users’ profiles.

E-commerce trade facilitation: eBay, Alibaba

… Credibility and transparency of the practices followed for accredited sellers/buyers. Proprietary procedures, not open to the public.

Banks and certain e-commerce portals … tackling phishing …

… Those using online banking services and electronic shopping would notice the ‘procedure’, or the sequence of steps, required to authenticate and transact online, e.g. HDFC, Axis (only for analogy’s sake).

Let’s …decipher

Identity impersonation and validation in social media and e-commerce facilitation forums …

Apart from the information provided at sign-up, most lack any validation of the entities, viz. the true identities of the user base. Phishing … can range from URLs originating from spoofed DNS to innocent-looking, simple ‘http’ links embedded in emails to relatively naïve users, … leading them to part with vital information ranging from user-name and password to credit card details etc., which is prone to be exploited to commit fraud … mostly financial in nature, like theft of funds via online funds transfer …

How to tackle these issues with available frameworks and technologies … Back to Basics

Challenge 1: Electronic identity impersonation …

Authorization into web services leveraging digital certificates, PKI and cryptography.

Challenge 2: Phishing …

Leverage embeddable plugins in web browsers and email clients, built to take advantage of a simple query against a UDDI (Universal Description, Discovery and Integration) registry.

…Interesting and exciting …isn’t it !!

Challenge 1 Problem: Authentication into a web-based service is usually based on a user-name and password ... tackling this with PKI and digital certificates.

It is assumed the audience has a basic understanding of PKI, digital certificates and cryptography. It is advised to have a good understanding of CAs (Certification Authorities) and PGP (Pretty Good Privacy). Proposed Solution:

What if the username is mapped to a public key or public certificate?? Or the public key or public certificate itself serves the purpose of the username?? …

Advantages … all the way, whether one chooses to map or use a public key or a public certificate in lieu of a username … the result … flexibility for authentication, authorization, encryption/decryption and SSO (single sign-on … OAuth).

What am I talking about: building a web-based service that serves as an IDM (Identity Management) repository for some or all of the above purposes, viz. a publicly accessible directory and lookup service (either a queryable repository of public certificates, or just a service that guarantees the reliability of information queried against a public certificate ... in layman’s terms, a digital Yellow Pages), with flexibility for users to choose and determine how much and what they want to expose (the quantum of personal information queryable from their public certificate). Jigsaw puzzle: yep, there are more crumbs / building blocks that make the solution interesting, with scope for high commercial viability.

Building an effective and viable solution. Challenges: where should the private key / decryption key sit?? What is the role of digital certificates and Certification Authorities? What part of the information should be publicly accessible and what part should be private/restricted/forbidden from public access … childish to discuss … to bring up, isn’t it!!

… What if it is embeddable into your browser (locked into your laptop / PC) for authentication into your favorite URL … voila!! … Well, most of your digital certificates currently operate on these lines, so what is new!! …

… What if the private key sits in a USB device … portable, carry it anywhere and authenticate, authorize, encrypt/decrypt on any public, private or shared system with confidence.

A discussion of the classic example: SSL … X.509, digital certificates … Certification Authorities … the chain of trust!! … decouple the private keys from the digital certificates … leverage the chain of trust … make available an online repository … of either a digital certificate with its public key or just a public key … an OO use-case-modelled solution for leveraging the opportunity and the infrastructure being built.

Building an effective and viable solution … continued

Understand: how digital certificates are currently handled, the various algorithms used in the context of security and secure communications, and the underlying mechanics, e.g. RSA, Microsoft Digest … etc. While I wouldn’t like to delve into the mechanics of the various algorithms or their advantages and disadvantages ??

I would like to draw attention to the following, viz. UDDI, Dynamic DNS, the short URLs (the links that appear in, and were made popular by, Twitter feeds), a cookie plus a challenge (say as in the digest method), and the JVM (Java virtual machine) …

A potent and potential solution: what if the user-id is just a kind of URL that resolves back to your host / computer, with a verification mechanism akin to the email validation and lookup used in SMTP … offering the context in which you can run JVM / ActiveX-enabled code-lets … what are the majority of the digital certificates purchased used for … where do they reside and what are they being used for!! Streaming code for execution

Integrate a JVM / another similar process (secure shell) within which code can execute, say patches that can be sent, a kind of OS-upgrade feature.

Scope … role … potential of biometrics. Recall … biometric authentication devices, the fingerprint scanners

… What if your thumb impression is your private key, or a subset of the key that makes up the private key … I believe “the sum of the process” that makes up RSA, fingerprint gathering, for an analogy. … The key challenge: what would constitute a public key, how would you generate one … private keys with a deciphering algorithm/logic … a combination of raster graphics, vector graphics, fractals … what not to leverage upon … I would rather not go into the details of leveraging biometrics … with several leading industry players in the market with ready, off-the-shelf solutions. … Hey, by the way, does anybody remember / recall the USB drives that come with an embedded fingerprint scanner that lets you access the data only when … guess not!!

Solution Modeling …Infrastructure Building Blocks

With most of the technology stack and building blocks … discussed!!

I believe this is the right place to kick-start a dialogue … set in motion a discussion to gather the right feedback on the building blocks and also the road blocks in solving the jigsaw puzzle.

A Big … Thank You!!

Where do we stand: an opportunity or a challenge?

I would like to sincerely thank everyone … for providing this opportunity to present a valuable paper before the right audience. Hey, I have used the three dots (…) all over this document; most of the audience, I guess, is programming-literate!! Kindly interpret the ‘…’ in a literary sense!! … humor unintended. You can reach me at

[email protected] http://in.linkedin.com/pub/venkat-ravi-shanker/5/6b8/619

The undisclosed agenda: As with any researcher and opportunist, I too aim to profit from this paper … modalities to be worked out.

Emphasising the following

An open-ended solution that lets players from established software vendors to the open-source community play a role

Respect Intellectual Property

… Issues to be addressed: with CAs already functioning … I want to build a viable commercial market opportunity … where multiple IDM service providers can compete and render services to customers … I would love to have a DNS-kind of model leveraged for IDM service rendering.

Power and potential ... embed a digital signature / certificate ... with a … VALIDATION scanner on your ... credit / debit / swipe cards ... that come with their own scanner and validation embedded in the device!! ... enter the world of digital commerce and POS commerce with confidence.

Ability to develop micro-devices for the consumer marketplace that can leverage the IDM service model for authenticating and validating end-user devices (replace magnetic-strip devices; have electronic chips embedded with IDM-validated certificates … with explorable potential for biometrics) … to the POS (point of sale) terminal … a win-win opportunity for consumers, merchants and merchandisers … to leverage the IDM.

How about embedding a pointer / key integratable with the IDM repository … into every consumer device being sold … ownership … traceable … envisage the power and potential … of the embedded ownership-id.

It is obvious that for any kind of successful solution building it is important that all actors that are part of the proposed solution participate actively, hence soliciting sponsorship and genuine interest from the industry.

Ravi Shanker KV (Venkat Ravi Shanker K)

[email protected]

00919848226880

… Issues to be addressed … continued. Well, we have all been using [email protected] as a communication / identification means … in the context of IDM … I would be looking for IDM providers to provide one with something similar, or for that matter don’t mind making this a legitimate practice, viz.: when someone tries to identify themselves with, say for instance, [email protected], the service provider (in this instance idmservice) vouches for the identity of the individual to the web service, while at the same time … if the web service requests an authentication … the idmservice provider … initiates a validation with the registered device of the identity, viz. say [email protected] … and once validated generates a valid <token> … which enables the end user with the identity, say, [email protected] to have a session with the web-service provider??
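As an added illustration (not code from these slides) of the passwordless login sketched under Challenge 1 and the IDM token flow described just above: the public key stands in for the username, the service issues a nonce challenge, the registered device signs it, and the service verifies the signature before minting a session token. Binding the service’s own name into the signed bytes is my addition as a phishing mitigation; Ed25519 is used in place of the RSA the slides mention; the names Directory, Challenge, UserID and the token format are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Directory is the "digital Yellow Pages": user-id -> public key, where the user-id is simply the
// hex encoding of the key, so the public key itself serves as the username (assumed design).
type Directory map[string]ed25519.PublicKey

func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }
func UserID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Challenge is the service's message to the device. Service (the relying party's own name) is bound
// into the signed bytes, so an answer captured by a look-alike phishing site cannot be replayed here.
type Challenge struct {
	Service string
	Nonce   []byte
	Expires time.Time
}

func NewChallenge(service string, ttl time.Duration) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Service: service, Nonce: nonce, Expires: time.Now().Add(ttl)}, nil
}

// signedBytes is the exact byte string both sides sign and verify.
func signedBytes(c Challenge) []byte { return append([]byte(c.Service+"\x00"), c.Nonce...) }
// ClientAnswer runs on the registered device; the private key never leaves it.
func ClientAnswer(priv ed25519.PrivateKey, c Challenge) []byte { return ed25519.Sign(priv, signedBytes(c)) }

// Verify runs at the service: look the key up, check freshness and signature, then mint a session
// token (constructed format). One generic error for every failure avoids revealing which ids exist.
func Verify(dir Directory, userID string, c Challenge, sig []byte, now time.Time) (string, error) {
	pub, ok := dir[userID]
	if !ok || now.After(c.Expires) || !ed25519.Verify(pub, signedBytes(c), sig) {
		return "", errors.New("authentication failed")
	}
	tok := sha256.Sum256(append([]byte(userID), c.Nonce...))
	return hex.EncodeToString(tok[:16]), nil
}
```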

Insurance … indemnify against identity theft!! Advantage …: somebody is taking the onus … that for your service … a web service or any service exposed with an interface from public networks … of guaranteeing you that a valid user is authenticating into your service?? … Get insured against identity impersonation … digital identity … etc.?? Envisage … doing a transaction at a POS terminal … or your mobile device … embedded with an applet … from the bank provider, … authenticating into the POS terminal in lieu of … potential left TBD.

Whois!! … this!! && … Where to reach me. You might wonder where this dude is dawning from. I have had a string of failures, failures in the sense of inability to capitalize on my IP, for a few years, and am perplexed at how conveniently people have “phished” my ideas, including demonstrated code … IP, whether within the company or outside. Anyhow … drop me a line or text me if you are convinced and you think you are capable of taking this to the next phase. I always had bright business ideas; having failed to protect them aptly using IP, in the belief that innovation cannot happen in a vacuum, a casual discussion of them, mostly with colleagues and friends … found their way into the market. Having looked at the runaway success they were … I always lapsed … relapsed into gloom, but am not deterred … Sure enough, I guess you got it, you are there … this is an effort I need to capitalize upon … sure enough there are a few more lying at the back of my mind …

Ravi Shanker KV 8-3-976/41, viswasanti, Shalivahan nagar, Srinagar colony, hyderabad India – 500073. [email protected]

Obviously … non-obvious!! After reading through the document, if you chanced upon this slide, well, this slide is to bring to your notice the fact that all the use cases definable in the addressable solution haven’t been derived and completed yet.

If you are a techie and you are aware of what a ‘whois’ database is and who maintains it, then it is obvious … the obvious flashes across your mind … does the current proposition offer a better mechanism to implement the ‘whois’ database?

… While you ponder upon the idea, let me take a nap; I am not sure if ICANN would be keen enough to toy with the idea and the line!!