Archive for the ‘OpenID’ Category

Jul
08
Filed Under (Identity Verification, OpenID) by Chris Madsen on 08-07-2008

Posted via PRWeb:

Washington, DC (PRWEB) July 8, 2008 — Trufina Inc. (http://www.trufina.com), the leading provider of online identity verification (http://www.trufina.com) services, is partnering with Identity.net, a web identity platform. By partnering with Trufina, Inc. for identity verification, Identity.net provides users with the option of verifying their identity attributes once and then reusing that verified identity information across the Internet. The combined solution puts the user firmly in control of their identity information, and allows them to share their data on the web as they see fit, without having to verify their identity information over and over again.

Identity applications are going mainstream and the Trufina partnership with Identity.net offers additional ways to securely share their identity information online. Interestingly, according to JanRain, a leader in the OpenID community, there are presently over 13,000 websites accepting OpenIDs, a leading Internet Identity Protocol. This represents a growth of 50% since the beginning of 2008. The Identity.net platform is the first to empower users to share (in a verifiable way) what they want with who they want using open, portable technology.

“As with all Trufina partners, Identity.net contractually adheres to Trufina’s data use policies, and Trufina’s commitment to the consumer, to assure individuals maintain full control of their identity. Trufina, in turn, adheres to industry leading security practices, as well as identity verification standards, to ensure we provide our partners with accurate identity information,” said Trufina’s President/CEO, Chris Madsen.

Identity verification is a prime building block for the identity-based services that drive the development focus for Identity.net. “Our research has identified 20 significant transaction types on the web where identity is a major consideration of people deciding whether or not to enter into a transaction. The partnership between Identity.net and Trufina is an important step towards enabling internet users to build trust in their online interactions, by establishing verified identities on the web that are portable across the growing array of ways that people use the web”, said Identity.net’s Chairman and CEO, Rob Monster.

“Identity.net is giving consumers unique ways to present their identity information, and control its use – setting the stage for flexible and powerful applications. Utilizing Trufina’s ID Server API, Identity.net is providing verification of individual customer attributes seamlessly. Notably, the Identity.net team completed integration utilizing Trufina’s API’s in less than a week,” says Jim Adler, President and CTO of Identity.net.

About Identity.net

Identity.net is the first identity platform to deliver a compelling value proposition to consumers, and publishers, while enabling the consumer to remain in full control of what is known about their identity. The company’s technology is protected by more than 53 issued patents, and based on more than a decade of advanced research in the field of online identity.

About Trufina, Inc.

Trufina is the leading provider of online identity verification and identity management services, enabling individuals to verify their identity attributes online, and providing the identity management tools for sharing that verified identity information with individuals and websites across the Internet. Trufina offers a unique method of building trust on the Internet. As the independent “trusted source” for id verification, Trufina protects the privacy of the individual while limiting the opportunity for fraud and identity theft from partnering websites. Based in Annapolis, MD, Trufina can be found at http://www.trufina.com.

Contacts for Press and Analysts:

Jim Kinchley

301.951.8998 x3

pr(at)trufina.com

###



May
21

There’s lots of good stuff in the New Scientist article Don’t let cyber-spite ruin your good name, and a bunch of great companies mentioned – ClaimID, TrustPlus, and ReputationDefender. The issue is not just reputation, and the protection of your reputation (which is certainly the end result), but is the person posting a comment, negative or positive, really real or completely anonymous?

Just like in the real world, someone is more likely to shout some craziness from the bleachers, versus in an in person forum, where they have to introduce themselves in some fashion but they do have to prove they are identifiable.

Don’t let cyberspite destroy your good name

You buy a television on eBay. When it arrives, you eagerly unwrap it, only to find it is badly scratched. You return it, and leave a negative comment about the seller on the site. The next day, you find the seller has retaliated by posting a nasty comment about you, branding you as a time-waster. Suddenly, no one wants to sell to you and your reputation is in tatters.

Until now eBay’s rating system, which allows users of the auction and trading site to leave good or bad comments about their trading partners, has worked well. Sellers who ship out damaged goods, or items that do not match their online description, rightly get a black mark against their name. However, this system has recently come under increasing pressure from an all-too-human failing: spite. Sellers can easily retaliate against buyers who have named and shamed them, leaving unwarranted but highly visible comments – perhaps claiming that the buyers do not follow through with purchases, or needlessly return items they have bought.

Fear of this retaliatory renegging can deter buyers from posting negative comments about their trading experiences. In turn, this threatens to undermine the trust that buyers place in sellers’ ratings.

So severe has the renegging problem become that this month eBay was forced to change its rating system, preventing sellers from posting negative comments about bad buyers on the site.

In an online auction site like eBay, your reputation is your livelihood. Economists Daniel Houser of George Mason University in Fairfax, Virginia, and John Wooders of the University of Arizona, Tucson, have shown that sellers with positive ratings are able to sell items at higher prices, because buyers will willingly shell out greater sums just to be sure they are buying from a trustworthy source. And more people are likely to bid on items offered by those of good standing (Journal of Economics and Management Strategy, vol 15, p 353).

In a study to be published in the Journal of Consumer Research next month, Amar Cheema of Washington University in St Louis also found that when a seller’s reputation is less than squeaky clean, bidders are more likely to scrutinize additional costs such as shipping charges and bail out if they are too high. When the seller’s reputation is good, however, buyers are less interested in such surcharges, and sellers are more likely to secure a deal.

Trading websites are not the only place where nasty comments can have serious financial implications. When someone writes something malicious about you online it can be read by anyone typing your name into a search engine for years to come – including potential employers and university admissions staff. And as the number of websites that people use to buy and sell or make new friends and business contacts increases, so too does the need to guard against such acts of cyber-spite.



Sep
05
Filed Under (Identity Management, Identity Protection, Identity Verification, OpenID, Privacy) by Chris Madsen on 05-09-2007

I saw this post by Bob Blakley about the meaning of OpenID, and I thought it brought up some great questions. We, at Trufina, have been following OpenID, Cardspace, and various other ID initiatives, for a long time (in internet years), and hope these initiatives become widely adopted. Anyway, here is Bob’s post, and my comments follow:

September 04, 2007

What is OpenID for?

Blogger: Bob Blakley

There’s been a bit of a dust-up over OpenID recently in the blogosphere. First Eugene and Vlad Tsyrklevich published a paper at BlackHat 2007 outlining a bunch of weaknesses in OpenID. Then Stefan Brands amplified the critique in a long blog post. David Recordon fired back in a post of his own, in which he expresses confidence that OpenID 2.0 will fix all of OpenID’s problems. I have less confidence than David, but I’ll leave that topic for later. What I’d like to do first is talk about getting the horse before the cart.

What I’d really like to see, as a security guy, is a problem statement and a risk analysis.  Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question:

1. What are the assets to be protected?

What do OpenID’s designers intend it to be used to protect?  Blog comment lists?  Blog entries?  Persistent consumer accounts on commercial servers?  Persistent employee accounts on corporate servers?

2. What are the services to be offered?

What services do OpenID’s designers intend it to offer?  Authentication of users as the legitimate possessors of OpenID URLs?  Linkage of OpenID URLs to user accounts on web-facing systems?  Linkage of OpenID URLs to user attribute information (e.g. Information Cards)?

3. What quality of protection is claimed for these services?

Is the OpenID protocol intended to protect against phishing?  Is it intended to protect against man-in-the-middle attacks?  Is it intended to protect against attempts by one OpenID party to induce another party to execute malicious code?  Is it intended to protect against session-splicing or session hijacking?  Is it intended to protect against active or passive wiretapping?

4. What is the threat model?

What threats is OpenID designed to protect against?  Accidental failures at a participating party?  Malicious behavior by users?  Malicious behavior by relying parties?  Malicious behavior by OpenID providers?  Wiretappers?  Hackers attempting to penetrate a relying party?  Hackers attempting to penetrate a provider?  Hackers attempting to penetrate a client system?  Cryptanalysts?

5. What is the trust model?

Who trusts whom to do what? Does the user trust the OpenID provider to actually check his password? Does the provider trust the relying party not to send maliciously constructed OpenID URL strings? Does the relying party trust the provider not to reissue OpenID URLs to different parties at different times? Does the relying party trust any particular OpenID provider to issue OpenID URL strings in a particular part of the namespace (e.g. “.gov”?)

All the arguments about OpenID are entertaining, but the claims and counterclaims are very difficult to evaluate in the absence of a coherent problem statement which includes answers to questions like these.  The OpenID 2.0 Specification signally fails to address these issues; in this sense it’s a solution looking for a problem.

This is my comment:

Bob, great questions/suppositions… Please excuse some responses: 1) Is the answer SSO or more? It would seem that the 1.1 spec is intended for exactly that, and the 2.0 spec is out there still because (IMHO) the answer to your question has not been decided upon (please correct me if I’m wrong). 2) I’d say that’s a ‘yes’. 3) If the answer to 1) is right, I’d say no. If not, great question. 4) Humm, that’s a lot of different trust scenarios, but the first one is the question – what trust model does the community really believe OpenID will solve. 5) Seems that the only thing is that someone has been able to authenticate against a valid OpenID enabled URL.

I don’t think the 2.0 spec is a solution looking for a problem – the 2.0 spec solves a great many issues. To me the question is – whether or not the community wants to support the added complexity of the 2.0 spec to solve the problems it solves. The 1.1 spec is perfect for SSO scenario, with little or no trust model, IMHO.



Jun
05
Filed Under (Identity Management, Identity Verification, OpenID) by Leslie on 05-06-2007

There’s a terrific article by J. Nicholas Hoover in Information Week that outlines the current landscape of online identity management. Hoover concisely explains some of the toughest issues facing the IdM community: verification, authentication, user-control, and portability, just to name a few. He sums it up well:

“Most people don’t want their personal information–name, e-mail address, accomplishments–available for anyone to see at any time. One of the challenges of digital IDs and credentialing systems will be to give users control over what gets shared, when, and with whom. The Web’s cloak of anonymity must stay in place unless we tell it otherwise.”

As Hoover explains in his article the current online identity landscape is somewhat fragmented as folks debate which technologies will surpass others. There are identity verification services and identity management platforms. There are reputation systems and ways to gather your online information. And there are ways to do background checks or to monitor your credit status.

At Trufina we talk about these issues every day. And we don’t have all the answers. But there are a few values we’re committed to. These form the basis of our product strategy and guide our decisions when we consider new ideas for products or services.

We believe that you should be in control of your personal information online. We believe that you should have confidence in online transactions. And we believe that you should be able to protect your privacy (and your children’s privacy) online.

We think the conversation needs to shift, and that we should spend less time talking and more time listening to what people actually need and want. The explosive growth of the Internet and so-called “Web 2.0” sites and services like MySpace, YouTube and eBay means that issues of online privacy, security and trust have become critical. As a community we need to solve them. I suggest that we take a page from the Web 2.0 handbook and collaborate with our users to figure out the right solutions.



Aug
28
Filed Under (Identity Verification, OpenID, Social Networking, Trufina ID Cards) by Chris Madsen on 28-08-2006
A new build of Trufina’s Identity Manager was released today. This subscription based service is located at http://www.mytrufina.com/ and provides the dashboard where members can manage and share information about themselves with others on the internet.
“We hope this new release will make it easier, and more effective, for our users to share and control their information.” said Chris Madsen, CEO for Trufina. “This release also supports the foundations of what will soon be our full blown support for OpenID, which will hopefully become a ubiquitous way of sharing information across the internet.”


Jul
14
Filed Under (Identity Verification, OpenID, Social Networking, Trufina ID Cards, Windows CardSpace) by Chris Madsen on 14-07-2006
Hello, and welcome to the new Trufina blog! This is going to become the place to find information about how to put Trufina to work for you, as well as a place to find links and commentary on the topic of consumer-centric identity verification and management.
At Trufina we strive to lead in the development and deployment of the most advanced identity verification and management solutions targeted to individuals. Along with our partners, we are committed to making trust a central part of the online experience.
Our corporate culture is one founded on trust as well. We value respect for others, honesty and integrity. Everyone at Trufina has a true desire to make the internet safer, and is focused on creating innovative products and services which can be utilized by the next generation of online communities, social networks and web aware applications.
Please stay tuned to this site for up-to-date information about the happenings within this space and within our company.