A Free Way to Establish Identity

I was talking to someone recently who was complaining about spam and how it is getting worse every day. Now, I have always contended that to control spam there’s only one requirement: Establishing the identity of the sender.

Doing this requires that messages be signed with digital signatures. Then, if a message arrived without a signature, your e-mail client could trash it or otherwise handle it as being “improper.”

Digital signatures require a digital certificate that is appended to the message along with a message digest — effectively a checksum of the message contents combined with the digital certificate. Digital certificates can be issued by a number of certification authorities, such as Verisign, a pioneer in this technology.

When a message is received, the identity of the originator can be established by referring the attached certificate to the certification authority, which should be a known and reputable organization. The certification authority’s reputation is important, as I’m sure you would not accept certificates from unknown authorities, such as The Unknown Certificate Company or Spam ‘R Us.
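
As an added example (not from the original column), here is how a mail client could apply the first step of that policy, assuming S/MIME as the signature format, which the column does not name. The function name triage, the three verdict strings and the sample messages are constructed for illustration; the signature blobs are placeholders, and a "verify" verdict still has to pass cryptographic verification and a chain check against trusted certification authorities.

```python
from email import message_from_string

SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
OPAQUE = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def triage(raw: str) -> str:
    """Classify one raw message as 'unsigned', 'malformed' or 'verify'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload() if msg.is_multipart() else []
        proto = str(msg.get_param("protocol") or "").lower()
        # Detached form: exactly two parts, the content and then its signature.
        if (proto in SIG and len(parts) == 2
                and parts[1].get_content_type() in SIG):
            return "verify"      # hand to a real S/MIME verifier + CA chain check
        return "malformed"       # claims to be signed but cannot be checked
    if ctype in OPAQUE:
        # Opaque form: content is wrapped inside the signed-data blob.
        # enveloped-data is encryption only, so it is not a signature.
        smime_type = str(msg.get_param("smime-type") or "").lower()
        return "verify" if smime_type == "signed-data" else "unsigned"
    # Everything else is unsigned, including a .p7s file that merely rides
    # along as an attachment in multipart/mixed and covers nothing.
    return "unsigned"

# Constructed sample messages; "AAAA" stands in for a signature blob.
HEAD = "From: alice@example.com\nTo: bob@example.com\nSubject: hi\nMIME-Version: 1.0\n"
BODY = ("--b1\nContent-Type: text/plain\n\nHi Bob.\n"
        "--b1\nContent-Type: {sig}; name=\"smime.p7s\"\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
SIGNED_CT = ('Content-Type: multipart/signed; micalg=sha-256; boundary="b1";'
             ' protocol="application/pkcs7-signature"\n\n')
PLAIN = HEAD + "Content-Type: text/plain\n\nBuy now!\n"
SIGNED = HEAD + SIGNED_CT + BODY.format(sig="application/pkcs7-signature")
BROKEN = HEAD + SIGNED_CT + BODY.format(sig="text/plain")
LOOKALIKE = (HEAD + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
             + BODY.format(sig="application/pkcs7-signature"))

if __name__ == "__main__":
    for name in ("PLAIN", "SIGNED", "BROKEN", "LOOKALIKE"):
        print(name, "->", triage(globals()[name]))
```

Only the "verify" verdict moves on to certificate checking; the other two can be trashed or flagged as improper without any cryptographic work.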

But a useful certificate from a reputable certification authority costs money. Sure, Verisign has been distributing certificates for free, but that doesn’t help — the free certificates don’t ensure that the identity of the certificate’s owner can be established. From the point of view of authentication, the freebie certificates are about as much use as presenting your official Dick Tracy Detective Club membership.

Useful certificates start at US$9.95 per annum, which is not much. But I think it’s a fairly safe bet that the majority of Internet users won’t pony up for something that won’t have obvious and immediate value to them. When the volume of spam they receive exceeds 50 per cent, then 60 per cent, then 70 per cent of their e-mail, well, they may feel differently.

But even though they will eventually see the need for an effective method of dealing with spam, it will be years before the majority of users feel forced to do something. By that time, the end of useful Internet e-mail will be upon us.

What we need to do is get certification into the market as soon as possible. To have any impact, getting and using digital certificates must be easy to do, and when it comes to appealing to the majority of Internet users, the great motivator is the word “free.”

So, I have this idea: Banks and other institutions that know their customers well should give away certificates. They should do so in cooperation with Verisign or some other reputable authority, or even set up their own certificate authority. Because these organizations know their customers, they can realistically and inexpensively establish a customer’s identity.

And then these sponsors, along with the Internet Engineering Task Force, the World Wide Web Consortium, the Internet Mail Consortium, Microsoft, IBM, Qualcomm and other groups and vendors with Internet interests, should promote the need to use the certificates.

So, what’s in this for whom? To begin with, it would prevent what would otherwise be inevitable — the complete breakdown of Internet mail, so the plan is in everyone’s interest.

For the banks and other financial institutions, the win is to create a public infrastructure that supports commerce in general and financial transactions in particular. And vendors such as Microsoft, IBM and Qualcomm become confirmed as market leaders and visionaries and receive a more stable infrastructure in which to sell their products.

So what do you think? Will it work? Will financial institutions and vendors see the opportunity? Can users be encouraged to use digital certificates? What will the problems be? Let me know.