Skip to main content

Using .gov Email Addresses For Age And Information Verification

Over the years we've experimented with ideas that leverage what can be thought of as civic trust infrastructure to address trust related problems on the Internet. 

Previously we created a browser extension and proxy service that allowed users to use access to their IRS Get Transcript ONLINE access as a way to procure trustworthy cryptographic ID certificates. 

Essentially treating access to the Get Transcript ONLINE service as automatic ID verification and using that to issue (via a web proxy) ID certificates. 

We also developed the trust relay protocol, a similar approach that leverages existing sources of trust as a means to address internet trust challenges.

These experiments ultimately lead to the development of the Certisfy app and service.

We have launched another significant experimental approach, leveraging .gov email addresses as a mechanism for bootstrapping a cryptographic trust chain. Think of this as a sort of web of trust implementation.

Ideally, organization level validation would be preferred over email validation but .gov email addresses come with robust vetting by the holder, thus one can think of them as a store of trust. 

We've enabled domain whitelisting on the Certisfy platform that allows holders of .gov email addresses to self-validate (via email or DNS) and procure a trust anchor certificate, thus enabling them to issue trustworthy certificates. 

In effect, if you have a .gov email address you can act as a certificate authority (CA) who can issue trustworthy certificates that can be used for information verification on the internet.

The process is simple:

  1. Create a trust anchor document (simple name/value pair) via the Certisfy app.
  2. Generate a certificate request (CSR) via the Certisfy app.
  3. Submit the request with email (or DNS) selected as your validation type.
  4. Check your .gov email for validation link and validate.
  5. If validation is successful, you will be able to download (via the Certisfy app) a trust anchor certificate that you can then use to issue (via the Certisfy app) trustworthy certificates.

Leveraging our existing civic trust infrastructure has an untapped potential for addressing all sorts of internet trust challenges. Consider these common internet problems:

  • Underage access to inappropriate content.
  • Ticket scalping.
  • Romance scams.
  • E-commerce scams.
  • Fake reviews.
  • Bot swarms. 

These are all problems due to the fundamental lack of an information trust infrastructure that is compatible with the internet. Internet compatibility has to include use-case coverage, technical scalability and a strong privacy profile.

The Certisfy platform implements an approach that has a strong privacy profile while facilitating information verification for virtually any type of internet/online use case, including even off-line use cases. 

Comments

Popular posts from this blog

From a secrecy model of information security to a usage authentication model

We continue to be plagued by data breaches, password and credit card dumps, healthcare records...etc. One of the reasons many of these breaches continue to be devastating and effective for cyber criminals is because our current information use infrastructure/architecture relies on secrecy as the primary mode for preventing the misuse of information. Secrecy simply means only the people who have the right to use a bit of information have access to it, when that assumption breaks down as it does with data breaches, the related information can lose some or all its value. For instance a compromised credit/debit card number means getting a new number. A compromised password database means changing the passwords...etc Secrecy has its use as a privacy preserving mechanism but is fairly flawed as an information usage authentication mechanism. The idea of secrecy as the mechanism for controlling the use of information is deeply ingrained, so much so that even people who should know better often...

How to prevent being scammed via phone calls using Certisfy

Just as we are plagued by data breaches because of our reliance on secrecy as our model of trust assertion instead of just-in-time information verification, we are similarly plagued by scams related to our inability to verify unknown contacts.  Calls, text messages, emails, etc from unknown sources are now a major source of scams, cyber extortion and such. As was demonstrated here , Certisfy stickers backed by cryptographic certificate signatures can address this type of trust problem too. If for instance your doctor's office or other place of business that you have a legitimate business relationship with calls you, they can simply begin the message with a sticker code such as below. You can put that sticker code in the Certisfy app and verify the identity and related information, including for the contact source identifier (phone number, email address...etc).  If a message doesn't start with a verifiable sticker code, you drop it immediately, this effectively kills all such ...