Evan Schuman's StorefrontBacktalk

At the same time, there are aspects of these offline transactions that are not privacy-protective. The movie theater attendant who checks an individual’s driver’s license needs to know only that the individual is over age 17, but looking at the driver’s license reveals extraneous information, such as the individual’s address and full date of birth.”

Are certificates the best way to deal with that shortcoming? It’s not so clear that that is advisable.

Here’s a classic “what could possibly go wrong?” scenario, again from the report: “Ann learns that her recently issued bank card and her new university card are both Identity Ecosystem-approved credentials. She also discovers that her E-mail provider and social networking site accept both of these credentials, while her healthcare provider and local utility companies accept the higher assurance bank card. Ann decides to log in to her E-mail and social networking site using her university card, but uses her bank card to log in to her health and utility services. Now she no longer has to remember tens of different usernames and passwords and can conduct different risk transactions with appropriate levels of authentication, all without having to obtain an additional credential.”

Here’s one that will generate seizures among our PCI enthusiasts: “A small business wants to start an online store. It decides that participating in the Identity Ecosystem will eliminate the need to develop costly account management features. Moreover, the effort required for a potential customer to establish an account at the store will be decreased—in many cases, customers will not need to establish an account at all to make a purchase. The business wants the full benefits of the Identity Ecosystem, so it meets the published, transparent requirements and receives a trustmark. Customers can see that trustmark and know that the business complies with the policies of the Identity Ecosystem. The business then selects three types of credentials that meet its security requirements. There are 12 identity providers that meet the businesses requirements, and they have issued a total of 30 million credentials. As a result, the business immediately has a base of millions of potential customers who can safely and easily shop at the online store without enduring the inconvenience of manually entering information to create an account.”

Will these consumers have their purchase history tracked nationally? Will this E-tailer be able to match the CRM with other E-tailers? Will an identical credential make this person easier to track online, in the social media world?

Here’s one for the HIPAA fans to go crazy over—from the report: “Ali wishes to fill his medical prescription online. He authenticates to an online pharmacy using a small plastic token that he stores on his keychain. Ali submits his request for the pharmacy to fill his prescription on its secure Web site. Ali’s attribute provider provides authoritative proof that he is over 18 and that his prescription is valid. Since the Web site and attribute provider are trustmarked and use privacy-enhancing technology, no unnecessary information is exchanged in this transaction. The pharmacy is not told Ali’s birth date or the reason for the prescription. The technology also filters information so that the attribute providers—the authoritative sources of the age and prescription information—do not know what pharmacy Ali is using. Ali is able to quickly and easily fill his prescription online. The privacy protections are conveniently built into the Identity Ecosystem, so Ali receives those protections automatically.”

Where to start with this one? “Ali’s attribute provider provides authoritative proof” that “his prescription is valid”? That’s a neat trick. How is this attribute provider to verify the authenticity of the prescription? Is it checking with the physician who wrote the script? And doctors will be told to answer the questions of attribute providers instead of pharmacists?