Technical Challenges of Communication: Authentication

I guess this is going to be a series of blog posts on this subject. For me, this is a lot of thinking out loud and trying to figure out whether there’s something in here for me to tackle (with my nonexistent spare time), so I appreciate the comments.

As commenters Oxa and Chris (in the post before last) note, OpenID is one of these emerging protocols that would seem to be helpful here. Sort of. Here’s the technical side of the problem we face: When a citizen signs a letter (or joins into one of these many-to-one communications), how does the congressional office know that that signature is legit? Currently, the only authentication in the process is citizens providing at least seemingly-real addresses, but as one staffer at the CMF conference noted, there are people (maybe not many, but at least one) who are using other people’s names and addresses when submitting letters to Congress.

A technical solution here would be for congressional offices to implement some (whatever it might be) form of authentication, and someone at the conference (apologies I forget who) mentioned conceivably using the e-Authentication system (in development) at GSA (iirc). That would authenticate people against bank accounts, possibly. (And someone else at the conference raised the question of whether that was fair to all.)

The problem gets a little bit worse if someone wants to implement one of these communications methods outside of the Capitol. In this case, not only does one have to do the authentication as above (and probably without the GSA’s help), but one has to then be able to convince congressional offices that the signatures being relayed are legit. It’s one thing to authenticate at the time of signature, and quite another to be able to prove to someone else that you did the authenticating. (Well, proving may not be necessary. Trust is another solution.)

Of course, these issues have been completely solved at the lowest technical level in the world of encryption. The issue here is a matter of how to implement it so it’s not limited to geeks with PGP keys and congressional offices with geeky staffers who can verify PGP signatures.

But, now as for OpenID in particular. Actually it doesn’t solve the problem because there is no way to tie an OpenID to a real-world name and home address, which is what we really need. OpenID, for readers who haven’t seen it yet, is a sort of global login identifier that you would use to log in at any website, rather than giving a different username and password for each website you use. It’s a great idea because, most interestingly, it is a completely decentralized system, and an open standard.

OpenID is certainly a good place to start if you want to build a system that is going to have broad applicability (i.e. “open use” ?) beyond verifying signatures on letters to Congress. How to co-opt OpenID into this is an open question, as far as I know. (I’ve talked about it ever so briefly with Andrew Lee at Fantasy Congress. And, also, I noticed that the idea of authentication was listed on the Gateway to Gov wiki some time ago, just to mention. Also, I know people in the OpenID and FOAF communities have thought of issues like this, but I don’t believe anyone has tackled it head-on.)

To do the actual authenticating, really the only practical way that I know of is using credit card billing addresses — charging users a nominal fee to authenticate, and then returning the money (or not).

So here’s the bottom line as I see it now: An authentication system is the primary thing we need if we’re going to have new forms of congressional communication. Building the core of this system based on credit card billing addresses should take about a week. I would do it myself except that the system must process credit cards and possibly needs to hold onto some personal information (certainly not the credit card number, but a name, home address, and an encryption key, for instance), which makes the site a huge liability and responsibility.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s