Digital Security
Virtual Identification
By Travis Wissink
Nov 18, 2002, 19:00 PST

Online partnerships between two or more separate web sites are becoming technologically more complex as our sites become more dynamic. We no longer have the luxury of placing a simple HTML hyperlink on our site and sending our users off to the partner's site. We now have to give our users a seamless transition from our site to our partner's site. Our users do not want to log in and register at every site. Our partners want to learn more about those users, and learn it more efficiently, so that they can properly target them with their campaigns. Even more importantly, we want to properly target our own audience on our partner's site with our own polished campaigns. Luckily, there are both mature and maturing technologies, reliable and implementable today, that give our users and partners the flexibility we all now require. The methodology for accomplishing this is being termed Virtual Identification.

One of the latest requirements is to securely federate our web users' identities to our partners' sites. Users do not want to log in to many different sites, and our partners do not want to annoy their new users (and our existing users) with a complicated registration process. To federate our customer profiles we will use several open, standardized technologies.

Virtual Identification procedures are built on standard technologies that are on the market today. A number of open standards are supported both by private companies and by open source initiatives, so technology leaders have many options for meeting these IT requirements. For instance, almost all secure traffic on the Internet travels over HTTPS (HyperText Transfer Protocol, Secure). Figure 1 depicts the systems that must collaborate to fulfill the virtual ID requirement.
Figure 1
The servers can be any platform that runs a web server with a dynamic language, for instance WebLogic, Tomcat, ChiliSoft, Apache, or IIS. In the diagram the lines are the communication paths between the various systems. The communication protocols all ride over HTTP and HTTPS, and the data carried is in the form of HTML form posts and XML. The web customer uses a standard web browser on their own Internet-attached device.


Figure 2 depicts a sequence of events that a typical user will encounter while surfing between partners.
Figure 2
The user surfs to ourpartnersite.com (1). The user chooses to log in, and our partner site delivers the login page (2). The user enters their information and hits submit; the form posts to our servers (3). The form carries hidden fields that tell our servers which partner sent the user and how to respond. Our servers process the request and return an authentication status in the HTTP headers along with an HTTP 302 redirect to the user's browser (4). The redirect sends the user back to the partner's login handler, the return location named in the hidden form field, carrying the pass or fail result (5). On a pass result the user arrives at our partner's site as an authenticated user. The partner site now requests the rest of the user's profile from our servers over the secure tunnel (6), so that it can give the user a more customized experience. The profile should be transferred as XML, using Web Services, XML-RPC, SOAP, or any other mature XML transport, and over a strongly secured channel, for example an encrypted tunnel, a private T1 line, a VPN, or a similar technique.
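The six-step exchange above, worked through as an added example that is not part of the original article. Both sides are simulated in one Python file: the identity host handles the partner's form post (steps 3 and 4), the partner checks the result carried in the redirect (step 5), and the partner then fetches the profile as XML over the server-to-server channel (step 6). The user record, the partner entry, the field names, the URLs and the HMAC signature on the redirect result are all assumptions made for this example; the article only says the redirect carries a pass or fail result, and signing it is added here so the partner can tell a genuine result from one a user typed into the address bar.

```python
"""Constructed walk-through of the Virtual Identification exchange.
All data, names and URLs are assumptions for this example."""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed partner registry: per-partner shared secret (agreed in the
# partnership contract) and the return URL we redirect to. Keeping the
# return URL here, not in a hidden form field, avoids an open redirect.
PARTNERS = {
    "ourpartnersite.com": {
        "secret": b"partner-shared-secret-from-contract",
        "return_url": "https://ourpartnersite.com/login/return",
    }
}
# Constructed user store at the identity host (password kept as a hash).
USERS = {
    "alice": {
        "password_sha256": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "profile": {"name": "Alice Example", "email": "alice@example.com", "tier": "gold"},
    }
}
RESULT_TTL = 300  # seconds a redirect result stays acceptable (assumption)


def _sign(secret, *fields):
    """HMAC-SHA256 over the result fields so the partner can detect tampering."""
    return hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def identity_host_login(form, now=None):
    """Steps 3-4: the partner's login form POSTs here. The hidden 'partner'
    field says who sent the user. Returns (http_status, headers)."""
    now = int(now if now is not None else time.time())
    partner = PARTNERS.get(form.get("partner"))
    if partner is None:
        return 400, {}
    user = USERS.get(form.get("username"))
    supplied = hashlib.sha256(form.get("password", "").encode()).hexdigest()
    ok = user is not None and hmac.compare_digest(user["password_sha256"], supplied)
    result = "pass" if ok else "fail"
    params = {"user": form.get("username", ""), "result": result, "ts": str(now)}
    params["sig"] = _sign(partner["secret"], form["partner"], params["user"], result, params["ts"])
    headers = {"Location": partner["return_url"] + "?" + urlencode(params),
               "X-Auth-Status": result}
    return 302, headers


def partner_receive_redirect(partner_name, location, now=None):
    """Step 5: the browser arrives carrying the result. Accept the user only if
    the signature verifies, the result is 'pass' and the timestamp is fresh."""
    now = int(now if now is not None else time.time())
    q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    try:
        expected = _sign(PARTNERS[partner_name]["secret"], partner_name,
                         q["user"], q["result"], q["ts"])
        if not hmac.compare_digest(expected, q["sig"]):
            return None
        if q["result"] != "pass" or abs(now - int(q["ts"])) > RESULT_TTL:
            return None
    except (KeyError, ValueError):
        return None
    return q["user"]


def identity_host_profile_service(partner_name, secret, username):
    """Step 6: server-to-server call over the secured channel. The partner
    authenticates with its shared secret and receives the profile as XML."""
    partner = PARTNERS.get(partner_name)
    if partner is None or not hmac.compare_digest(partner["secret"], secret):
        return None
    user = USERS.get(username)
    if user is None:
        return None
    root = ET.Element("profile", username=username)
    for tag, value in user["profile"].items():
        ET.SubElement(root, tag).text = value
    return ET.tostring(root, encoding="unicode")


def parse_profile(xml_text):
    """Partner side: turn the XML profile document back into a dict."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}


def run_flow(username, password, now=1_000_000):
    """Whole exchange for one login attempt; the profile dict, or None on failure."""
    form = {"partner": "ourpartnersite.com", "username": username, "password": password}
    status, headers = identity_host_login(form, now)
    if status != 302:
        return None
    user = partner_receive_redirect("ourpartnersite.com", headers["Location"], now)
    if user is None:
        return None
    xml_text = identity_host_profile_service(
        "ourpartnersite.com", PARTNERS["ourpartnersite.com"]["secret"], user)
    return parse_profile(xml_text)


if __name__ == "__main__":
    print(run_flow("alice", "correct horse battery staple"))  # profile dict
    print(run_flow("alice", "wrong password"))                # None
```

The partner never trusts the bare "result=pass" in the query string: it recomputes the HMAC with the secret it shares with the identity host, and it still has to present that secret again on the back channel to get the profile, so a forged or replayed redirect yields neither a session nor any profile data.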

At this point a careful balance of technology and business rules has to be negotiated: a balance that settles on the level of security risk everyone feels comfortable with. There are many security risks on the Internet, and there are known weaknesses in the scenario above. The most obvious is that the pass or fail result in step (5) travels through the user's browser, so the partner must not accept it at face value: it should be tamper-evident (for example, signed with a secret shared between the identity host and the partner) or confirmed over the server-to-server channel used in step (6). These risks can be reduced through technology and through business rules stipulated in the partnership contract. The contract should state what information gets shared and at what level of security it will be passed. For instance, most of the profile might be editable from either the identity host or the partner site, while credit card information is edited only through the identity host's site, even though a purchase can be made from the partner site using cards already established at the identity host. Or the contract can stipulate that all editing of the profile is done at the identity host's site and never through the service providers. That lessens the service provider's technology burden but may reduce the flexibility it can offer its users. A good example is the shopping.yahoo.com site. The online service providers want to sell to Yahoo Wallet customers without imposing a long registration process, so most of them simply have the user authenticate against Yahoo Wallet and choose a credit card to bill. This gives the service provider a much less technically demanding payment feature, but it may put off customers who do not have a Yahoo Wallet.

The quickly evolving procedures of Virtual Identification are going to revolutionize our web customers' experience. They will allow our partners and us to concentrate our efforts where they belong. Using standard Internet technologies, we can take a more consolidated approach to online partnerships.

The Liberty Alliance Project - http://www.projectliberty.org/

Microsoft Passport - http://www.microsoft.com/netservices/passport/

Yahoo Wallet - http://wallet.yahoo.com/

P3P standards - http://www.w3.org/P3P/

Digital ID World - http://www.digitalidworld.com/


About The Author



The opinions expressed in this column are those of the author, not of Black Tech Magazine. All answers
are intended to be general in nature, without regard to specific geographical areas or circumstances, and
should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.



Copyright ©2002 Kweku Publishing, LLC. All Rights Reserved.
Use of this site or any contents is forbidden without written consent from the publisher.