12:36 PM

Could there be a Potential Privacy Issue with VeriSign's OpenID and its Internet Directory Name Services?

VeriSign (NASDAQ: VRSN) recently won an important deal with Microsoft (NASDAQ: MSFT) choosing its secure OpenID log-in technology for users of HealthVault to safeguard their medical information.

[Microsoft Selects VeriSign to Provide Secure Log-In for HealthVault Users from VeriSign]

This was a feather in the cap for VeriSign which has been working hard to establish its credentials as a provider of a growing number of secure computing services.

I spoke with Gary Krall, technical director of VeriSign's OpenID platform. "Microsoft chose our solution because we offer strong authentication services along with OpenID, this offers extra security." This extra security is part of the VeriSign Identity Protection system which offers "end-to-end identity protection."

Here is how it works:

When a user logs into their HealthVault record using VeriSign OpenID secured with a VIP credential, they will be prompted for their OpenID user name and password, and then asked for a one-time-password (OTP) generated by their VIP credential. The process makes it extremely difficult for fraudsters to access accounts illegally because it combines something users know (user name/password), with something they have (a VIP credential). Moreover, as the same credential can be used by other members of the VIP network, users have the convenience of utilizing these credentials to secure their identities across multiple Web sites.

Extra security is exactly what users need to safeguard medical data. Mr Krall said that the authentication is carried out on very secure servers situated in data centers around the world with high reliability. "It is probably a better use of Microsoft's resources to have someone else run the secure systems for them."

Microsoft has run into security problems in the past but it is rebuilding its reputation, its probably better to outsource that function to a company such as VeriSign, which already has a good brand in security. Also, VeriSign is one of many providers of OpenIDs, others include Google, Yahoo, AOL etc. Those other companies are more direct competitors to Microsoft in key Internet markets, again, making VeriSign a better choice.

VeriSign Labs . . .

I also spoke with Fran Rosch, vice president, Identity and Authentication Services. "The identity service is developed in VeriSign Labs and we don't yet have a business model for it. We are looking to launch additional services around OpenID that could give users greater control over their information."

This makes perfect sense for VeriSign to distinguish its OpenID by offering additional services. And it is something other companies offering OpenIDs will need to do if they want to build a business around these "community" IDs.

OpenIDs need DNS services . . .

Potentially, VeriSign could extend its services way beyond the means of anybody else because it helps run the core of the Internet with its Domain Name System (DNS) servers. Every time your web browser pulls up a website it consults a DNS server to find its location. It's a huge number of queries. [ The Domain Name Primer]

During the 1st quarter, VeriSign processed loads of more than 50 billion Domain Name System (DNS) queries per day, with each query representing an instance of an Internet user accessing a Web site or through sending email. The VeriSign DNS continued to maintain 100% operational accuracy and stability throughout 2007 - just as it has for the past decade.

The VeriSign Domain Report – June 2008 >>

Interestingly, every OpenID is also a URL that means the use of OpenID naturally requires the services of VeriSign's DNS.

Potentially, VeriSign could track OpenID users across the Internet. This could be seen as a positive thing because it would be a way to authenticate users according to their activities and make it difficult for others to engage in illegal activities around OpenID.

There is also a possible negative privacy issue since Americans are extremely sensitive to any type of tracking IDs even though normal Internet use already provides a plethora of tracking technologies through cookies and other means.

A privacy issue . . .

I asked Mr Rosch if VeriSign's DNS business could be combined in some ways with its OpenID services. He agreed that this could be an issue if VeriSign did that but he assured me that the company's very strong privacy regulations would not allow such a business combination.

Still, it seems that the two could be combined for positive purposes, after all, VeriSign's OpenID services already require the use of VeriSign's DNS system.

Could there be a potential privacy issue here? Or could a close interface between secure OpenID services and the Internet's core directory produce a more secure system of protection and authentication for OpenID and encourage its use?

Let me know what you think.