-
Copyright © 2020, Identity Plus Inc.
New Hampshire, USA
All rights reserved
Please consult this page for questions already asked.
If you you do not find an answer here you can have your
question answered by support here.
Identity+ introduced the concept of trust sponsor, which may be any web site you authenticate to via identity+.Your trust sponsors are listed on your public profile by domain. No aditional information is presented therefore all this tells is that you have an account with that service. While this exposes no information about your person it is sufficient for a service to establish that you are a trustworthy individual and not a malicious bot: company A knows you have an account at company B, whom they trust, therefore they can trust you too. The more sites you have on your list of sponsors, the more trustworthy those sites are, and the more they trust you (see trust score), the more trustworthy you become.
With Identity+, whenever you do business with a site (a good comment, a purchase, a blog post, anyhing that helps their business) they have the possibility to award you with trust points which accumulate on your identity+ account. These are simple numbers that are averaged and aggregated in such ways as to show, in an anonymous manner, that you are an upstanding member of the society. Calculations are done in such ways that no one site can have too much influence on it. This means it is better to be somewhat trusted by many sites than be very trusted by one and not at all by many.
This is exactly the opposite to the trust score. Whenever an Identity+ certificate performs an uncivil action, businesses have the ability to signal that to Identity+, so we can take action. We started from the assumption that normal people will not engage in such activities and whoever does, is either a malicious entity or somebody who lost their certificate. This way we can block malicious behavior and notify the rightful owners of the certificate so that he or she may take the appropriate action.The intruder score is calculated in a similar manner. A singular or rare event does not have a lot of weight, but repeating uncivil behavior will result in a blocked identity+ accont.
Your public profile is your trust passport. It is meant to contain no personal or behavioral specifics but at the same time differentiate malicious entities from upstanding individuals. It is accumulated with time and it is a distilled representation of the trust a community of businesses place in you. It is the essence of the distributed trust model. Because creating a good public profile requires sustained civil behavior it is an excellent differenting factor that qickly separates nice people from malicious entities. Well intentioned people will build a great profile at no additional effort by simply going about with their lives, something malicious entities will be unable to do.
An SSL Client Certificate is an extremely powerful tool. It endows every browser with an unforgeable cryptographic identity, alowing services to lock your on-line accounts onto your devices so that nobody can log in from anywhere else.Because creating a good public profile requires sustained civil behavior it is an excellent differenting factor that qickly separates nice people from malicious entities. Well intentioned people will build a great profile at no additional effort by simply going about with their lives, something malicious entities will be unable to do.
No. Identity+ is extremely privacy oriented. We do not reveal anything about you to anoybody, not even third parties. In fact we do not even reveal the the name of your identity+ account or the device you connect from (Desktop, Mobile, etc). Businesses who identify you through our service place uinque identifiers in our databases which they receive back only when the proper certificate is present. Since you are free to change your certificates as often as you like it would be very hard for anybody to track you, other than the way they are allowed to.
Identity+ is not an Authorization mechanism, it is an Authentication mechanism (See next question), therefore it would be more appropriate to compare Identity+ with OpenID, rather than different versions of OAuth. Additionally, Identity+ operates on completely different paradigms than either these standsards. The Public / Private key cryptography used by identity+ give servers the possibility to identify client browsers without any redirects. These are mechanisms OAuth and other Authentication / Authorization standards were not built to handle, therfore a new API was necessary.
Identity+ neither compatible or incompatible, it is different. It operates on different layers in the protocol stack, and therefore they do not interfere. In theory you could in fact use them both within your system, to have both application authorization and secure authentication. If however you use OAuth purely for authentication, the two mechanisms would be redundant with respect to each other.
Copyright © 2020, Identity Plus Inc.
New Hampshire, USA
All rights reserved