Why Are Google and Verizon Fighting Over The TPM Chip In Your Phone?

I’ll give you a hint: it’s not about using NFC to exchange business cards, and it’s not even primarily about mobile payments. Why does Google want the TPM/NFC module in your phone integrated into the phone, and Verizon wants it in the SIM card? Simple: Identity ecosystem lock-in. Verizon and Google both have a huge vested interest in providing you with an electronic identity which you can use to execute high-stakes transactions. The only good way to do that for the general public is by putting a TPM chip in everyone’s phone and wirelessly provisioning high-assurance credentials to it via their trusted service manager of choice (much like “The Highlander,” there can be only one in control of the keys for each TPM, and they each want it to be theirs).

Why do I think this? Take a look at the OIX-certified FICAM Trust Framework-approved list of identity providers. What do you notice? Verizon is LoA 1, 2 and non-crypto 3 approved, and Google is LoA 1 approved but likely wants to be at LoA 2 and 3. Why is Verizon at LoA 2 and 3? Because they have a very well-established business relationship with their customers. They know, with a high degree of assurance, who they are. How will Google establish this high-assurance relationship with their customers? Google Wallet, Google Voice and their controversial “Real Names” policy.

So why do these companies want to be your default high-assurance identity provider? Simple: vendor lock-in. Can you imagine a more powerful lock-in effect for a specific platform than the one created when you not only use it for all your financial transactions, but also to open all the high security physical doors you use? With the advent of cloudsourced security, we aren’t just talking the front door of your house or starting your car. Your workplace will likely soon move to outsourced identity for login to your workstation, access to the VPN, and even the doors to the data center. Why? It’s much cheaper and easier (and less risky) to sign a contract with Verizon or Google to provide this service than to hire the people and purchase the infrastructure to manage it yourself. It’s also much less cumbersome to use a phone which everyone in the company normally already carries, than to set up some kind of expensive and cumbersome smart card system.

So which vendor will companies buy high-assurance identity from? The one with the largest installed base.

An Idea For Remote Proofing and InCommon Silver

The InCommon Silver assurance profile has a section that allows for remote proofing of identity subjects. Many people I’ve asked about this are saving this section for “later” and aren’t going to try to do remote proofing to begin with. Someone said something to me the other day about the availability of notaries that makes me think this is possible to do in a not too terribly difficult way. Here’s the relevant section of the assurance profile:

4.2.2.4.3 Remote proofing
1. The RA shall establish the Subject’s IdMS registration identity based on
possession of at least one valid government ID number (e.g., a driver’s license or
passport) and either a second government ID number or financial account
number (e.g., checking account, savings account, loan or credit card) with
confirmation via records of either number.
2. The RA verifies other information provided by the Subject using both of the ID
numbers above through record checks either with the applicable agency or
institution or through credit bureaus or similar databases, and confirms that:
name, date of birth, and other personal information in records are on balance
consistent with the application and sufficient to identify a unique individual. If
this appears to be the case, the RA authorizes issuance of Credentials.
3. If the record checks do not confirm the Address of Record, it must be confirmed
as described in §4.2.2.5 below.

Note that it says if you can’t confirm the information provided via record checks, you have to register the subject via the address of record. Everyone seems to be focusing on the technical problem of verifying the source document numbers via Equifax or other credit bureaus, and/or state motor vehicle registries. I think people are so shocked by this requirement that they’re misdirected away from the critical pieces here:

1) You only need to register the facts of the documents presented – you can do that via notaries public that are available free of charge for customers at all banks in the US.

2) You can confirm the identity of the individual by delivery of a registration secret to an address of record. What is an address of record?

Conveniently, section 4.2.2.5 (2)(b) says:

For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.

So you can just e-mail them a short-lived registration bearer token after you receive their notarized paper form containing their identity documentation back. Can it really be that simple?  An idea for some legalese to include on the form (I am not a lawyer) might be:

I hereby declare that the e-mail address supplied on this form by me is a valid email address that is acceptable for use in official communications with me.  I am the only person who has access to this email address.

Update: 5/30/2012: Thanks to Mark B. Jones for this interesting international tidbit on consular services and the notary function: http://travel.state.gov/law/judicial/judicial_2086.html