Today's login and registration systems may as well shout "Surrender!" rather than asking a user for their name and password or some other combination of identity information.
"I think the really important part of this notion is that there is contractual negotiation before the exchange of valuable goods," says Blakley, director of security innovation at Citigroup. "That happens in the real world but it's not what happens in the identity world. If I accept that identity information has value, then we need to behave like grown-ups and treat this the way the real world treats other negotiations."
Blakley describes the scenario like this: instead of a user name and password, the end-user gives the relying-party website a pointer to the end-user's identity information. The website follows the pointer and makes an offer. The end-user might agree to supply the information for a price, refuse to deal with the website at all, or agree to give up all or a subset of the identity data in exchange for using the website or service.
"The idea is a negotiation among equals rather than an act of repression," said Blakley. "Passing a pointer instead of data can fix our current problems and be made to create a single interface for both registration and authentication. That's it in a nutshell."
The current reality has websites as the power brokers and end-users often as the victims. "So in light of all the NSA news last week, it's pretty clear that the current identity exchange is flawed and we should be doing more negotiating, all the way to the transaction level."
Blakley says there are already implied contracts that the user accepts by visiting a website, "but there are not terms going back in the other direction."
He wants people thinking about their identity data as a valuable asset and to treat it like they would cash, diamonds or other valuables.
Such a negotiation system, Blakley says, protects the user and helps prevent third-parties from collecting and using their personal information.
The negotiated contracts could include restrictions on what the relying party website could do with a user's information. "The main problem that could be avoided is the use, without consent, of identity information by third-party advertisers."
Blakley says the existing infrastructure does not have to be ripped up but can instead be complemented by a new client-side API for authentication that carries new abstract protocols with it. He said it could easily be implemented with OAuth and other protocols.
"Having explicit consent-to-use is very powerful," Blakley said. "People today are relying on implicit consent and that invites legal challenges."
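The pointer-and-offer flow described above, with the consent record then enforced on every use, as an added example sketch; this is not Blakley's design, a real protocol or any existing API, and the pointer format, identity store, policy fields and purpose names are all constructed for illustration:

```python
"""Toy model of the negotiated identity exchange (hypothetical):
the relying party resolves the user's pointer, makes an offer naming the
attributes it wants and why, the user's agent answers with a consent record
covering only what the user's own terms allow, and the relying party must
consult that record before each use of the data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample store. A real pointer would be a URL the relying party
# fetches; here it is simply a key into this dict.
IDENTITY_STORE = {
    "ptr:alice": {
        "data": {"email": "alice@example.com", "birth_year": 1990,
                 "phone": "+1-555-0100"},
        # User-side terms: attribute -> purposes the user will release it for.
        # Anything absent (e.g. "phone") is never released.
        "policy": {"email": {"login", "receipts"}, "birth_year": {"age_check"}},
    }
}

@dataclass
class Offer:                         # relying party -> user agent
    relying_party: str
    wanted: Dict[str, Set[str]]      # attribute -> purposes the RP asks for

@dataclass
class Consent:                       # user agent -> relying party
    relying_party: str
    granted: Dict[str, Set[str]] = field(default_factory=dict)  # attr -> purposes
    data: Dict[str, object] = field(default_factory=dict)

def negotiate(pointer: str, offer: Offer) -> Optional[Consent]:
    """User agent's counter-offer: for each requested attribute release only the
    purposes that intersect the user's policy; None means refusal to deal."""
    record = IDENTITY_STORE[pointer]
    consent = Consent(offer.relying_party)
    for attr, requested in offer.wanted.items():
        agreed = set(requested) & record["policy"].get(attr, set())
        if agreed:
            consent.granted[attr] = agreed
            consent.data[attr] = record["data"][attr]
    return consent if consent.granted else None

def may_use(consent: Consent, attr: str, purpose: str) -> bool:
    """Relying-party check before every use: explicit consent, never implied.
    A purpose the user struck from the offer (e.g. advertising) stays forbidden."""
    return purpose in consent.granted.get(attr, set())
```

A relying party that wants to hand the data to third-party advertisers would have to ask for that purpose in the offer, where the user's terms can strike it, instead of relying on the implicit consent the article criticises.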