What's an authenticated identity?
Must be my day to ponder security topics... not usually my favorite realm.
I noticed that SixApart, makers of the popular MovableType and TypePad weblog software (truth-in-advertising: this blog uses MovableType), is touting their upcoming entry into authentication services, called TypeKey. The ostensible purpose of TypeKey is to be a free, open system providing a central identity that anyone can use to log in and post comments on blogs and other web sites. The idea is that this will cut down on comment spam in weblogs around the globe.
I was wondering how exactly they're planning to verify the identity of users before granting them authentication credentials. For instance, can I claim to be Steve Jobs and then post comments all over the web under that name? Or will I have to prove my identity first?
And just as I was wondering about that, a posting appeared in Jon Udell's weblog, "How to forge an S/MIME signature," that takes Thawte to task for issuing digital signing certificates with no proof of identity, which enables exactly this kind of spoofing.
The bottom line: proof of digital identity is not easily accomplished, especially outside the realm of formal organizations. That's why we make students come in person and show picture identification before we reset passwords on accounts that can be used for anything from email to direct deposit of student loans.