Okay, all you identity gurus. (And I know you’re reading!) Here’s today’s challenge for you. For the new project we need to make sure we have authorization to record and publish tens of thousands of events every year from all over the world. How can we be reasonably certain that the person who gives us such permission is who they say they are and that they’re authorized to grant such permission?
It’s easy on the relatively small scale of IT Conversations. We have a written contract with each of the events we publish. But that’s not scalable worldwide and with the volume we anticipate.
I thought of one way we could do this, based upon the technique that Technorati uses to allow someone to claim an RSS feed. To demonstrate that the person has some association with an event, we could require that they add some invisible unique string to the HTML of one of the web pages associated with the event. We parse the HTML, find the secret string and close the authentication loop. The only problem is that we’re then limited to events with an on-line presence.
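The claim loop described above, sketched as an added example (not code from this post or from Technorati). It assumes the secret string is carried in a `<meta name="event-claim">` tag, that the token is an HMAC over the claimant and the event's host under a publisher-held key, and that the caller has already fetched the page; the tag name, key, addresses and URLs are all hypothetical.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the publisher
META_NAME = "event-claim"             # hypothetical tag name


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def claim_token(claimant: str, event_url: str) -> str:
    """Derive the unique string for one claimant and one event host."""
    msg = f"{claimant}\n{_host(event_url)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class _MetaFinder(HTMLParser):
    """Collect the content of every <meta name="event-claim"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == META_NAME:
            self.values.append((a.get("content") or "").strip())


def verify_claim(claimant: str, event_url: str, page_url: str, html: str) -> bool:
    """True only if the page is on the event's host and carries this claimant's token."""
    if not _host(event_url) or _host(page_url) != _host(event_url):
        return False  # a token on an unrelated site says nothing about this event
    finder = _MetaFinder()
    finder.feed(html)
    expected = claim_token(claimant, event_url).encode()
    # Constant-time comparison so response timing does not leak the token.
    return any(hmac.compare_digest(v.encode(), expected) for v in finder.values)


# Constructed sample page standing in for the fetched HTML.
EVENT_URL = "https://conf.example.org/2025/"
SAMPLE_PAGE = (
    '<html><head><meta name="event-claim" content="%s"></head></html>'
    % claim_token("alice@example.org", EVENT_URL)
)
```

A match shows that the claimant can edit a page on the event's host; whether that person is authorized to grant publication rights is still a separate question.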
Got any better ideas for this one?