[OpenID] Localhost OpenID

Rabbit xageroth at gmail.com
Wed Dec 13 15:24:45 UTC 2006


Nearly a year ago I brought up a concern and was seemingly alone on
this point so I stepped aside hoping as things developed I would have
my mind changed. I now think it really is just a difference in
philosophy so I wanted to bring this up again to see what others
think.

The best way I know to illustrate the concern is to argue for
localhost OpenID. Right now using localhost for your OpenID is
impossible because it's a local network address and is also different
for every single machine. Even though the transactions between a web
service and identity provider leverage the *user's* line of
communication, the URL is very important to OpenID. So would it be
possible to use localhost? Yes, if OpenID were concerned about
identity as a resource instead of identity as a URL.

There is a big difference between a resource and a URL but OpenID is
resource ignorant. Any URL that resolves to 64.233.187.99 is still
Google. If any of the URLs change or even the IP address, the
identity that *is* Google is not completely bound by these terms. The
important thing is the resource, not how we find it. In terms of OpenID
the URL can be changed with a juggling act but the emphasis is never
taken off the URL; there is no "identity resource" we're hoping to find
or that exists independent from its locator.

Don't get me wrong, I'm a very big supporter of using URLs as the
identifier, but only as something human usable. If a URL resolved to a
public key, for example, web services could cease to care about URLs
altogether. If a user changed identity providers, the web services
would never have to work to reclaim their users' accounts; to the web
service, the identity being handled has not changed because the
resource is the same. Along with all that, a user could use their
vanity domain as their public face and localhost as their identity
provider. "localhost/jane" would be different from all other
"localhost/jane"s because the resources would be verifiably different.
You could easily carry your identity provider with you in your pocket
on a USB drive.

What could be more decentralized than that?

Maybe I just don't get it.

-- 
Rabbit
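
An added illustration, not part of the original post: a relying party that keys accounts on the public key a URL resolves to, as the message proposes, instead of on the URL. The names makeProvider, RelyingParty and rp.example are hypothetical, and Ed25519 is an assumed choice of signature scheme.

```javascript
// Added illustration; makeProvider, RelyingParty and rp.example are hypothetical.
const crypto = require("node:crypto");

// Stable account id: SHA-256 over the DER-encoded public key, not the URL.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Stand-in for an identity provider: one URL, one Ed25519 key pair (assumed scheme).
function makeProvider(url) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return {
    url,
    resolve: () => publicKey, // what the URL "resolves to"
    sign: (message) => crypto.sign(null, Buffer.from(message), privateKey),
  };
}

class RelyingParty {
  constructor(realm) {
    this.realm = realm;
    this.accounts = new Map(); // fingerprint -> URL last used to reach it
  }

  // Challenge the provider with a fresh nonce bound to this realm, then
  // file the account under the key that signed it. Returns null on failure.
  login(provider) {
    const message = `${this.realm}\n${crypto.randomBytes(16).toString("hex")}`;
    const publicKey = provider.resolve();
    const signature = provider.sign(message);
    if (!crypto.verify(null, Buffer.from(message), publicKey, signature)) return null;
    const id = fingerprint(publicKey);
    this.accounts.set(id, provider.url);
    return id;
  }
}

function demo() {
  const rp = new RelyingParty("https://rp.example");
  const jane = makeProvider("http://localhost/jane");
  const otherJane = makeProvider("http://localhost/jane"); // same URL, another machine
  const moved = { ...jane, url: "https://jane.example/" }; // new locator, same key
  const impostor = { ...jane, sign: otherJane.sign }; // claims Jane's key, lacks her private key
  return {
    jane: rp.login(jane), otherJane: rp.login(otherJane),
    moved: rp.login(moved), impostor: rp.login(impostor), accounts: rp.accounts.size,
  };
}
```

Calling demo() yields two accounts: the two "localhost/jane" providers get different ids, the moved locator maps back to Jane's id, and the impostor's login returns null.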


