[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))

Dick Hardt dick at sxip.com
Mon May 14 02:21:38 UTC 2007


On 13-May-07, at 6:59 PM, rajeev wrote:

> Martin Atkins <mart <at> degeneration.co.uk> writes:
>
>>
>>    A) Identifiers for authentication. This is to do with preventing a
>> subsequent identifier owner from accessing data created by prior owners.
>>
>>    B) Identifiers for identification. This is to do with figuring out who
>> actually did something given only an OpenID identifier as attribution.
>>
>> As you correctly point out, XRI solves A by having a "canonical id".
>> However, unless I'm mistaken it doesn't solve B.
>>
>> That's not to say I don't believe solving A alone is valuable, though. I
>> still think that finding a way to adapt XRI synonyms to provide similar
>> functionality for HTTP URLs is worthwhile, though of course due to the
>> nature of the beast it would necessarily tie the user to whatever entity
>> provides the canonical URL.
>>
>
> I have been following the XRI and OpenID technologies with much interest and
> I have never felt caught up enough to actually post anything. But reading
> this thread, I felt the urge to respond:
>
> It appears to me that in this problem aspect, we have a workable framework in
> XRI that we should build upon. Am I misunderstanding when I say that it
> appears that we are trying very hard not to admit that XRI has something to
> offer here and re-invent the wheel?
>
> a) Identifiers for authentication: you have an i-number that never changes.
> Authentication should/is done using that i-number so there is no case of
> mistaken identity.
>
> b) Identifiers for identification: the canonical id for an i-number is an
> i-name.
>
>    - PersonA signs up for an i-name called =persona. In the background,
> Person A was actually given an i-number which is permanent
>
>        =persona -> =!1000.a1b2.93d2.8c73
>
>    - I sign up to flickr and have some objectionable content there
>
>    - 2 years later, PersonA gets a new i-name after marriage/whatever and
> wants a new i-name to show off. From what I understand, one can get a new
> i-name and still map it to one's own unique i-number.
>
>    PersonA's new i-name is =PersonMarriedName
>
>    Still, =PersonMarriedName -> =!1000.a1b2.93d2.8c73
>
>    The original i-name (=persona) is recycled and is tied to a new i-number.
>
>
> Call me a newbie and explain what I am missing here?

XRI does have something to offer, but also has what I consider a  
number of disadvantages:

+ I can click on a URL in a browser and it opens a web page. I can't  
do that with an XRI today.

+ Anyone with a domain name can create as many OpenIDs as they want

+ i-names cost real money. Many people and organizations already have  
everything they need to have an OpenID.

+ I-names introduce a brand new directory and infrastructure.

+ how you prove that *you* are the one that controls the i-number is  
a critical point of failure

I am reluctant to point out the issues with XRIs. I am biased against
them and don't think they add much value, *but* I am willing to let
the market decide and be proven wrong. Per my proposal, I think we
can provide similar value with URLs.
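
The recycling scenario discussed in this thread, as an added example that is not part of the original messages: a relying party that keys accounts on the reassignable identifier hands PersonA's data to the next owner of =persona, while one that keys on the canonical i-number does not. The Resolver and RelyingParty classes are hypothetical in-memory stand-ins, and the second i-number is a constructed value.

```python
class Resolver:
    """Toy i-name -> i-number registry (hypothetical stand-in for XRI resolution)."""

    def __init__(self):
        self._map = {}

    def assign(self, iname, inumber):
        # Re-assigning an existing i-name models recycling it to a new owner.
        self._map[iname] = inumber

    def canonical_id(self, iname):
        return self._map[iname]


class RelyingParty:
    """Stores each account under whatever key key_fn derives from the claimed id."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._accounts = {}

    def login(self, claimed_id):
        key = self._key_fn(claimed_id)
        return self._accounts.setdefault(key, {"data": []})


def run_scenario(key_by_canonical):
    resolver = Resolver()
    # Hardened RP keys on the i-number; weak RP keys on the claimed i-name itself.
    key_fn = resolver.canonical_id if key_by_canonical else (lambda claimed: claimed)
    rp = RelyingParty(key_fn)

    # PersonA registers =persona (i-number from the thread) and stores data.
    resolver.assign("=persona", "=!1000.a1b2.93d2.8c73")
    rp.login("=persona")["data"].append("PersonA's photos")

    # PersonA takes a new i-name that maps to the same i-number.
    resolver.assign("=PersonMarriedName", "=!1000.a1b2.93d2.8c73")
    # =persona is recycled to a new owner (constructed i-number).
    resolver.assign("=persona", "=!1000.ffff.0000.0001")

    return {
        "new_owner_sees": rp.login("=persona")["data"],
        "person_a_sees": rp.login("=PersonMarriedName")["data"],
    }
```

With key_by_canonical=False the new owner of =persona sees PersonA's data and PersonA, logging in as =PersonMarriedName, sees none; with True the results are reversed.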





