[OpenID] On the portability of identifiers
Martin Atkins
mart at degeneration.co.uk
Thu Oct 30 21:18:58 UTC 2008

I don't disagree with your sentiment here. There are two ways to fix this:

* Find a way to make URLs and email addresses portable like XRIs.
* Promote XRI and get it adopted on a broad scale, rather than just by
  early adopters.

To be honest, at this juncture I find the first of these more attractive
than the second. While XRI is a nice concept and I don't disagree that
it solves some interesting problems, it's clearly having trouble getting
adoption and unless someone has a great idea on how to get it more
adopted I'm going to have to take the attitude that URLs and email
addresses are what we've got and we need to make the best of them.

I'd like to think that there is a way that we can take some of the great
ideas from the XRI specifications and apply them to URLs and email
addresses, rather than throwing away everything and starting again.
(Sorry Drummond! :) )

Andrew Arnott wrote:
> Let me prelude this email with the sincere hope I have that OpenID can
> succeed. But it has a problem, as I see it, that I'm interested in
> hearing people's take on.
>
> First, let's review that there are 2 actual Identifier types, with a
> possible 3rd:
>
> 1. URIs
> 2. XRIs
> 3. Possibly email addresses in the future.
>
> DNS admins/domain name owners ultimately control URIs and email
> addresses, which puts them at risk of domains being canceled or evil DNS
> admins.
>
> XRIs are not supposed to be so-controlled. If big OPs like Yahoo would
> host XRIs instead of URIs, and if those XRIs were guaranteed to be
> resolvable and completely under my own control even after I leave Yahoo
> or Yahoo goes out of business, then we have a solution I would find
> acceptable.
>
> Currently, if I were to recommend my Mom get an openid, I would not
> trust her to find herself an OpenID Provider that would likely be around
> in 5 years... let alone 30. Every business on the Internet may be gone
> in 30 years. Let's assume you can't guess a Provider that will last
> that long. That's fine for you and me, because we own our own domain names
> and use XRDS files and such so that our identity is "portable" on the
> Internet. But that's way too complicated for 99% of the users out
> there. A service might crop up that offers this OP indirection service
> in an easy-to-use interface, but that itself is a risk of something that
> might go out of business and then what does Mom do!
>
> XRIs are the only hope OpenID has of being reliable, in my opinion,
> because of the risk to the average user of the Provider being pulled out
> from under them.
>
> Short of solving these problems, I can't help but think that
> Cardspace/X.509 or similarly user-hosted identities will eventually be
> the only solution. The problem with these alternatives today is that
> they are harder for RPs to support, and the client certificates
> themselves aren't portable for Mom, in that if she uses someone else's
> computer she can't log in with her certificates. But thumb drives have
> become nearly ubiquitous. Once they come with smart chips that manage
> certificates in a secure manner even when plugged into untrusted
> computers, and the UX for them improves, then nothing technologically
> stands in their way of replacing OpenID since there is no risk of a
> Provider going out of business and taking Mom's identity down with it.