[OpenID] On the portability of identifiers

Steven Livingstone-Perez weblivz at hotmail.com
Thu Oct 30 21:28:54 UTC 2008


What I'd say to (1) is that while a URL may be under the control of DNS, a
URI isn't.
If we consider the parallel to namespaces, and in particular how Xml Schema
uses them, all a URI does (in theory) is guarantee global uniqueness and a
hint on what to do to discover the schema.
In fact the resolution of the actual schema is implementation dependent. If
OpenID were to use a similar concept so that an OpenID does nothing other
than guarantee uniqueness but how that is resolved and ultimately mapped to
a *real* OpenID (i.e. where you log in) then there may be less of an issue
and you could have a portable, somewhat abstract, OpenID - your own unique
identity.
A bit more thought to achieve that but nothing more than the discussions
that have occurred thus far.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Andrew Arnott
Sent: 30 October 2008 20:51
To: OpenID List
Subject: [OpenID] On the portability of identifiers
Let me prelude this email with the sincere hope I have that OpenID can
succeed.  But it has a problem, as I see it, that I'm interested in hearing
people's take on.
First, let's review that there are 2 actual Identifier types, with a
possible 3rd:

1.	URIs
2.	XRIs
3.	Possibly email addresses in the future.

DNS admins/domain name owners ultimately control URIs and email addresses,
which puts them at risk of domains being canceled or evil DNS admins.
XRIs are not supposed to be so-controlled.  If big OPs like Yahoo would host
XRIs instead of URIs, and if those XRIs were guaranteed to be resolvable and
completely under my own control even after I leave Yahoo or Yahoo goes out
of business, then we have a solution I would find acceptable.
Currently, if I were to recommend my Mom get an openid, I would not trust
her to find herself an OpenID Provider that would likely be around in 5
years... let alone 30.  Every business on the Internet may be gone in 30
years.  Let's assume you can't guess a Provider that will last that long.
That's fine for you and me, because we own our own domain names and use XRDS
files and such so that our identity is "portable" on the Internet.  But
that's way too complicated for 99% of the users out there.  A service might
crop up that offers this OP indirection service in an easy-to-use interface,
but that itself is a risk of something that might go out of business and
then what does Mom do!
XRIs are the only hope OpenID has of being reliable, in my opinion, because
of the risk to the average user of the Provider being pulled out from under
them.
Short of solving these problems, I can't help but think that Cardspace/X.509
or similarly user-hosted identities will eventually be the only solution.
The problem with these alternatives today is that they are harder for RPs to
support, and the client certificates themselves aren't portable for Mom, in
that if she uses someone else's computer she can't log in with her
certificates.  But thumb drives have become nearly ubiquitous.  Once they
come with smart chips that manage certificates in a secure manner even when
plugged into untrusted computers, and the UX for them improves, then nothing
technologically stands in their way of replacing OpenID since there is no
risk of a Provider going out of business and taking Mom's identity down with
it.
