[OpenID] [LIKELY_SPAM] On the portability of identifiers

Peter Williams pwilliams at rapattoni.com
Thu Oct 30 21:33:32 UTC 2008


I see the lack of XRI service at Yahoo as an opportunity.

Any RP that accepts/uses a Yahoo OpenID may now add to its XRI server (under its "walled garden" namespace, which XRI query syntax handles just fine) an entry mapping the XRI to the Yahoo OpenID.


Freeid*lockbox maps to homepw.myopenid.com (a freeid access point). As I recall, Plaxo could resolve it fine, though there is no authoritative relationship between Yahoo and freeid.

If freeid offers trusted XRI, they might sign ONLY when they have previously used the VeriSign/NetSol DNSSEC signatures for the domain component of the URL.

Thus the XRI becomes the/a trust model.

Obviously HTTPS/certs can replace XRI signatures, too.

________________________________
From: Andrew Arnott <andrewarnott at gmail.com>
Sent: Thursday, October 30, 2008 5:11 PM
To: OpenID List <general at openid.net>
Subject: [LIKELY_SPAM][OpenID] On the portability of identifiers

Let me preface this email with the sincere hope I have that OpenID can succeed. But it has a problem, as I see it, that I'm interested in hearing people's take on.

First, let's review that there are two actual identifier types, with a possible third:

 1.  URIs
 2.  XRIs
 3.  Possibly email addresses in the future.

DNS admins/domain name owners ultimately control URIs and email addresses, which puts them at risk of domains being canceled or evil DNS admins.

XRIs are not supposed to be so-controlled.  If big OPs like Yahoo would host XRIs instead of URIs, and if those XRIs were guaranteed to be resolvable and completely under my own control even after I leave Yahoo or Yahoo goes out of business, then we have a solution I would find acceptable.

Currently, if I were to recommend my Mom get an OpenID, I would not trust her to find herself an OpenID Provider that would likely be around in 5 years... let alone 30. Every business on the Internet may be gone in 30 years. Let's assume you can't guess a Provider that will last that long. That's fine for you and me, because we own our own domain names and use XRDS files and such so that our identity is "portable" on the Internet. But that's way too complicated for 99% of the users out there. A service might crop up that offers this OP indirection service in an easy-to-use interface, but that itself is a risk of something that might go out of business, and then what does Mom do?

XRIs are the only hope OpenID has of being reliable, in my opinion, because of the risk to the average user of the Provider being pulled out from under them.

Short of solving these problems, I can't help but think that CardSpace/X.509 or similarly user-hosted identities will eventually be the only solution. The problem with these alternatives today is that they are harder for RPs to support, and the client certificates themselves aren't portable for Mom, in that if she uses someone else's computer she can't log in with her certificates. But thumb drives have become nearly ubiquitous. Once they come with smart chips that manage certificates in a secure manner even when plugged into untrusted computers, and the UX for them improves, then nothing technologically stands in their way of replacing OpenID, since there is no risk of a Provider going out of business and taking Mom's identity down with it.
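As an added example, not part of either message in this thread, here is what the "own domain plus XRDS file" portability Andrew mentions looks like in OpenID 2.0, together with the discovery check an RP has to make before it accepts a positive assertion (OpenID Authentication 2.0, section 11.2). The host names, endpoints and sample assertions are constructed for illustration; the XRDS structure and the verification rule follow the spec.

```python
"""Added example: OpenID 2.0 delegation via an XRDS document served from a
domain the user controls, and the RP-side check that the OP named in an
assertion is the one discovery actually produced.  All hosts, endpoints and
assertions below are constructed samples, not real services."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: the Yadis document https://example.org/mom/ serves.
# The claimed identifier stays https://example.org/mom/; only the OP endpoint
# and LocalID change when Mom moves providers.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.myopenid.com/server</URI>
      <LocalID>https://homepw.myopenid.com/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample: the same identifier after switching to another OP
# (hypothetical endpoint names).
MOVED_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/openid</URI>
      <LocalID>https://mom.op.example.net/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed sample positive assertion, as the RP would receive it from the
# OP named in SAMPLE_XRDS (signature, nonce and return_to omitted here).
SAMPLE_ASSERTION = {
    "openid.claimed_id": "https://example.org/mom/",
    "openid.identity": "https://homepw.myopenid.com/",
    "openid.op_endpoint": "https://www.myopenid.com/server",
}


def discover_signon(xrds_text):
    """Return [(priority, op_endpoint, local_id)] for every OpenID 2.0 signon
    service in an XRDS document, lowest priority value first.  A production
    RP should parse untrusted XML with defusedxml rather than plain ET."""
    data = xrds_text.encode("utf-8") if isinstance(xrds_text, str) else xrds_text
    root = ET.fromstring(data)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID2_SIGNON not in types:
            continue
        uri = svc.findtext(f"{{{XRD_NS}}}URI")
        if not uri:
            continue
        local_id = svc.findtext(f"{{{XRD_NS}}}LocalID")
        prio_attr = svc.get("priority")
        prio = int(prio_attr) if prio_attr is not None and prio_attr.isdigit() else float("inf")
        services.append((prio, uri.strip(), local_id.strip() if local_id else None))
    services.sort(key=lambda s: s[0])
    return services


def verify_assertion(claimed_id, assertion, services):
    """OpenID 2.0 section 11.2: the op_endpoint and openid.identity in a
    positive assertion must match what discovery on claimed_id produced.
    Without <LocalID>, the OP-local identifier is the claimed_id itself."""
    if assertion.get("openid.claimed_id") != claimed_id:
        return False
    for _prio, endpoint, local_id in services:
        if endpoint != assertion.get("openid.op_endpoint"):
            continue
        if assertion.get("openid.identity") == (local_id or claimed_id):
            return True
    return False


if __name__ == "__main__":
    before = discover_signon(SAMPLE_XRDS)
    after = discover_signon(MOVED_XRDS)
    print("old OP accepts:", verify_assertion("https://example.org/mom/", SAMPLE_ASSERTION, before))
    print("old assertion after move:", verify_assertion("https://example.org/mom/", SAMPLE_ASSERTION, after))
```

Note what the check binds: the RP trusts whatever XRDS the claimed identifier's host serves at the moment of discovery. That is exactly the weakness raised in the thread. If example.org lapses or its DNS is taken over, the new controller can publish an XRDS delegating to an OP they run, and the check above passes for them. A real RP additionally verifies the assertion signature, return_to and nonce, which this snippet leaves out.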


