<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1959749582;
mso-list-template-ids:161127404;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What I’d say to (1) is that while a URL may be under the
control of DNS, a URI isn’t.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If we consider the parallel to namespaces, and in particular how
Xml Schema uses them, all a URI does (in theory) is guarantee global uniqueness
and a hint on what to do to discover the schema.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In fact the resolution of the actual schema is implementation
dependent. If OpenID were to use a similar concept so that an OpenID does
nothing other than guarantee uniqueness but how that is resolved and ultimately
mapped to a *<b>real</b>* OpenID (i.e. where you log in) than there may be less
of an issue and you could have a portable, somewhat abstract, OpenID –
your own unique identity.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>A bit more thought to achieve that but nothing more than the
discussions that have occurred thus far.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Andrew
Arnott<br>
<b>Sent:</b> 30 October 2008 20:51<br>
<b>To:</b> OpenID List<br>
<b>Subject:</b> [OpenID] On the portability of identifiers<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>Let me prelude this email with the sincere hope I have that
OpenID can succeed. But it has a problem, as I see it, that I'm
interested in hearing people's take on.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<p class=MsoNormal>First, let's review that there are 2 actual Identifier
types, with a possible 3rd:<o:p></o:p></p>
<div>
<ol start=1 type=1>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>URIs<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>XRIs<o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>Possibly email addresses in the future.<o:p></o:p></li>
</ol>
<div>
<p class=MsoNormal>DNS admins/domain name owners ultimately control URIs and
email addresses, which puts them at risk of domains being canceled or evil DNS
admins.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>XRIs are not supposed to be so-controlled. If big OPs
like Yahoo would host XRIs instead of URIs, <span class=apple-style-span><i>and
if</i></span> those XRIs were guaranteed to be resolvable and completely
under my own control even after I leave Yahoo or Yahoo goes out of business, <span
class=apple-style-span><i>then</i></span> we have a solution I would find
acceptable.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Currently, if I were to recommend my Mom get an openid, I
would not trust her to find herself an OpenID Provider that would likely be
around in 5 years... let alone 30. Every business on the Internet <span
class=apple-style-span><i>may</i></span> be gone in 30 years. Let's
assume you can't guess a Provider that will last that long. That's fine
for you and me, because own our own domain names and use XRDS files and such so
that our identity is "portable" on the Internet. But that's way
too complicated for 99% of the users out there. A service might crop up
that offers this OP indirection service in an easy-to-use interface, but that
itself is a risk of something that might go out of business and then what does
Mom do!<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>XRIs are the only hope OpenID has of being <span
class=apple-style-span><i>reliable, </i></span>in my opinion, because of the
risk to the average user of the Provider being pulled out from under them.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Short of solving these problems, I can't help but think that
Cardspace/X.509 or similarly user-hosted identities will eventually be the only
solution. The problem with these alternatives today is that they are
harder for RPs to support, and the client certificates themselves aren't
portable for Mom, in that if she uses someone else's computer she can't log in
with her certificates. But thumb drives have become nearly ubiquitous.
Once they come with smart chips that manage certificates in a secure
manner even when plugged into untrusted computers, and the UX for them improve,
then nothing technologically stands in their way of replacing OpenID since
there is no risk of a Provider going out of business and taking Mom's identity
down with it.<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>