Comments on: Internet Identity Workshop 2006b and MicroID

By: James

James — Tue, 12 Dec 2006 20:01:37 +0000

Would love your thoughts on http://identityaccessmanagement.blogspot.com/2006/12/federated-authorization-and.html

By: Fred

Fred — Wed, 06 Dec 2006 13:23:42 +0000

Oh, and the purpose of the hash isn’t just obfuscation – it is to create a single reference that contains a join of the URI and the claimed URL. This is essential for decentralized claims because the hash contains both of the elements important to the claim. Once you start verifying multiple comm URI’s this just makes life a lot easier for verifiers (so instead of having to build a case if openid do this, if xri do this, it just finds a standard microid and compares). It is a slightly nominal rule but it makes sense.

Damn I wish I was at this session.

By: Fred

Fred — Wed, 06 Dec 2006 13:11:53 +0000

The situation you describe is just a microid claim w/o a hash. It is the exact same principle. The reason we hash is to build a identifier out of the claimed URL and the communication identifier. In the openID situation all a web service is doing is putting a “trusted” openID on the page, which is fine. If people want to claim via OpenID I don’t see a problem with it.

But the reason MicroID is nicer is 1) it is simpler because it doesn’t require openID integration (i.e. ibiblio.org/fred is a long way away from being openID enabled, but it is easy for me to put a hash in the head) 2) the MicroID namespace already handles things like OpenId (you can put any communication URI in the hash – email, OpenID, XRI…). So in that sense OpenID is already built into MicroID.

So I don’t think you’re missing anything, you’re just blessing one form of communication URI over another. Think about it – you could just publish verified email addressess too, they have the same power in terms of authentication as an authenticated OpenID does.