Both Fred and the MicroID blog have the news:

MyBlogLog has just started publishing MicroIDs (and FOAF) for member pages at http://www.mybloglog.com/buzz/members/username.

And…

WeeWar has also started publishing MicroIDs and some XFN. You can see Alexander Kohlhofer’s profile at http://weewar.com/user/alex.

MyOpenID

First, I see that MyOpenID has implemented MicroID. Excellent implementation. They allow you a lot of control over how your information should be shared – and with your confirmed email addresses, they publish MicroID for others to be able to better confirm it’s really you.

Plaxo

Second – Plaxo has rolled out their canonical myplaxo.com URLs for each user. Before, the myplaxo.com space autoforwarded to an ‘add me’ page for each user. This was less than perfect for MicroID since MicroID calculates hashes based on the displayed URL in the browser.

With a tweak to the apache configuration at Plaxo, the URLs are stable and Joseph got it working to spec and now things are humming.

Plaxo publishes a MicroID for each of the verified email addresses in your account.

Good stuff.

Digg

In another strong showing for the spec – this morning, Digg rolled out MicroID on their user pages as well. You can see them on any user page at http://digg.com/users/username. Additionally, Digg has taken the interesting new approach to publishing MicroIDs in their responses to API calls as well. A request for developer Steve Williams’ profile via the API produces:

<?xml version="1.0" encoding="utf-8" ?>
<users timestamp="1201200757" total="1" offset="0" count="1">
 <user name="sbwms" icon="http://digg.com/users/sbwms/l.png" registered="1135702996" profileviews="14706" fullname="Steve Williams" microid="mailto+http:sha1:e945976887f47a4ae2bc20dace1a3e4a3808143c">
  <link href="http://www.baychi.org/" description="BayCHI" date="1190263703" />
  <link href="http://www.nuqu.org/" description="Moffett Blog" date="1190263688" />
  <link href="http://www.sbw.org/" description="Home Page" date="1190263641" />
 </user>
</users>

Excellent work all around – this Data Portability thing is actually going to happen one day.

Rickard committed my tweak to the PunBB 1.3 codebase to be MicroID compatible with version .3 of the spec.

The changeset is here.

He has implemented node-level and comment-level MicroIDs that appear both in the meta tags of the page and are then rendered into the node divs and comment divs directly via jQuery.

The jQuery is fired via javascript after the DOM is loaded, so currently, DOM-unaware spiders/parsers will not be able to see the node and comment-level MicroIDs. That said, I’m not aware of any MicroID parsers that aren’t working only at the page level (full URL, not sub-content *on* the page).

Additionally, the Drupal-generated user profile pages have MicroIDs.

His implementation is live on his site – Digital Spaghetti.

His code can be found on the Drupal site – Drupal MicroID module.

Congratulations to Tane – and well done.

This draft expires Feb 8, 2008 after which it may continue down the road to RFC.

Peter’s announcement on the MicroID blog:

By popular demand, we have submitted the MicroID specification as an Internet-Draft. Eventually this effort may result in publication of an Informational RFC defining the technology. Please send feedback to the mailing list and we’ll update or clarify the spec accordingly.

OpenID is in the air, and providing services across domains will become very important very soon. I think we’re still about six months out from the Big Bang. August. I’m calling it.

Verification underlies Identity. Identity underlies claims about a person. Aggregated claims underlie the reputations we ascribe to people. With reputation, we can do really cool stuff. And it’s coming…

Cross-posted at claimID proper:

ClaimID allows real people to aggregate what is online about themselves. It allows them to bring links together, sort them, talk about them, and generally refocus their online identity on their own terms. We’ve had great success so far in getting that message out – and the feedback we’ve received has been positive. People really like the empowerment and are pleased when their claimID page begins to appear in the search results for their name.

But we also want to convey that these links are validated – verified in some way. So we introduced MicroID and OpenID to our system. Since that time, people have been pointing to their own websites, their own blogs, and their own OpenIDs hosted at other Identity Providers (AOL, Verisign, JanRain, Livejournal, etc.). And with all of those identities, it made sense for us to create a trusted place for you to aggregate them.

Verified Page

Today, we launched a special page for each person that brings these verified links into greater focus. The verified information about a person is presented all on one page, in one place – and you can be sure that these links are maintained by the person who owns the claimID account because of the math behind the scenes. MicroID and OpenID are based on strong hashing algorithms and cryptography and have been designed to validate and verify claims – just the sort of thing we’re doing at claimID.

Our pages are at:
- http://claimid.com/terrell/verified
- http://claimid.com/fred/verified

They’re very clean and very powerful.

Once you find someone’s claimID Verified Page, you can be pretty sure that who you’re reading about at claimID is the same person at all those other sites. This allows us to really begin to tap into the power of distributed identity and maybe even hint at some uses for basic reputation across disparate websites. Of course, if you don’t want to display your verified identity, you can easily turn this off in your account settings.

We’re not done with online reputation yet, but the single verified page at claimID is a very strong early step.

A great many things have happened since then. Higgins is now demoing live open source implementations of a variety of tools, including Bandit, around the newly announced OpenID 2.0 spec. We have full OpenID 1.1 libraries in all the major programming languages. OpenID 2.0 code should be rolling out within a couple weeks from a number of the vendors here. Dick Hardt of Sxip demoed the newly announced Sxipper Firefox plugin. There was a Safari InfoCard Selector demo complete with modal overlays. There were a surprising number of demos (Java, even) fully functioning with versions of Microsoft’s CardSpace (coming baked into every copy of Vista in a few short months). Avery Glasser of VxV Solutions demoed his company’s voiceprint technology fully integrated and interoperable with OpenID. JanRain demoed their new BotBouncer site designed to serve as a centralized CAPTCHA repository so users can know a particular OpenID has passed a humanness test.

I also ran a session this morning on MicroID and how it works as a lightweight verification method for claiming a webpage (and eventually a part of a webpage). I received a variety of questions about SHA1 and it’s being broken back in February of 2005 as well as the MicroID not being a true HMAC. The answers, as best I could describe them, hinge on the fact that these are not true secrets being hashed and passed around for MicroID. We’re only using hashing in the first place to try and obfuscate the email address of the user – not protect any nuclear secrets.

Additionally, Dick Hardt posed a question that forced me to step back and reconsider a couple things about MicroID.

He asked, if you’ve got an OpenID, couldn’t you just use it as the communication identifier itself and skip the hashing step (which exists to obfuscate the email for publication purposes)?

Of course, he’s right about this. If a site has decided they want to play along with all of this fancy identity stuff and expose something which allows others on the internet to verify claims that their users are the same person at a different service, why would they pick to expose MicroID if they could just implement OpenID and expose it instead?

The answer, I think, is mostly that it’s easier to do MicroID today (it’s just a hash). But in the long run, once OpenID is in a lot more places and a lot more visible to everyone online, it will probably be just as easy to simply include a user’s verified OpenID in the head of their page – no hashing – no obfuscation necessary.

Something like this:

<meta name=”openid” value=”http://claimid.com/terrell”>

Then, other sites can simply check to see that they, too, have independently verified that particular OpenID and ‘connect’ the accounts.

Just like MicroID does today.

In fact, I’m proposing here that MicroID be tweaked to include the opportunity to do just this. Declare as part of the spec the publishing standard for publishing OpenIDs as well as MicroIDs for public consumption.

Perhaps claiming a blog comment would be easy if it looked something like this:

<div class=”openid-http://claimid.com/terrell”>

It seems simple enough and allows these simple claims to be made as the technology matures beyond simple email addresses as communication identifier.

MicroID specifies for the first part of its hashing formula to be any communication identifier, but if it’s an OpenID specifically, or i-name, it doesn’t need to be obfuscated and hidden from view.

Thoughts? What am I missing? Are there use cases where someone/someservice would still want to obfuscate the OpenID? Should it ever not be public?

2006/10/24 00:50:39 EDTAs a little side project I got interested in adding a MicroID extension for MediaWiki. MicroID is a teensy little format for asserting that the owner of a particular Web user account is also the owner of another account (like an email account or an OpenID). Adding support to MediaWiki means that Wikitravel users can verify their accounts with claimID or other similar services. Fun stuff, relatively easy, and useful for everyone — the best kind of hacks.

Behold: http://www.mediawiki.org/wiki/MicroID_extension

I have confirmed that user pages at del.icio.us are now publishing MicroIDs in their headers and can be claimed accordingly. Another stick on the pile.

Slowly we’re making progress…

Update: The MicroID blog catches on as well.

The release description:

This mod will display a MicroID ( http://microid.org ) on a user’s profile in the head tag. This mod allows a user’s profile to be ‘claimed’ by a third party that has independently verified the user’s email address and is also calculating MicroIDs. When the MicroIDs match, the third party can be assured this is the same ‘person’. Help your users share their identities across sites with MicroID: http://microid.org

My other mods are:

• Email Digest
• Expertise

Update: A half-a-day later – 1.0.1 and news of a changeset for all of PunBB. MicroIDs will be a part of PunBB 1.3 proper. Thanks Rickard!

Well, the month has passed, and it’s live. You will now find a MicroID (computed from the page’s URL and your registered email address) in the head area of your user profile page at Last.fm.

And the verification works flawlessly with claimID. Go try it in your own account.

Thanks to Russ at Last.fm for pushing this through.

p.s. Last.fm does not force you to register an email address, so this will not work until you’ve added one to your account.

p.p.s You’ll have to make sure you have the trailing slash on the URL or the MicroIDs will not match.

Today, a victory in the making – Russ on the forum writes:

I’ve added this to our development branch – it’ll be live in a month.

Russ

This is a big one – let’s keep knocking on doors and see who answers.

But the unintended consequences of all that data being compiled, stored and cross-linked are what Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a privacy rights group in Washington, called “a ticking privacy time bomb.” [NYTimes]

Every search is being remembered and potentially could be aggregated later with unknown consequences. Every email we send works via a store-and-forward technology (your email is a postcard much more than a sealed postal service letter). Every hop along the way (average of 10-15?), the email servers could save your email for later. Subpeanas anyone? To protect the children?

“All of this is dangerous enough. But recent actions of the United States Attorney General and the Director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security. In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISP’s retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.” [Mark Rasch]

It’s not fearmongering, it’s a healthy dose of reality and risk analysis.

So first of all, we’re not anonymous. Second of all, this non-anonymity can be assumed by someone else if the procedures and protections we put into place are poorly thought out.

So I find it interesting today this juxtaposition of an Iraqi child holding a piece of cardboard claiming he’s Rupert Murdoch, owner of MySpace, performing the ‘MySpace salute’. Probably, being the actual Rupert, there is little chance Rupert’s real identity will be compromised by this wonderful image. Those of us who are not Rupert, in name or in financial stature, have a significantly greater risk associated with issues concerning our online identity and attempts to hijack it by others.

We need to become more aware, vigilant, informed, and proactive about our online identities. Our public face is a growing part of our reputation and is beginning to play a significant role in our day to day lives. There are early adopters who have seen this effect for a few years now, but the mainstream media is now catching on and the average citizen will begin to interact with these issues very directly. We all swipe the grocery store member cards to save 10%. Do we know what can be done with data mining and aggregation over time?

ClaimID is using MicroID to allow individual users to claim the pages online about them. This uses cryptographically robust mathematics to confirm that the pages on both ends of the claim are legitimate. It’s proactive, it’s reproducable, and it’s open. It’s not a piece of cardboard. Rupert cannot claim that my weblog is his. Neither can that Iraqi child.

We need more awareness so our policies are better. I’m afraid, however, that it requires us to endure a listing of a few million customers like Thelma before the rest of us wake up.

It’s really easy to do – microid.org

MicroID =
sha1_hex( sha1_hex(“mailto:user@email.com”) + sha1_hex(“http://example.com/username”) )

which generates something like this:

< meta name="microid" content="33bef99225cc32fe3c8c14e05c33e26266370778" />

With MicroIDs generated and positioned in the of these services – third parties can verify that the same person (with the same independently verified email address) is the ‘owner’ of that account. This is big. This is powerful.

Please leave a comment with any activity / updates…

del.icio.us – done!

flickr.com – forum thread

ma.gnolia.com – done!

linkedin.com

last.fm – forum thread – done!

43places.com

43things.com

youtube.com

myspace.com

digg.com

wikipedia.org – MediaWiki extension

blogger.com

livejournal.com

technorati.com

wikitravel.org – done!

plaxo.com – done!

Updates:

Aug15 – added last.fm forum thread

Sept22 – last.fm completed

Oct 20 – del.icio.us noted

Oct 24 – wikitravel.org added – and mediawiki extension linked

Jan, 08 – plaxo.com added (via myplaxo.com)