URL relationship permanence

Martin Atkins mart at degeneration.co.uk
Fri Jul 1 02:23:16 PDT 2005


Ernst Johannes wrote:
> Let me disagree with both of you guys .... you'd be right if gpg wasn't 
> in the picture, but it is. So I think LID addresses this case, as 
> Xageroth initially claimed.
> 
> The LID identity is backed up by a public gpg key, which is "your" 
> public key. Presumably, when you lose your domain/URL, you don't also 
> hand over your private key. (if you do, you are in bigger trouble than 
> we are dealing with here anyway ...).
> 
> So if a relying party receives a LID-approved request (such as a 
> single-sign-on request, or an authenticated message, or an 
> authenticated query, or whatever LID profile ...), the relying party 
> will authenticate that request against the public key exported by the 
> corresponding LID. If that public key is different than it was last 
> time, it indicates "we can make no assertion whether the 'old' and the 
> 'new' LID have anything to do with each other" (although they look 
> identical) exactly because of the scenario you are describing.
> 
> Makes sense?
> 

That mechanism notwithstanding, there still exists a problem of Bob 
signing into site A, then Bob losing his domain and Tim grabbing it and 
posing as Bob on site B. As long as Tim never tries to log in to site A 
no-one can prove that he is not the same person. Site B never had a 
record of Bob's public key in the first place.

Identifiers being transferred to other people is a general problem 
regardless of what you use for identifiers. LiveJournal has this problem 
within its own namespace: LiveJournal users can become 
previously-deleted accounts, and suddenly all of the old links go to a 
new journal. Little can be done about it because the username is the 
only means of identification for that person.

Unless you have some mechanism to transfer ownership in a 
machine-readable way or somehow ensure that an identifier can't be 
reused (unlikely) you're going to have to deal with this ambiguity 
eventually regardless of how much fancy crypto stuff you've got going on.

It's the user's responsibility to choose an identity provider (which 
might be himself) which he believes will be under his control forever. 
LiveJournal users are trusting LiveJournal with this role, and in the 
present situation unless they explicitly delete an account users are in 
control of their identities. Of course, they must trust LiveJournal not 
to take their identities out from underneath them either by suspending 
their account or just going out of business altogether.
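
The key-continuity check discussed in this exchange, sketched as an added example that is not part of the original message or of LID itself. The class and function names, the URL and the key bytes are constructed for illustration, and signature verification against the exported key is assumed to have already succeeded.

```python
import hashlib
from enum import Enum


class Continuity(Enum):
    FIRST_SEEN = "first_seen"    # no earlier key on record, nothing to compare
    SAME_KEY = "same_key"        # key matches the one recorded earlier
    KEY_CHANGED = "key_changed"  # same URL, different key: relationship unknown


def fingerprint(public_key: bytes) -> str:
    """Stable identifier for a public key (SHA-256 of the exported bytes)."""
    return hashlib.sha256(public_key).hexdigest()


class RelyingParty:
    """Hypothetical relying party that remembers the first key seen per URL."""

    def __init__(self, name: str):
        self.name = name
        self._pins = {}  # identity URL -> fingerprint recorded on first contact

    def check(self, identity_url: str, public_key: bytes) -> Continuity:
        fp = fingerprint(public_key)
        pinned = self._pins.get(identity_url)
        if pinned is None:
            # First contact: the key can only be trusted as-is and recorded.
            self._pins[identity_url] = fp
            return Continuity.FIRST_SEEN
        if pinned == fp:
            return Continuity.SAME_KEY
        # Keep the old pin so the change stays visible until someone resolves it.
        return Continuity.KEY_CHANGED


def scenario():
    url = "http://bob.example/"                 # constructed identity URL
    bob_key = b"constructed-public-key-of-bob"  # constructed key material
    tim_key = b"constructed-public-key-of-tim"
    site_a, site_b = RelyingParty("A"), RelyingParty("B")
    return [
        site_a.check(url, bob_key),  # Bob signs in to site A
        site_a.check(url, bob_key),  # Bob returns to site A
        site_b.check(url, tim_key),  # new holder of the URL visits site B
        site_a.check(url, tim_key),  # only site A can see that the key changed
    ]


if __name__ == "__main__":
    for step in scenario():
        print(step.value)
```

Site B reports `first_seen` for the new key holder because it has no earlier record to compare against; only site A, which recorded the original key, returns `key_changed`.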


