URL relationship permanence
Martin Atkins
mart at degeneration.co.uk
Fri Jul 1 02:23:16 PDT 2005
Ernst Johannes wrote:
> Let me disagree with both of you guys .... you'd be right if gpg wasn't
> in the picture, but it is. So I think LID addresses this case, as
> Xageroth initially claimed.
>
> The LID identity is backed up by a public gpg key, which is "your"
> public key. Presumably, when you lose your domain/URL, you don't also
> hand over your private key. (if you do, you are in bigger trouble than
> we are dealing with here anyway ...).
>
> So if a relying party receives a LID-approved request (such as a
> single-sign-on request, or an authenticated message, or an
> authenticated query, or whatever LID profile ...), the relying party
> will authenticate that request against the public key exported by the
> corresponding LID. If that public key is different than it was last
> time, it indicates "we can make no assertion whether the 'old' and the
> 'new' LID have anything to do with each other" (although they look
> identical) exactly because of the scenario you are describing.
>
> Makes sense?
>
That mechanism notwithstanding, there still exists a problem of Bob
signing into site A, then Bob losing his domain and Tim grabbing it and
posing as Bob on site B. As long as Tim never tries to log in to site A
no-one can prove that he is not the same person. Site B never had a
record of Bob's public key in the first place.

Identifiers being transferred to other people is a general problem
regardless of what you use for identifiers. LiveJournal has this problem
within its own namespace: LiveJournal users can become
previously-deleted accounts, and suddenly all of the old links go to a
new journal. Little can be done about it because the username is the
only means of identification for that person.

Unless you have some mechanism to transfer ownership in a
machine-readable way or somehow ensure that an identifier can't be
reused (unlikely) you're going to have to deal with this ambiguity
eventually regardless of how much fancy crypto stuff you've got going on.

It's the user's responsibility to choose an identity provider (which
might be himself) which he believes will be under his control forever.
LiveJournal users are trusting LiveJournal with this role, and in the
present situation unless they explicitly delete an account users are in
control of their identities. Of course, they must trust LiveJournal not
to take their identities out from underneath them either by suspending
their account or just going out of business altogether.
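
The key-continuity check discussed in this message, as an added example that is not part of the original thread or of any LID implementation: each relying party remembers the key a LID URL last presented, so only a site that saw the earlier key can notice the change. `RelyingParty`, `Continuity`, `fingerprint` and the sample URL and keys are hypothetical; SHA-256 stands in for a gpg fingerprint, and signature verification against the exported key is assumed to have already passed.

```python
import hashlib
from enum import Enum


class Continuity(Enum):
    FIRST_SEEN = "first_seen"    # no earlier key on record: nothing to compare
    SAME_KEY = "same_key"        # same key as last time
    KEY_CHANGED = "key_changed"  # URL matches, key differs: make no assertion


def fingerprint(public_key: bytes) -> str:
    # Stand-in for a gpg key fingerprint (assumption): SHA-256 of the key bytes.
    return hashlib.sha256(public_key).hexdigest()


class RelyingParty:
    """One site's private memory of which key each LID URL presented."""

    def __init__(self, name: str):
        self.name = name
        self._pins = {}  # LID URL -> fingerprint seen on first contact

    def check(self, lid_url: str, public_key: bytes) -> Continuity:
        # Assumes the request signature already verified against public_key,
        # the key currently exported at lid_url.
        seen = fingerprint(public_key)
        pinned = self._pins.get(lid_url)
        if pinned is None:
            self._pins[lid_url] = seen
            return Continuity.FIRST_SEEN
        if pinned == seen:
            return Continuity.SAME_KEY
        # Do not overwrite the pin: the old and new holder stay distinct.
        return Continuity.KEY_CHANGED


def scenario() -> dict:
    # Constructed sample values, not real keys or a real LID.
    url = "https://bob.example/"
    bob_key, tim_key = b"constructed-key-bob", b"constructed-key-tim"
    site_a, site_b = RelyingParty("A"), RelyingParty("B")
    results = {"bob_at_a": site_a.check(url, bob_key)}
    results["bob_again_at_a"] = site_a.check(url, bob_key)
    # Bob loses the domain; Tim now exports his own key at the same URL.
    results["tim_at_b"] = site_b.check(url, tim_key)
    results["tim_at_a"] = site_a.check(url, tim_key)
    return results
```

Site B returns the same `FIRST_SEEN` result for Tim that site A returned for Bob's first visit, so site B has no basis for telling the two apart.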
More information about the yadis mailing list