URL relationship permanence

Martin Atkins mart at degeneration.co.uk
Fri Jul 1 14:29:27 PDT 2005 

Ernst Johannes wrote:
> a) Some people would argue that site B has no business attempting to  
> correlate information it has with site A about a particular user.  
> (Kim's 4th law of identity see http://www.identityblog.com/stories/ 
> 2005/05/13/TheLawsOfIdentity.html) And thus, they would argue, the  
> inability of site B to tell just by looking at the identifier (the  
> user's LID URL) is just fine.

What you've done here is just ignored a major use case for (I assume) 
both of our systems because it doesn't fit with your argument.

One of the problems OpenID addresses is that when a user comments on 
multiple sites with the same name, there is no way to be sure that the 
"Jim" on slashdot is the same "Jim" that posts on Bob's weblog. We 
currently have social mechanisms to resolve this to a certain extent, 
but there is no assistance from software. OpenID provides some degree of 
assurance that the user frank.livejournal.com who is posting on Slashdot 
(assuming Slashdot supports OpenID for a moment) is the same 
frank.livejournal.com who is posting on my weblog. Not a completely 
infallible assersion, certainly, but better than what we had before when 
combined with a bit of human intelligence. (How much do I trust these 
OpenID consumers? How far apart are the timestamps on these comments? 
Were the two comments posted from a similar IP address? Does anyone who 
might want to impersonate Frank have access to his computer? etc, etc.)

While I guess it's true that Site B (the software) shouldn't be making 
these kinds of assumptions, the human users of both sites should be able 
to make these assumptions with a suitable degree of skepticism.

> 
> Right, this is also a reason why I asked earlier about how closely  
> OpenID reflects the business cirucmstances of LiveJournal and its new  
> parent company. LID's assumption here is that it is best if the owner  
> of the identity ("you") gets their own domain name (a .name tld might  
> be perfect, and cheap ...), ties their LID URL to their own domain,  and 
> moves hosting providers with their domain as they like, if for  some 
> reason, they don't like their hosting provider any more.
> 

This is recommended for OpenID too, for "geeky" users. Most users, 
unable or unwilling to do this themselves, can have someone else do it 
for them, with the proviso that the provider then has a measure of 
control over the future of that identity. This is true with many 
services. I hesitate to bring up LiveJournal as an example again since 
you always interpret that is OpenID being designed with LiveJournal in 
mind, but there's no technical reason why LiveJournal.com could not 
cause trouble by posting in the name of an existing user on the site. 
However, users must trust that LiveJournal.com won't do this.

The difference here with OpenID is that once you've got a domain name 
and a website it's trivial to add the extra little bit of sugar to turn 
your domain name into your identity URL. The barrier of entry to the 
best practice is lower (in my opinion) than that for LID.

More information about the yadis mailing list