URL relationship permanence
mart at degeneration.co.uk
Fri Jul 1 14:29:27 PDT 2005
Ernst Johannes wrote:
> a) Some people would argue that site B has no business attempting to
> correlate information it has with site A about a particular user.
> (Kim's 4th law of identity see
> http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.html)
> And thus, they would argue, the
> inability of site B to tell just by looking at the identifier (the
> user's LID URL) is just fine.

What you've done here is just ignored a major use case for (I assume)
both of our systems because it doesn't fit with your argument.

One of the problems OpenID addresses is that when a user comments on
multiple sites with the same name, there is no way to be sure that the
"Jim" on slashdot is the same "Jim" that posts on Bob's weblog. We
currently have social mechanisms to resolve this to a certain extent,
but there is no assistance from software. OpenID provides some degree of
assurance that the user frank.livejournal.com who is posting on Slashdot
(assuming Slashdot supports OpenID for a moment) is the same
frank.livejournal.com who is posting on my weblog. Not a completely
infallible assertion, certainly, but better than what we had before when
combined with a bit of human intelligence. (How much do I trust these
OpenID consumers? How far apart are the timestamps on these comments?
Were the two comments posted from a similar IP address? Does anyone who
might want to impersonate Frank have access to his computer? etc, etc.)

While I guess it's true that Site B (the software) shouldn't be making
these kinds of assumptions, the human users of both sites should be able
to make these assumptions with a suitable degree of skepticism.

> Right, this is also a reason why I asked earlier about how closely
> OpenID reflects the business circumstances of LiveJournal and its new
> parent company. LID's assumption here is that it is best if the owner
> of the identity ("you") gets their own domain name (a .name tld might
> be perfect, and cheap ...), ties their LID URL to their own domain, and
> moves hosting providers with their domain as they like, if for some
> reason, they don't like their hosting provider any more.

This is recommended for OpenID too, for "geeky" users. Most users,
unable or unwilling to do this themselves, can have someone else do it
for them, with the proviso that the provider then has a measure of
control over the future of that identity. This is true with many
services. I hesitate to bring up LiveJournal as an example again since
you always interpret that as OpenID being designed with LiveJournal in
mind, but there's no technical reason why LiveJournal.com could not
cause trouble by posting in the name of an existing user on the site.
However, users must trust that LiveJournal.com won't do this.

The difference here with OpenID is that once you've got a domain name
and a website it's trivial to add the extra little bit of sugar to turn
your domain name into your identity URL. The barrier of entry to the
best practice is lower (in my opinion) than that for LID.