Trust/threat model for OpenID

Dan Lyke danlyke at
Tue Aug 1 23:25:21 UTC 2006

On Tue, 01 Aug 2006 13:40:37 -0700, Dan Lyke wrote:
> As a potential user I'm much more interested in building a  
> consistent identity between sites than in building a bunch of little  
> Balkanized identities. That's one of the reasons that  
> YADIS/LID/OpenID excite me so much, they're the opportunity for me  
> to have a finite number of online identities.

Oh, I should also add...

I'm currently co-volunteer coordinator for an organized bike ride (The  
Marin Century/Mt Tam Double). This coming weekend we're expecting  
somewhere on the order of 2,200 people to descend on us, and we have  
to make sure that those people have a safe route (six of them,  
actually, from 31 to 200 miles), a large variety of foods, adequate  
water, emergency and support services, a cheerleading section, and,  
for about 250 of them, we need to verify to the California Triple  
Crown organization at what time various individuals passed through  
each of several different checkpoints. This is not an easy task. Even  
the subset which is making sure that each of the stations to serve  
these folks has enough warm bodies isn't an easy task.

The levels to which we're going? Next year we're looking at RFID tags  
in bibs and gates at rest stops to track individual riders (ie: when  
can we close a rest stop? is it likely that someone's off course or  
having problems? even when is the next big group going to hit this  
rest stop so we can cut up fruit and have it fairly fresh?). This  
year, several of our sag vehicles will have transponders that'll  
transmit their position back to a big projected map at headquarters,  
in an area with no cell phone coverage.

To coordinate the hordes of people necessary to put this on I have to  
convince well off residents of one of the richest regions in the  
country that they'd really enjoy spending a day in the hot sun doing  
the sort of counter-service work that their high school kids normally  
get paid $10/hr to do; thus I need to show each person that I contact  
that I care about *them*, that I want them to be a part of our team,  
because this isn't about serving food and doing menial labor, this is  
about building community, meeting cool people, and having *fun* (damn  
it!). I'm looking at our membership roster, I'm going through our  
volunteer list from last year, and I'm tapping three different other  
organizations, each of which has overlapping membership with ours, and  
there are a few others that are taking care of their own organization  
but that have overlapping membership. This is making me *very*  
conscious of issues in identity.

Are James and Jim with a common last name the same person? Bob Smith  
is signed up as a "family" member, is Nancy Smith his wife? George  
Smith their son? Do we contact them three times, or one? The phone  
number we have for the two entries is different, is one a cell phone  
and one a home phone? George and Martha have the same email address,  
is that a transcription error, or do they live together and share an  
email address? If I send them mail, to whom do I address it? In at  
least one place that's an outdated entry and those people have gotten  
divorced, so mis-addressing them is going to at the very least lose me  
a volunteer.

Dealing with these very real world identity issues has consequences.  
People hate to get emailed or called multiple times, especially when  
they've already volunteered or said "no, I'm out of town". Nothing  
here is life or death, but I'm trying to write Perl scripts to make  
sense of four or five different lists and treat each person as  
politely as they, who are putting in tremendous efforts for our  
various organizations, deserve.

And when I get it wrong people notice, and comment.

Yes, there are potential privacy issues with having a single  
identifier for each of these people, and as a libertarian nerd I'm  
conscious of many of them, but between me and the people I'm  
contacting I think most of them would be absolutely overjoyed at the  
advantages that a single identifier confers.

Email is kind of that identifier for this task, although it isn't  
universal, but even that has shifted some in the year that we have a  
member as active. Phone numbers really have.

Next year what I want to do is build a web page where people can go to  
sign up to help out, and we're going to need to correlate those  
sign-ups with the various spreadsheets and databases and printouts  
that we have now, and we're going to be adding a few other helper  

Most of those people aren't technically savvy enough to understand why  
they would or wouldn't want a single ID, but they sure'll tell me when  
the lack of that ID causes me to call 'em extra times, or email them  
too much, or whatever.

Today I've been re-assigning people, trying to keep track of who's  
working where, shuffling folks around, and this is a real world  
problem that I need to solve, 'cause when someone's put "B Smith" on a  
note on a spreadsheet, I have to know if that's "Bob" or "Barbara". If  
I can get enough penetration with YADIS and OpenID or LID or whatever  
*right now*, a whole bunch of people will be happier.

And *none* of them care that the Leukemia and Lymphoma Society knows  
that they're the same person who signed up with the Marin Cyclists,  
but most of them would be quite happy if they didn't end up with  
double the mailing list load because of their membership in both  
groups, or that contacts from both groups could be more focused and  
more personalized because of that sharing of knowledge.

Which is why I'm so intent on solving the problem ahead of me, and  
letting the other ones work themselves out when they become an issue.

