April 8th, 2008
We don’t need URL-centric identity
OpenID is pitched as an open and decentralized identity system, designed “not to crumble if one company turns evil or goes out of business”. This is great for the system, but still fails the user if their identity across the web is tied to that evil/bankrupt company. The system persists but the user is screwed.
The ‘big wins’ for OpenID thus far have been the decisions by Yahoo, AOL and Google (well, Blogger) to become OpenID providers. It could now be assumed that most people online have some kind of OpenID whether they know it or not. This was a great step forward for encouraging relying parties and for OpenID’s standing in general. However, in the rush to embrace a URL-centric identity and tell people to make their Google/Yahoo/AOL URL their OpenID, we seem to be forgetting that it matters what kind of URL we use. It’s not enough that one URL is able to represent and authenticate who I am across the web; that URL should be in my control and portable, so that I am able to change my provider should I find out that they have been collaborating with oppressive regimes or their servers run on the blood of baby seals. We don’t need URL-centric identity, we need domain-centric identity.
With URL-centric identity we are locked to a particular provider, stuck with the unattractive choice of staying with that company no matter what it does (or does not do) or performing the laborious task of going into every site that we have ever associated with that OpenID and making the necessary changes. The system is set up to encourage stasis. With domain-centric identity, I control the URL that represents me. If my current OpenID provider provides poor security, fails to keep up with the pace of innovation or engages in practices I dislike, I can change providers simply and easily. My identity is in my hands and the system is set up to encourage innovation and competition for my business.
Some might argue that people don’t care who their OpenID provider is as long as it’s secure, but recent experience suggests this isn’t true. The SXSW OpenID panel saw a surprising number of questions fielded about the idea that OpenID seems to be moving towards an oligarchic version of Microsoft Passport in which two or three big companies control our identities. The less than comforting answer was that two companies is better than one. The potential acquisition of Yahoo makes that answer sound even more alarming.
Kaliya Hamlin recently wrote a post titled ‘What about Flickr?’ discussing the consequences of Microsoft owning Yahoo: ‘now with this hostile take over situation with MSFT it could be owned by THEM. It is really devastating to think that all the energy I and others put into this space would be owned by THEM.’ For Kaliya, the nature of the company that provides the service is as important as the service they provide. How would she feel if she used Yahoo as her OpenID and it was suddenly owned by THEM too?
If OpenID was designed so that no one company owns the identity management system for the web, making a domain your OpenID ensures that no one company owns your identity for the web. The easiest way to make your domain your OpenID at the moment is through delegation, and Simon Willison has written a handy guide on how to make that happen. For those without domains, chi.mp will be providing them for free later on in the year.
Delegation and domain-centric identity mean greater competition and innovation between providers, not just to attract new entrants to the market but to retain current customers. It means I have sole control over who I am across the web. If the OpenID community really wants to put people in control of their identity online, there should be less talk of signing up with behemoths and more talk of delegation, less talk about Yahoo OpenIDs and more talk about our OpenIDs.
Very well said. I’ve always looked at OpenID providers as less the source of my identity, and more the means of verifying my identity. Of course, I have a decent understanding of how it works, thanks to Simon, and I promptly set up delegation immediately upon discovering that my old LiveJournal account could actually be useful for something again.
One question about chi.mp providing domains, though. This article claims chi.mp will be “providing them for free,” but what does that really mean? Does that just include basic hosting for identity-based services, provided you point a CNAME at chi.mp, or will chi.mp actually eat the registration and ICANN fees? And if that’s the case, who actually owns the domain? How would renewals be handled? Given that the whole idea is identity *ownership*, I think these (and more) questions need answering.
I understand the need to be a bit cryptic with details about chi.mp this early in the game, but such vague claims can often lead people to false conclusions. Now that the can has been opened, could somebody help me wrangle the worms?
Hi Marty!
Good question and apologies if I don’t answer all your questions fully here. We’ll be talking more about this a little further down the line in much more detail but for now I can tell you that:
Chi.mp has an exclusive deal with the .mp ccTLD that allows us to give away domains for free, so luckily we don’t have to worry about ICANN or registration fees. When we say we’re giving you a domain for free, that’s exactly what we mean. Of course, you’ll also be able to deploy Chi.mp on any domains you might already have as well.
Chi.mp is committed to an open, interoperable web where the user is in control; as such, if you decide you don’t want to use Chi.mp on your domain you’ll be able to say goodbye to us and take that domain elsewhere and use it in the way you like.
Basically our guiding philosophy is that if we can’t make money by facilitating our owners rather than exploiting them, we really shouldn’t be in business at all. We are going to live and breathe that philosophy, and try and do everything we can to make sure that you get to own who you are online.
Thanks for the quick and detailed response. You guys have been great about being very open and transparent about this so far, and I’m glad to see it.
In my mind, I went through about a dozen possible interpretations of the “free domain” thing, and the only logical choices that satisfied your goals as well as the freedom and sovereignty of users were to have a deal with a registrar at the very least. I also toyed with the idea of you guys being your own registrar, but I hadn’t at all considered partnering with a ccTLD. Once things get rolling, it’d be interesting to see a writeup of how that process happened.
Does that mean that all free domains will end in .mp? I don’t expect that’s a deal-breaker, but it’s still worth asking. Since domains really aren’t that expensive these days, it seems reasonable to ask someone to provide their own if they don’t like that stipulation. Besides, a limitation like that would eliminate the mad rush of people wanting to abuse chi.mp as a way to register their supermegaultrastartup.com domains.
Like I said, I didn’t expect full details, and I’m more than happy to ask more later, so I’m glad for what you’ve provided. I hope it will help set others’ minds at ease as well. As you’ve probably noticed, I’m really looking forward to seeing what you guys have in store. I have plenty of other questions that I’m patiently waiting on, to see how things play out.
Also, kudos for the fundamental approach of calling people “owners” instead of “users”. I don’t know if you had to really force yourself to do that, but if it’s natural, all the better. More organizations need to learn to treat people as people, and I’m glad to see it happening.
Yep, free domains will end in .mp. I think GoDaddy would be after us with the baseball bats if we tried something more expansive at the moment.
One of the other advantages for people on other domains using chi.mp will be that they will be able to create a great-looking site and host it without having to pay for hosting etc, so even if people don’t want a .mp domain, taking control of their own identity will still be considerably easier and cheaper than before.
Sounds good! I suppose it’s too early to ask what kind of hosting options would be available, though. I see you guys use Rails, but if you’d be open to letting us Django folks on board, I’d much appreciate it.
Also, a few Google searches clarified the connection to the .mp ccTLD, and helped explain how that process happened, but if you could work something out with Niger, I have a domain I’d love to get my hands on. Maybe you could get set up with mi.ne? It could even be an abbreviation for My Identity? Maybe? Maybe not.
Nice idea on the Niger TLD! The key for us with the .mp TLD is that as a US commonwealth it falls under US law, so we can provide the necessary layer of legal protection and reliability that a country like Niger (wonderful country that I am sure it is) is less noted for.
Personally though I’m still waiting for a .le TLD to come out so that I can go for the vanity domain of tonyhai.le. The new gTLDs will be unveiled in the next year or thereabouts, so I might not have to wait too long!
Tony,
There’s no difference between url- and domain-centric identity. They’re the same thing. And there’s no difference between managing your OpenID authentication via Yawhoever or via Chi.mp.
With the rise of the web, http has become the most flexible, most open protocol for managing data services. As long as that’s true, we’ll be stuck with url- or domain-centric id applications. Remember, it’s not your id that exists at that url, but the authentication service you want to use.
The ease of changing authentication services shows the power of OpenID. Currently, my Basecamp accounts all use a free OpenID service from claimid.com. If I wanted to no longer use ClaimID, I can update my Basecamp account to point to Yahoo. Or Google. Or LiveJournal. Or my own blog.
Hi Austin, Thanks for commenting, I love a good debate!
I disagree: if my OpenID is a url it dictates the authentication service I want to use. If my OpenID is a domain I can dictate the authentication service I use and change it as and when I want, simply and easily.
You are absolutely right that there is no difference in authenticating via Yahoo or authenticating via Chi.mp; the difference is not between providers but between non-portable urls and portable urls. With a delegated domain I can choose which service I wish and change it at my leisure. If Vidoop’s security system appeals to me more than JanRain’s (both of whom I highly recommend) I can change providers in two minutes. However, I cannot get joebloggs.myopenid.com to point at Vidoop. I have to create an account all over again, which is the very problem OpenID is meant to prevent.
You point to the ease of changing authentication services by just updating your Basecamp account, but this is a solution that works only while a small number of sites use OpenID. What happens when I have a hundred or more different sites using OpenID? I have to go into every single site and repoint it? As I said in my post, that kind of laborious barrier to switching promotes stasis.
And what if OpenID becomes my primary authentication point for accessing sites and my OpenID provider for some reason shuts down? With a domain, the pain for me is limited. I merely change where my delegation points to. One simple action and I’m ready to move on. With a url, I face a world of hurt. Once again I have to repoint everything but also I face a real risk of not being able to access my accounts where I have solely registered using my OpenID. How do I get into Magnolia if my OpenID url no longer links to anything?
Your thoughts?
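The delegation mechanism the post points to (Simon Willison's guide) and the provider switch Tony describes in the comment above both come down to a few `<link>` tags on the page served at the domain. The following is an added example, not code from the post, from Chi.mp or from any OpenID library: a minimal model of OpenID HTML-based discovery as a relying party would perform it, plus the check a relying party must make so that an OpenID provider can only assert identifiers that discovery actually mapped to it. The `rel` values (`openid2.provider`, `openid2.local_id`, `openid.server`, `openid.delegate`) are the ones the OpenID 2.0 and 1.1 specifications define; every hostname, URL and sample page below is constructed for illustration.

```python
"""
Model of OpenID HTML-based discovery for a delegated domain (added example).

The page at the claimed identifier (the user's domain) carries <link> tags
naming (1) the provider endpoint the relying party (RP) should contact and
(2) the identifier the provider itself knows the user by. Moving to another
provider means editing those tags; the claimed identifier, which is what
the RP stores against the account, does not change.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass(frozen=True)
class Discovery:
    claimed_id: str   # identifier the user typed at the RP (their domain)
    provider: str     # OpenID provider endpoint the RP will talk to
    local_id: str     # identifier the provider knows the user by
    version: str      # "2.0" or "1.1"


class _LinkCollector(HTMLParser):
    """Collect rel-token -> href for <link> tags found before <body>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        if tag != "link" or self._in_body:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may hold several tokens
                self.links.setdefault(token.lower(), href)


def discover(claimed_id: str, html: str) -> Optional[Discovery]:
    """Resolve the claimed identifier's page to (provider, local_id).
    Prefers OpenID 2.0 tags, falls back to 1.1; None if no delegation."""
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return Discovery(claimed_id, links["openid2.provider"],
                         links.get("openid2.local_id", claimed_id), "2.0")
    if "openid.server" in links:
        return Discovery(claimed_id, links["openid.server"],
                         links.get("openid.delegate", claimed_id), "1.1")
    return None


def assertion_matches_discovery(d: Discovery, assertion: dict) -> bool:
    """RP-side check (OpenID 2.0, verifying discovered information): the
    positive assertion must name the same claimed_id, local identifier and
    endpoint that discovery produced, otherwise any provider could assert
    any identifier. `assertion` is the parsed openid.* response fields."""
    return (assertion.get("openid.claimed_id") == d.claimed_id
            and assertion.get("openid.identity") == d.local_id
            and assertion.get("openid.op_endpoint") == d.provider)


def _page(provider: str, local_id: str) -> str:
    """Constructed sample HTML for a domain that delegates its OpenID."""
    return f"""<html><head>
<link rel="openid2.provider" href="{provider}">
<link rel="openid2.local_id" href="{local_id}">
<link rel="openid.server" href="{provider}">
<link rel="openid.delegate" href="{local_id}">
</head><body>my homepage</body></html>"""


CLAIMED = "http://example.mp/"   # constructed: the owner's own domain
# Day 1: the domain delegates to provider A (constructed hostnames).
PAGE_BEFORE = _page("https://op-a.example/server", "https://alice.op-a.example/")
# Day 2: the owner edits the link tags to move to provider B.
PAGE_AFTER = _page("https://op-b.example/endpoint", "https://op-b.example/u/alice")


def provider_switch_keeps_claimed_id() -> bool:
    """The RP keys the account on claimed_id; only provider/local_id move."""
    before = discover(CLAIMED, PAGE_BEFORE)
    after = discover(CLAIMED, PAGE_AFTER)
    return (before is not None and after is not None
            and before.claimed_id == after.claimed_id
            and before.provider != after.provider)


if __name__ == "__main__":
    for name, page in (("before", PAGE_BEFORE), ("after", PAGE_AFTER)):
        print(name, discover(CLAIMED, page))
    print("RP account mapping stable across switch:",
          provider_switch_keeps_claimed_id())
```

Run it and the two `discover` results share `claimed_id` while differing in `provider` and `local_id`, which is the whole of Tony's point: with a provider-owned URL such as `joebloggs.myopenid.com` the claimed identifier and the provider are the same thing, so there is nothing to re-delegate and every relying party record has to be edited instead. The `assertion_matches_discovery` check is the defensive half of the same design: delegation only stays safe if the relying party refuses assertions whose endpoint or local identifier differ from what it discovered at the domain.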
“How do I get into Magnolia if my OpenID url no longer links to anything?”
I would think the far more serious worry is what happens if your OpenID provider is “evil” in some way - that is, it’s still up but it’s selling your details or something without your knowledge. If it simply goes offline, then it would be fairly simple for its users to be bulk migrated to another provider, and Magnolia et al. would simply map trust from the old provider’s domain to the new one. At least, I would assume that if a provider went offline the owners would be amenable to this, and Magnolia et al. would not want to lose a bunch of users.
[...] myOpenID for Domains. The new service makes it even easier for you to make your domain your OpenID. As I’ve said before, using domains as OpenID URLs is essential for personal ownership of identity online. Congrats [...]