Tue, May 17, 2005
Spotted on the blosxom mailing list: yadis stands for "yet another distributed identity system" and is the brainchild of Brad Fitzpatrick, lead developer of LiveJournal. It's simple and clever, and at minimum, it's going to force others to state clearly why their more complicated systems are better. Here's my first take. (IPO)
Not surprisingly, the yadis spec is very similar to the IdentityCommons single sign-on protocol (which will eventually be replaced by a SAML profile), except instead of XRIs and XDI, yadis uses URIs and FOAF. With IdentityCommons, you log in with an i-name, which is a valid XRI. That XRI gets resolved, then points to your identity broker (what folks in the SAML world call an "identity provider"). With yadis, you log in with a URI (likely your blog URI, sans the protocol prefix). The application queries the URI for a FOAF file that contains the URI to your identity provider. The backchannel authentication is almost identical for both systems. (IPP)
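The discovery step described above, as an added sketch that is not code from the yadis spec or from this blog. The FOAF property name and its namespace, the identity provider address, and the weblog-match and https-only checks are assumptions of the example, since the post does not give them.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"
# Hypothetical namespace and property: the post does not name the FOAF
# property that carries the identity provider URI.
EX = "http://example.org/yadis-sketch#"

# Constructed sample FOAF file, as if fetched from www.eekim.com/blog/.
SAMPLE_FOAF = f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="{FOAF}" xmlns:ex="{EX}">
  <foaf:Person>
    <foaf:weblog rdf:resource="http://www.eekim.com/blog/"/>
    <ex:identityProvider rdf:resource="https://idp.example.org/auth"/>
  </foaf:Person>
</rdf:RDF>"""

def normalize_login(identifier):
    """Turn a login like 'www.eekim.com/blog/' into an absolute http(s) URI."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident  # users type the URI sans protocol prefix
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("login identifier must be an http(s) URI")
    return ident

def discover_provider(login_uri, foaf_xml):
    """Return the identity provider URI the FOAF file declares for login_uri."""
    # A production fetcher should parse untrusted XML with a hardened parser.
    root = ET.fromstring(foaf_xml)
    for person in root.iter(f"{{{FOAF}}}Person"):
        weblog = person.find(f"{{{FOAF}}}weblog")
        if weblog is None or weblog.get(f"{{{RDF}}}resource") != login_uri:
            continue  # this entry does not describe the URI the user claimed
        idp = person.find(f"{{{EX}}}identityProvider")
        if idp is None:
            continue
        target = idp.get(f"{{{RDF}}}resource", "")
        parts = urlsplit(target)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("identity provider must be an absolute https URI")
        return target
    return None  # no provider declared: the application cannot authenticate
```

The application would then run the backchannel authentication against the returned URI; a `None` result or a `ValueError` means the login should be refused before any request is sent to the declared provider.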
yadis is compelling because it's simple and highly bootstrapped. You need very little additional infrastructure to get it working. IdentityCommons relies on a global XRI infrastructure that is barely in its infancy, and it uses XDI for data sharing, which doesn't even exist as a draft spec yet. (It's far from vaporware, though, as some docs and code do exist.) (IPQ)
Why the complexity? Is it just that =eekim seems more aesthetically pleasing as a username than www.eekim.com/blog/? Absolutely not. (IPR)
This is not a trust system. Trust requires identity first. (IPT)
The i-name infrastructure addresses both the identity problem and the trust problem. (IPU)
First, i-names are designed to be long-lived, whereas URIs are not. What happens when you get married, you change your name, and you decide to get a new domain name to reflect that? Will the new URI work with all your old accounts, or will you have to change them manually? Or, what do all the folks without a personal web site or blog (and no desire for either) use? (IPV)
Second, XDI is designed with data contracts in mind. You can attach contracts to any piece of your profile data, and you can have different contracts for every entity with whom you deal. This is the biggest problem with FOAF. (IPW)
That said, I think yadis is a very important development for two reasons. First, it may be an excellent intermediate step to i-name adoption. In other words, it solves an immediate problem easily, then has a natural evolution path to i-names once (or if) its inadequacies become a problem. Second, it's a great reality check for the techies in the IdentityCommons community. We still don't have clear explanations of i-names or XDI, and the barrier to adoption is still too high. I don't think there are easy answers to these problems, but it's important that we remain focused on these issues. (IPX)
Finally, there's a very good technical observation in the docs that is worth noting: SAML is not Ajax-friendly. (IPY)
/collaboration/idcommons | Posted at 2:10am
Bruce Schneier wrote a scathing assessment of REAL ID in the latest issue of his Crypto-Gram newsletter. Regarding European countries with national IDs, Schneier wrote: (IPI)
(Those who point to European countries with national IDs need to pay attention to this point. European countries have a strong legal framework for data privacy and protection. This is why the American experience will be very different than the European experience, and a much more serious danger to society.) (IPJ)
Lots of folks pay lip service to the social framework that needs to complement technology in order for a system to work, but few are actually doing anything about it. It's why IdentityCommons is so important, although even that group is more reactive than proactive, focusing initially on technology rather than on social agreements. That's probably just the reality of the life-cycle of progress (says the optimistic Heideggerian in me). (IPK)
That said, it's no accident that folks in the identity space are starting to take IdentityCommons so seriously these days. There were at least 10 folks from the IdentityCommons community (myself included) actively participating in the various "Identity Gang" gatherings last week. (IPL)
/collaboration/idcommons | Posted at 1:20am
A blog about collaboration, community-building, and the various goings-on at Blue Oxen Associates, with occasional digressions on food and other vital matters.