Tue, May 17, 2005
Spotted on the blosxom mailing list: yadis stands for "yet another distributed identity system" and is the brainchild of Brad Fitzpatrick, lead developer of LiveJournal. It's simple and clever, and at minimum, it's going to force others to state clearly why their more complicated systems are better. Here's my first take.
Not surprisingly, the yadis spec is very similar to the IdentityCommons single sign-on protocol (which will eventually be replaced by a SAML profile), except that instead of XRIs and XDI, yadis uses URIs and FOAF. With IdentityCommons, you log in with an i-name, which is a valid XRI. That XRI gets resolved, then points to your identity broker (what folks in the SAML world call an "identity provider"). With yadis, you log in with a URI (likely your blog URI, sans the protocol prefix). The application queries that URI for a FOAF file that contains the URI of your identity provider. The backchannel authentication is almost identical for both systems.
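To make the yadis-style discovery step concrete, here is an added example (not code from the original post or from the yadis project) of the relying-party side: it takes the bare identifier a user types, turns it into a fetchable URI, reads a FOAF document from it and pulls out the identity-provider URI. The FOAF document is constructed for the example, and the property that carries the provider URI (`ex:identityProvider` in a made-up `http://example.org/identity#` namespace) is an assumption; the page only says the FOAF file "contains the URI to your identity provider" and does not name the property.

```python
"""
Added example, not from the original post or the yadis project: a toy
relying-party discovery step modelled on the flow described above.

Assumptions (not from the page):
  - the user types a bare identifier such as "www.eekim.com/blog/";
  - the document found at that URI is an RDF/XML FOAF file;
  - the identity-provider URI is carried in a hypothetical property
    <ex:identityProvider rdf:resource="..."/> in a made-up namespace.
The FOAF document below is constructed for the example; nothing is fetched
from the network.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF_NS = "http://xmlns.com/foaf/0.1/"
EX_NS = "http://example.org/identity#"  # hypothetical namespace (assumption)

# Constructed sample: what a relying party might get back from the user's URI.
SAMPLE_FOAF = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF_NS}" xmlns:foaf="{FOAF_NS}" xmlns:ex="{EX_NS}">
  <foaf:Person>
    <foaf:name>Example User</foaf:name>
    <foaf:homepage rdf:resource="http://www.eekim.com/blog/"/>
    <ex:identityProvider rdf:resource="https://idp.example.org/auth"/>
  </foaf:Person>
</rdf:RDF>
"""


def normalize_identifier(user_input: str) -> str:
    """Turn the bare identifier a user types into a fetchable URI.

    The post says the login name is "likely your blog URI, sans the protocol
    prefix", so a missing scheme is assumed to be http. Anything other than
    http(s), or anything without a host, is rejected so the relying party
    never dereferences an unexpected scheme.
    """
    candidate = user_input.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported identifier: {user_input!r}")
    return candidate


def find_identity_provider(foaf_xml: str) -> str:
    """Extract the identity-provider URI from a FOAF document.

    Only an absolute http(s) URI is accepted: the relying party will later
    send the user (and a backchannel request) to it, so a relative path,
    an empty value or a non-http scheme must not pass through.
    """
    root = ET.fromstring(foaf_xml)
    node = root.find(f".//{{{EX_NS}}}identityProvider")
    if node is None:
        raise ValueError("FOAF document names no identity provider")
    idp = node.get(f"{{{RDF_NS}}}resource", "")
    parts = urlsplit(idp)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"identity provider URI not acceptable: {idp!r}")
    return idp


def discover(user_input: str, fetch) -> dict:
    """One yadis-style discovery round: identifier -> FOAF -> provider.

    `fetch` is injected so the example runs offline; a real relying party
    would do an HTTP GET here, with a timeout and a response size limit.
    """
    uri = normalize_identifier(user_input)
    foaf = fetch(uri)
    return {"identifier": uri, "identity_provider": find_identity_provider(foaf)}


if __name__ == "__main__":
    print(discover("www.eekim.com/blog/", lambda uri: SAMPLE_FOAF))
```

The two scheme checks are the part worth keeping in mind: in this design the relying party dereferences a URI the user typed and then trusts whatever document it finds there for the next hop, so whoever can edit that document decides where the login goes. Restricting both the identifier and the discovered provider to absolute http(s) URIs, and keeping the fetch behind an injectable function with a timeout and size limit, is the minimum a relying party should do before following the chain.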
yadis is compelling because it's simple and highly bootstrapped. You need very little additional infrastructure to get it working. IdentityCommons relies on a global XRI infrastructure that is barely in its infancy, and it uses XDI for data sharing, which doesn't even exist as a draft spec yet. (It's far from vaporware, though, as some docs and code do exist.)
Why the complexity? Is it just that =eekim seems more aesthetically pleasing as a username than www.eekim.com/blog/? Absolutely not.
yadis is not a trust system. Trust requires identity first.
The i-name infrastructure addresses both the identity problem and the trust problem.
First, i-names are designed to be long-lived, whereas URIs are not. What happens when you get married, you change your name, and you decide to get a new domain name to reflect that? Will the new URI work with all your old accounts, or will you have to change them manually? Or, what do all the folks without a personal web site or blog (and no desire for either) use?
Second, XDI is designed with data contracts in mind. You can attach contracts to any piece of your profile data, and you can have different contracts for every entity with whom you deal. FOAF has no equivalent, and that is its biggest problem.
That said, I think yadis is a very important development for two reasons. First, it may be an excellent intermediate step to i-name adoption. In other words, it solves an immediate problem easily, then has a natural evolution path to i-names once (or if) its inadequacies become a problem. Second, it's a great reality check for the techies in the IdentityCommons community. We still don't have clear explanations of i-names or XDI, and the barrier to adoption is still too high. I don't think there are easy answers to these problems, but it's important that we remain focused on these issues.
Finally, there's a very good technical observation in the docs that is worth noting: SAML is not Ajax-friendly.
/collaboration/idcommons | Posted at 2:10am