Comments on: Do you trust your identity provider?

By: dsr

dsr — Thu, 12 Mar 2009 18:56:01 +0000

I think the idea of a cooperative to provide identity services is a good idea. Not to save costs, or to simplify things, but to provide a trustable “mixmaster” behind which stands a group of people who can be relied on not to screw each other over or hand over information to the FBI without a subpoena. Not having information to hand over is useful, too… running services without logs of who queried what.

By: Chad

Chad — Thu, 12 Mar 2009 17:52:07 +0000

I’ve been mildly paranoid over long term application availabilities for a long time, which is why I’ve usually opted to run things myself. My own web pages, blog, email account, OpenID provider, even my own Jabber server, although that one was a ‘heck, why not’ option. In a few cases, I’m wiliing to trust a third party when its interests and mine are very closely aligned; I no longer host off my own box because a hosting company can do a better job, and they’re in the business of uptime and reliable, so I can trust them to want to provide infrastructure. I almost trust Google fully with my calendar, some of my email, and some of my documents, because they’re in the business of providing those services, and there’s a tangible revenue model for them in keeping the services operational.

Identity? That one is a lot harder. If I lose some email, I’ll survive. If my calendar gets shared inadvertently, I won’t likely be hurt. If access to all my various web services gets handed over to a hacker, then I’m mightily pissed.

Might I eventually trust someone else? Maybe. They’d have to work very hard to earn the trust, and they’d have to be easier that doing it myself. To be blunt, OpenID was designed to make it easy to do yourself, so that’s a huge barrier to my adoption of a third party.

Distributed is an interesting idea, because even running it myself I have minor quibbles about losing control. My identity and my reputation, socially speaking, are already distributed or federated across the services I use – I have identity on LJ, but also on twitter, for instance, and depending on who is reading me, it can be a non-overlapping, or partially-overlapping identity. Why not distributed identity authentication as well?

Actually, in theory, I could have that with OpenID. Just because I run my own provider oesn’t mean I couldn’t _also_ use others, but there needs to be some way to connect them together, in a way that would be recognized at the provider level and the service level. I know of one webapp (festevil.brandeislarp.com) that allows an account there to be associated with multiple OpenIDs, but that is only a service-level solution.

By: Justin

Justin — Wed, 11 Mar 2009 18:42:30 +0000

I wouldn’t even necessarily trust a non-profit — the difference between for-profit and non-profit isn’t as great as people think, and non-profits can still do questionable things. There are plenty of non-profits whose decision-making structure is very insular and subject to Great Dumb.

But I agree that something with a co-op structure, that is truly accountable to its members and has a clear charter in such matters, might work decently well…

By: Joshua Kronengold

Joshua Kronengold — Wed, 11 Mar 2009 17:55:06 +0000

I’m a semi-paranoid person in this respect — if I were really to rely on an OpenID, I’d set one up on labcats.org (which I, you know, own) and use that. That said, most people aren’t — do do this right, you’d need a non-profit (or coop) organization set up to handle identities and nothing but identities.