FAQ

One of the most fascinating experiences resulting from publishing MicroID has been the way that people try to understand it. It’s clear that I didn’t explain how I expect it to be used well enough, so this post is the start of a living FAQ I’ll be building through this blog and based on the comments posted (so post any new questions please!):

Q: Anyone can make a MicroID for me if they know my email address, how does that prove anything?
A: Yes! A MicroID doesn’t prevent spoofing; it simply enables ownership verification. I know that doesn’t make sense, but think about it with a real-world example: pet tags. You put your phone number on your pet’s collar (or microchip implant these days) to identify that pet as yours. Sure, anyone can label their pet as yours, but what do you care? With the microchip example it’s even clearer: when you go to the vet, they can check your ID and match it with the implant owner data, so they validate that you own that pet. MicroID allows a service to validate that the content you link to on some other site is actually yours, if you claim it to be.

Q: How’s this any different than doing something like this?
<meta name="contact" content="mailto:" />

A: It’s functionally identical: publishing your email address allows the exact same level of ownership demonstration. Compare to the MicroID example:
<meta name="microid" content="9d6d3552e3304340849837313b0e34833e4c599b"/>
The only difference is that the MicroID doesn’t expose the address, and you only have to reveal the address privately to those that you want to show ownership to. That’s enough reason alone to be useful.
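
An added example (not code from this post or from the MicroID project) of the check a service performs: it takes an email address it has already verified, computes the MicroID for the claimed page, and looks for it in the page's meta tags. The construction used here, SHA-1 over the concatenated hex SHA-1 digests of the identifier URI and the page URL, is an assumption because this post does not spell it out; the address, URL and HTML are constructed samples.

```python
import hashlib
from html.parser import HTMLParser


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(identifier_uri, page_url):
    # Assumed construction: sha1( sha1(identifier) + sha1(url) ), lowercase hex.
    return sha1_hex(sha1_hex(identifier_uri) + sha1_hex(page_url))


class MicroIDMetaParser(HTMLParser):
    """Collects the content of every <meta name="microid"> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "microid":
            self.found.append(attr.get("content", "").strip().lower())


def page_claims(html, verified_email, page_url):
    """True if the page publishes the MicroID for (verified_email, page_url).

    The result only means something when the service has ALREADY confirmed
    that verified_email belongs to the user; anyone can publish the tag.
    The URL must be byte-identical to the one the publisher hashed.
    """
    parser = MicroIDMetaParser()
    parser.feed(html)
    return microid("mailto:" + verified_email, page_url) in parser.found


# Constructed sample page for a constructed owner.
SAMPLE_URL = "http://example.com/"
SAMPLE_HTML = ('<html><head><meta name="microid" content="%s"/></head></html>'
               % microid("mailto:alice@example.com", SAMPLE_URL))

if __name__ == "__main__":
    print(page_claims(SAMPLE_HTML, "alice@example.com", SAMPLE_URL))    # owner
    print(page_claims(SAMPLE_HTML, "mallory@example.com", SAMPLE_URL))  # other address
    print(page_claims(SAMPLE_HTML, "alice@example.com", "http://example.com"))
```

The last call fails only because the trailing slash differs, so publisher and verifier have to agree on the exact URL form before hashing.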

Q: What identifiers can be used instead of email?
A: The only requirement is that the identifier you use as the source is verifiable: email address, IM handle, phone number, even a PKI token, anything that enables one to validate it. It’s only as strong as your ability to verify that identifier, which with email confirmations is (un)fortunately a very common practice and an acceptable level of confidence for most systems.

Q: So my home page can now be verified as mine by just checking my email address, so what?
A: My perspective comes from online reputations, particularly the reputation silos that are all of the various comment and content moderation systems out there. Individuals put a lot of work into building a reputation on all of these web communities, and that effort isn’t portable today. By using MicroID and exposing a contactable identifier along with any of your posted content/comments on any of those systems you can demonstrate/validate ownership of that reputation. MicroID is just an alternative that provides this basic utility without forcing the identifier into the public.


6 Responses to “FAQ”

  1. Aaron Huslage Says:

    This isn’t really “Identity” so much as it is an “Identifier”. Identity asserts that it somehow verifies someone as the person they say they are (as in authentication)…which MicroID certainly is not. An identifier is essentially a tag that identifies a piece of content as belonging to, or somehow attached to an entity.

    This simple clarification should help you “sell” the wonderfully simple idea of MicroID. This sort of distinction helps to make things more clear to the incumbent and new user alike and also ensures that this format is not misused as some sort of strong authentication.

  2. jeremie Says:

    Excellent point Aaron, thanks! I’ll try to clarify this and make a point of calling it an Identifier system, as it is.

  3. weston Says:

    MicroID is interesting, the simplicity is very appealing. I am working on a similar portable reputation system for commenters and blog authors called sxore, it has a few more moving parts but is pretty simple for people to get started with (currently we only support WordPress blogs). It uses the SXIP protocol to allow users to take their reputation with them from one sxip enabled site to another. I invite you to check it out and tell me how you think it compares to MicroID.

  4. chregu Says:

    Came across this site via claimid.org. Cool idea.

    What about adding a standardized, resp. recommended xml-element for RSS and atom, so that one can add eg. the microid for commentors in a comment-rss-feed for easier aggregation.

    I’d like to add the microid for each comment made (if there’s an email and webpage, of course) on my blog, but no idea where to put it in RSS.

  5. Stephen Paul Weber Says:

    It does, in fact, prevent spoofing to a certain extent if the service that needs to verify follows the spec. They must KNOW that the email address (etc etc) is yours before checking for the microid. Thus the only way to spoof a service is to have someone not you be able to verify your email address (a good trick) or have you do it for them. Anyone can put the microid on their page, but no bot will be looking for it unless it already KNOWS the email address (etc etc) is yours.

    One question is — for non-email IDs, what are the rules? You must hash mailto: with http://the.url (no trailing slash). That is stated in the spec. If I prove who I am using OpenID I would assume you would hash http://my.opeid.url/as-returned-by-server (thus trailing slash depends on OpenID rules and not microID rules) with http://the.url (no trailing slash). You list other possible first-item options above (including phone number!)… but what would the formatting rules be for those so that both the service and the publisher are sure to generate the same hashcode (and thus have a match)?

  6. willnorris.com » Blog Archive » wordpress microID plugin Says:

    [...] However, I do disagree with Jeremie’s claim that this could help reduce blatant spoofing (Jeremie even mentions this himself in an FAQ). Nothing prevents me from entering someone else’s email address and URL into a comment box. When they compare microIDs, of course they will match. This simply verifies a valid email/url couplet, but does not verify that the person making the comment actually owns either of those items. Put simply, microID does not do authentication (which the webpage mentions). Use openID for that! [...]
