Tuesday, July 22, 2008

How I have taken control of my own identity, part 2

In my last post, I discussed how I made http://blog.nerdbank.net my one OpenID URL that allows me to link my several accounts with various OpenID Providers into a single URL that I may use anywhere.  In this post, I'll talk about some of the problems that remain with the system, and how XRI i-names can solve them.

Why use an XRI/i-name?

I purchased =Arnott from 1id.com, one of the many XRI accredited brokers.  It costs me $7/year I think, which is slightly less than a domain name from most resellers.  Along with that i-name I got an associated CanonicalID (=!9B72.7DD1.50A9.5CCD) which is mine forever. Even if I cancel with 1id.com, my CanonicalID will never be re-assigned to anyone else.

I can even change my i-name from =Arnott to =SomebodyElse and transfer my CanonicalID to the new i-name, and my identity moves with it.  OpenID 2.0 includes support for XRI i-names, and requires that web sites that let people log in with "=Arnott" store this CanonicalID as the primary key instead of the "=Arnott" string.  Not only does that let me change my i-name periodically, it guarantees that if someone else later buys "=Arnott", they cannot log in as me anywhere.

Contrast that with an ordinary OpenID URL like http://blog.nerdbank.net.  If I stop paying for the nerdbank.net domain name, someone else can register it, put an OpenID endpoint at the very URL I used to use, and log in as me at every web site that knows me by that URL.  An XRI's CanonicalID can never be reassigned, so that attack is closed off (provided the relying party keyed on the CanonicalID, as OpenID 2.0 requires).

While most OpenID-supporting web sites accept URLs, only a small handful seem to accept XRIs.  That isn't too bad, though, since any XRI can also be written as a URL: https://xri.net/=Arnott.  To a relying party that is just a URL, and it will very likely work as long as the site supports XRDS (Yadis) discovery.

But the URL form of an XRI is not equivalent to the =Arnott XRI itself.  When the URL form is used, the primary key at the web site is the URL rather than my XRI's CanonicalID, so I cannot use =Arnott and https://xri.net/=Arnott interchangeably on the same web site and expect to be treated as the same person.

And who knows?  Maybe I'll grow tired of the URL I use for my blog.  An XRI is just the better way to go if you're trying to consolidate your identity online.

Setting up your i-name

As I said earlier, I happen to host my i-name with 1id.com.  I do not like 1id.com's user interface though and it doesn't provide many of the authentication options that myopenid.com does.  But myopenid.com doesn't offer XRI hosting.  No problem.  XRDS documents can bring in the best of both worlds. 

I took the XRDS document I had written and linked to from my blog and re-created it in 1id.com's XRDS management interface.  That was not as easy as it should have been, because 1id.com doesn't give direct access to the XRDS document, only a web interface of push buttons and text fields.  I removed the services that 1id.com attaches to an XRI by default, or gave them a very high priority number (which means a low priority, because services are sorted by that number in ascending order).  I could check my work as I went by visiting https://xri.net/=Arnott?_xrd_r=application/xrds%2Bxml;sep=false, which returns the full XRDS document, and comparing it with the one I had previously hosted on my blog.

With my customized XRDS document in place, when I use my =Arnott XRI, hosted by 1id.com, to log into an OpenID relying party, I am redirected to myopenid.com rather than 1id.com for authentication, yet my CanonicalID is still the primary key at that web site.  That gives me the best of everything: a primary key that is mine forever, and the freedom to switch authentication Providers whenever I like without disrupting my identity on any web site.  Sweet.

What about my old blog OpenID url?

Well, for those web sites that don't yet support XRIs, I can use either the URL form of my XRI mentioned earlier or my blog URL.  I chose my blog URL for non-XRI-supporting web sites.  But to avoid maintaining two XRDS documents (one at 1id.com and one hosted on my blog), I changed my blog's HEAD tags to point directly at the XRDS document hosted for my =Arnott identity:

<meta http-equiv='X-XRDS-Location' content='https://xri.net/=Arnott?_xrd_r=application/xrds%2Bxml;sep=false' />

Then I realized that instead of using =Arnott, which is really only convenient shorthand for my XRI CanonicalID, I should use the CanonicalID here, so that if I ever drop =Arnott in favor of some other i-name, the link will keep working as long as I transfer my CanonicalID to the new alias.  So I changed it to this:

<meta http-equiv='X-XRDS-Location' content='https://xri.net/=!9B72.7DD1.50A9.5CCD?_xrd_r=application/xrds%2Bxml;sep=false' />

Summary

And that wraps up my identity.  I would encourage you to pick up an i-name for yourself, customize the XRDS, and take control of your identity.  Although I picked 1id.com, you should hop over and check out freexri.com, which, as its name implies, gives out free 'community' i-names.  I don't use freexri.com to save myself $7/year (yet) because they don't seem to issue a CanonicalID along with the i-name, which makes it useless in my opinion.  [7/23/08 Update] I found out that i-names freexri.com generated over six months ago don't have CanonicalIDs, but new ones do, so check out their service!  Their interface is friendlier and more powerful at the same time.  Hopefully the older i-names will get CanonicalIDs there soon as well.

Hopefully someday soon this will all be so natural and easy that people will do it as comfortably as they set up their Internet connection when they get a new PC.

Editorial note:

At the time of this writing, 1id.com has a bug in their XRDS implementation that I just found out about today: instead of <openid:Delegate> elements in my XRDS services, it emits <openid:delegate>, and since XML element names are case-sensitive that breaks all OpenID 1.x relying parties.  Dang.  I've written to 1id.com and so has John Bradley (=jbradley), so I hope they fix this soon.

[Update 7/23/08] 1id.com fixed it within hours of my reporting it.  But existing 1id.com customers will have to go into their XRDS management page and re-save all their i-services for the fix to take effect.
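To make the relying-party side of two points above concrete, the XRDS-driven setup in "Setting up your i-name" and the case-sensitive <openid:Delegate> problem in the editorial note, here is an added example in Python.  It is not code from this post, from 1id.com or from DotNetOpenId.  The XRDS text, the endpoint URLs op.example.net and broker.example.net, and the function names are made up for the example; only the CanonicalID is the one quoted above.  It assumes the XRDS came back from a trusted resolver and does no CanonicalID verification of its own.

```python
"""Relying-party handling of an i-name's XRDS (constructed example, not
code from the post, from 1id.com or from DotNetOpenId).  The XRDS text and
the endpoint URLs are made up; only the CanonicalID is the one in the post.
The XRDS is assumed to come from a trusted resolver: no CanonicalID verification."""
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"               # XRD 2.0 element namespace
OPENID1 = "{http://openid.net/xmlns/1.0}"   # namespace of <openid:Delegate>
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID1_SIGNON = "http://openid.net/signon/1.1"
GCS_CHARS = "=@+$!"                         # XRI global context symbols

# Constructed XRDS: the i-name is hosted by one broker, but the best-priority
# services hand authentication to a different OpenID Provider (as in the post).
SAMPLE_XRDS = """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <CanonicalID>=!9B72.7DD1.50A9.5CCD</CanonicalID>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/server</URI>
      <LocalID>https://arnott.op.example.net/</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://op.example.net/server</URI>
      <openid:Delegate>https://arnott.op.example.net/</openid:Delegate>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://broker.example.net/openid</URI>
      <openid:Delegate>https://broker.example.net/arnott</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>"""

# The same document with the element-name bug the editorial note describes.
BROKEN_XRDS = SAMPLE_XRDS.replace("openid:Delegate", "openid:delegate")


def is_xri(identifier: str) -> bool:
    """True for an i-name or i-number such as =Arnott or =!9B72.7DD1.50A9.5CCD."""
    return bool(identifier) and (identifier.startswith("xri://") or identifier[0] in GCS_CHARS)


def parse_xrds(xml_text: str) -> dict:
    """CanonicalID and Services of the last XRD, sorted by priority; no priority sorts last."""
    root = ET.fromstring(xml_text)
    xrd = root.findall(XRD + "XRD")[-1]      # the final XRD describes the i-name itself
    services = []
    for svc in xrd.findall(XRD + "Service"):
        prio = svc.get("priority")
        services.append({
            "priority": int(prio) if prio is not None else None,
            "types": [t.text for t in svc.findall(XRD + "Type")],
            "uri": svc.findtext(XRD + "URI"),
            "local_id": svc.findtext(XRD + "LocalID"),
            # XML names are case-sensitive, so <openid:delegate> is not matched here.
            "delegate": svc.findtext(OPENID1 + "Delegate"),
        })
    services.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return {"canonical_id": xrd.findtext(XRD + "CanonicalID"), "services": services}


def select_openid_service(services: list, allow_v2: bool = True) -> dict:
    """Pick the best-priority OpenID service; allow_v2=False models a 1.x-only RP."""
    for svc in services:
        if allow_v2 and OPENID2_SIGNON in svc["types"]:
            return {"version": 2, "op_endpoint": svc["uri"], "local_id": svc["local_id"]}
        if OPENID1_SIGNON in svc["types"]:
            return {"version": 1, "op_endpoint": svc["uri"], "local_id": svc["delegate"]}
    raise ValueError("no OpenID service in XRDS")


def claimed_identifier_key(user_input: str, canonical_id) -> str:
    """Value the RP must store as the user's primary key: the CanonicalID for an XRI
    (OpenID 2.0 requires it; the i-name is reassignable), but the URL itself for a
    URL such as https://xri.net/=Arnott, which is why the two forms are separate accounts."""
    if is_xri(user_input):
        if not canonical_id:
            raise ValueError("XRI resolved without a CanonicalID; refuse the login")
        return canonical_id
    return user_input


def find_miscased_delegates(xml_text: str) -> list:
    """Lint for the 1id.com bug: <openid:delegate> spelled in lower case."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if el.tag.endswith("}delegate")})
```

Running `parse_xrds(SAMPLE_XRDS)` yields the CanonicalID and the three services in priority order (10, 20, then the one with no priority), and `claimed_identifier_key` returns =!9B72.7DD1.50A9.5CCD for the input =Arnott but the unchanged URL for https://xri.net/=Arnott.  On `BROKEN_XRDS` an OpenID 2.0 relying party is unaffected (it reads <LocalID>), but `select_openid_service(..., allow_v2=False)` comes back with `local_id` None, so a 1.x relying party would send the XRI itself as the identity to an OP that has never heard of it; `find_miscased_delegates` reports the offending tag.  One caveat not shown here: a production resolver must also verify the CanonicalID against the parent authority's XRD before trusting it, otherwise an attacker who controls an XRDS could assert someone else's CanonicalID and inherit their primary key.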

2 comments:

  1. Great article Andrew!
    A little question about your excellent library dotnetopenid. For i-names, for mine for example, it returns the following: =!F03.B700.8A22.C1E8, but other implementations of OpenID, the Python one for example, return xri://=!F03.B700.8A22.C1E8. Is there any standard presentation of XRIs in OpenID? The second option is better IMHO; it's a valid URI.

    ReplyDelete
  2. Hi Derigel,

    First of all thanks for the feedback on DotNetOpenId. You bring up an interesting suggestion about the xri:// prefix that I will have to investigate more fully. But my understanding of the URI spec means that xri:// stuck in front of an XRI does not necessarily make it a valid URI -- but I'm not certain. So putting the xri:// prefix just might be misleading. But I'll look more into this.

    ReplyDelete