MicroID: Verifiable? Really?
I'm going to cut right to the chase: is MicroID really "decentralized verifiable identity"? After giving a thorough reading to the "press literature" (at microid.org), I could have honestly said that I didn't believe MicroID did anything at all. Here are some excerpts from MicroID's official website:
MicroID enables anyone to claim verifiable ownership over content hosted anywhere on the web... MicroID is not an authentication or single-sign-on service, just a straightforward method for identifying content ownership...
Identity verification sans authentication? What?
Due to the mild headache I've sustained every time I read or heard mention of MicroID, I was absolutely repulsed by the idea of reading the specification, which, at first glance, appeared to be nothing other than a much more intimidating representation of the "assembly procedure" that involves splicing, hashing, and concatenating several strings. It just seemed so ill-conceived that I was not even sure where to begin dismantling it; like trying to decide how to react during a debate to a complete non sequitur.
I suppose I might have begun here: You cannot have verification without a secret.
The reason I'm writing this now, after having read the specification, is because MicroID is being grossly misrepresented. If you don't believe me, just read the press literature:
To verify a user's membership in any (trusted) 3rd party site...
Those parentheses around the word "trusted" are not mine. Why there are parentheses at all is extremely strange to me, as the trust it describes is not optional.
This is the crux of my distaste for MicroID's advertising. There is no verification at all. You must trust the source of the MicroID annotation in order for the annotation to mean anything at all.
Finally I'd like to point out some key parts of the technical specification:
By itself, a MicroID has no inherent meaning, since it is simply a string created from two URIs. Any entity can generate a MicroID even if it has not verified the identity of the resources associated with one or both URIs. Furthermore, a MicroID is easily copied by an entity that did not generate it. Finally, a MicroID is not digitally signed by the entity that generated it and therefore cannot be cryptographically associated with the generating entity.
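As an added illustration of the two points above (the token is just a hash of two public URIs, and a check that anyone can pass is not a verification), here is a Python script that is not from microid.org or the article's author. It assumes the published MicroID construction (SHA-1 of the concatenated hex SHA-1 digests of the identity URI and the site URI, written out as mailto+http:sha1:<hex>); the keyed HMAC alongside it is a hypothetical contrast showing what a check that depends on a secret looks like, not anything MicroID defines, and the URIs and keys are constructed sample values.

```python
"""Added example: why recomputing a MicroID is not verification.

This code is not from microid.org or the article's author. It assumes the
published MicroID construction (hash of the concatenated hex hashes of the
identity URI and the site URI, SHA-1 by default, written as
"mailto+http:sha1:<hex>"); the HMAC contrast is not part of MicroID.
"""
import hashlib
import hmac
import secrets


def _hexhash(text: str, algo: str) -> str:
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def microid(identity_uri: str, site_uri: str, algo: str = "sha1") -> str:
    """Assemble a MicroID from two public URIs. No key, no signature:
    every input is public, so every party can produce the same string."""
    inner = _hexhash(identity_uri, algo) + _hexhash(site_uri, algo)
    return _hexhash(inner, algo)


def microid_full(identity_uri: str, site_uri: str, algo: str = "sha1") -> str:
    """The self-describing form: "<scheme>+<scheme>:<algo>:<hex>"."""
    ident_scheme = identity_uri.split(":", 1)[0]
    site_scheme = site_uri.split(":", 1)[0]
    return f"{ident_scheme}+{site_scheme}:{algo}:{microid(identity_uri, site_uri, algo)}"


def microid_matches(token: str, identity_uri: str, site_uri: str) -> bool:
    """The only check MicroID affords: recompute from the public inputs.
    It says "these two URIs hash to this token", never "the owner of the
    identity URI produced it"."""
    return hmac.compare_digest(token, microid(identity_uri, site_uri))


def keyed_tag(identity_uri: str, site_uri: str, key: bytes) -> str:
    """Contrast (hypothetical, not MicroID): an HMAC over the same two URIs.
    Only a holder of `key` can mint a tag that checks out."""
    msg = f"{identity_uri}\n{site_uri}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keyed_tag_matches(tag: str, identity_uri: str, site_uri: str, key: bytes) -> bool:
    return hmac.compare_digest(tag, keyed_tag(identity_uri, site_uri, key))


def demonstrate() -> dict:
    """Run the comparison on constructed sample URIs and return the findings."""
    # Constructed sample values; nothing here refers to a real site or person.
    author = "mailto:alice@example.com"
    page = "http://blog.example.com/post/1"
    other_page = "http://elsewhere.example.net/not-by-alice"

    # The hosting site annotates Alice's post.
    published = microid(author, page)
    # A stranger who knows both public URIs produces a byte-identical token,
    # and can do the same for a page Alice never touched.
    by_stranger = microid(author, page)
    stranger_claim = microid(author, other_page)

    # Keyed contrast: Alice's key is never published, so a stranger has to
    # guess one, and the recomputation check rejects the result.
    alice_key = secrets.token_bytes(32)
    stranger_key = secrets.token_bytes(32)
    alice_tag = keyed_tag(author, page, alice_key)
    stranger_tag = keyed_tag(author, other_page, stranger_key)

    return {
        "microid_hex_len": len(published),
        "microid_full": microid_full(author, page),
        "stranger_reproduces_token": by_stranger == published,
        "stranger_claim_passes_check": microid_matches(stranger_claim, author, other_page),
        "keyed_tag_passes_with_key": keyed_tag_matches(alice_tag, author, page, alice_key),
        "stranger_keyed_claim_passes": keyed_tag_matches(stranger_tag, author, other_page, alice_key),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The MicroID check passes for the stranger's claim because nothing in the token depends on who computed it; the keyed tag fails for the same claim because the checker holds something the stranger does not. That difference is the whole of the "you cannot have verification without a secret" argument, and a site that publishes MicroIDs is supplying only the first kind of check.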
The conclusion you should walk away from this article with is twofold: First, MicroID is not verifiable. Second, MicroID does not enable anyone to claim verifiable ownership over content hosted anywhere on the web. It does do one useful thing: it could potentially serve as a simple standard for machines to infer authorship from trusted sources. It would be very cheap and low on resource consumption because it requires none of the CPU-intensive work that real cryptographic verification would call for, and it would be low on human resources because it's trivial to implement. But since the system is designed with a trust dependency on the service provider (i.e. the website), then if you're targeting humans with a technology for verifying authorship, why not just stamp content with a clear visual indication of who authored it? But obviously, everyone already does that...
