[uf-discuss] MicroID - Identity in a shade of microformat

Kevin Marks kmarks at technorati.com
Mon Mar 27 16:51:31 PST 2006 

On Mar 27, 2006, at 3:40 PM, jer wrote:

> Boy, once Doc gets a hold of something... I was going to send out a 
> little note here asking for some feedback, but it's gone full circle 
> already :)
>
> Anyway, MicroID isn't exactly a microformat all by itself but it can 
> be expressed in conjunction with one.  It's really just an opaque but 
> verifiable owner token, allowing anyone to point at something and say 
> "that's mine" which can be verified by using their email address (or 
> any supported communication identifier).

I'm not sure how useful an email address is as a shared secret. If you 
use a publicly-known one, anyone who knows it can spoof your signature; 
if you use a unique address per service then you need multiple 
microid's.

> The itch I'm scratching is two part, I'm tired of having to put some 
> button or javascript code (or upload a funky named empty file) on my 
> blog/site to verify that I have editorial control over it.  This 
> practice is becoming more and more common, and the technology to do 
> this once and for all isn't brain surgery.

Your long hash reminds me of the original Technorati claiming model, 
which was a hash of the user ID and blog URL, which I deprecated as the 
ID's were too long and cumbersome to send around easily - urls with 
them in tended to get wrapped in email, so people ended up making their 
blog invalid by adding a url with a newline in the middle, and my 
parser had to cope with that.

Hence we went to a 10-character randomly-assigned ID model, as the ID 
is not guessable.

As Chris said on his blog, the bidirectionally-verified rel="me" is a 
sounder way to do this - see http://gmpg.org/xfn/and/

> The second part is to have a MicroID published with a "score" 
> microformat (well really just class='score' unless someone has a 
> better idea) that is wrapped around any comment or content published 
> on a moderated system.  If I get modded up and have a good reputation 
> on that system, why can't there be a solid technical way for me to 
> verify my reputation (or just a bag of all my scores) to anyone that 
> cares?  If these moderated systems publish a simple MicroID with the 
> score output, it makes my reputation portable as much as I want it to 
> be.

As your model is spoofable if I know your email, I'm not sure what this 
gains for you over showing the ID or email directly in the moderated 
system.

More information about the microformats-discuss mailing list