MicroID
MicroID is a decentralized identity protocol. It was originally developed in 2005 by Jeremie Miller.

A MicroID is a simple identifier comprising a hashed communication/identity URI (e.g. email, OpenID, and/or Yadis) and a claimed URL. Together, the two elements create a hash that can be claimed by third-party services. Ben Laurie demonstrated privacy problems with it in 2006, as did Chris Erway in a Brown CS Technical Report in 2008.


MicroID exchange

Here is an example of a MicroID hash, in pseudocode:

    MicroID = sha1( sha1("mailto:user@example.com") + sha1("http://example.net/") );

The computed MicroID would then be placed on a web page to be claimed. A verifier, which would independently generate the MicroID, would then visit the page to see if the generated MicroID is the same as the MicroID on the page. If they are the same, a claim exists. MicroID is based on a communication URI. Since both the MicroID provider and verifier can verify the communication URI, a proper MicroID implementation allows for trusted identity claims.


Security limitations

A MicroID is essentially a content URI signed with an email address or other attribution. Since the content URI is known for comparison purposes, a MicroID claim can be forged by anybody who knows the communication URI (e.g. email address) associated with the identity. In particular, since a verifier must generate the MicroID in order to compare it, it follows that any party who is trusted to verify a user's MicroID must also be trusted to generate new authorship claims with it. So if you can verify, you can forge. In other words, anyone (e.g. Alice) who can verify someone's (e.g. Bob's) MicroID on a resource X can also generate (spoof) a MicroID on any other document (e.g. Alice can generate a valid MicroID for a document Y, not equal to X, in Bob's name). Assuming the identity is not known (e.g. 1) the publisher has chosen to remain anonymous and 2) denies others the ability to verify the MicroID claim until a time in the future when the user reveals their identity), then:

* someone with email addresses can perform a trivial dictionary attack to find ownership of resources
* someone with a URI can perform a trivial dictionary attack to find an email address

So the (only) remaining use case is where an entity generates a strong cryptographic nonce (e.g. a UUID), uses this to publish documents over time, and at some time in the future reveals the UUID to prove that the user wrote those documents (and accepts that from that point forward anyone can make any claims on his or her behalf).


Privacy limitations

As explained above, a MicroID is a hash made from a public URI and a semi-public email address. Those who know both can verify the identity claim on a page. The hashing helps to hide the semi-public email address from people who should not know it, in particular spammers. However, research on popular social websites such as Last.fm, Digg and ClaimID shows that a brute-force attack can recover the email address in 20–25% of the cases. The brute-force attack guesses email addresses derived from the public user name and other information available on the social websites, and thus only checks a dozen or so candidate addresses per MicroID. Despite this, the study showed a simple attack like this one could still be successful one quarter of the time while spending a fraction of a second to check all candidates for each user. The hashing scheme thus does not guarantee the privacy of the email address.
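The two limitations above (verify implies forge, and the hash not hiding the address against a short candidate list) can be measured rather than argued about. The following is an added example, not code from the MicroID project: it recomputes MicroIDs exactly as the page's pseudocode does, shows that the verifier's inputs are sufficient to mint a claim for any other URL, and runs the kind of candidate-address check the cited study describes over a constructed set of profiles. The candidate domains, usernames and addresses are all constructed sample data; the username-to-address patterns are an assumption standing in for whatever the study derived from profile information.

```python
import hashlib


def microid(comm_uri: str, claimed_url: str) -> str:
    """MicroID as in the page's pseudocode: sha1(sha1(comm_uri) + sha1(claimed_url)),
    with the inner digests concatenated as hex strings."""
    inner = (hashlib.sha1(comm_uri.encode("utf-8")).hexdigest()
             + hashlib.sha1(claimed_url.encode("utf-8")).hexdigest())
    return hashlib.sha1(inner.encode("ascii")).hexdigest()


# --- "If you can verify, you can forge" -------------------------------------
def verify(comm_uri: str, url: str, published_mid: str) -> bool:
    """What a verifier does: recompute from (communication URI, URL) and compare."""
    return microid(comm_uri, url) == published_mid


def claim_from_verifier_knowledge(comm_uri: str, other_url: str) -> str:
    """The verifier's inputs are the generator's inputs; nothing secret is involved,
    so whoever can run verify() can also produce a claim for any other URL."""
    return microid(comm_uri, other_url)


# --- Privacy exposure check --------------------------------------------------
# Constructed list of domains a guesser might try for a given username.
DOMAINS = ["example.com", "example.org", "mail.example.net"]


def candidate_addresses(username: str, domains: list[str]) -> list[str]:
    """Derive a dozen-or-so candidate addresses from a public username (assumed
    patterns: the raw name and its dot / no-separator variants), deduplicated."""
    local_parts = dict.fromkeys([username,
                                 username.replace("_", "."),
                                 username.replace("_", "")])
    return [f"{lp}@{d}" for lp in local_parts for d in domains]


def recover_email(username: str, published_mid: str, page_url: str,
                  domains: list[str]):
    """Return the candidate address whose MicroID matches the published one, or None.
    Each candidate costs one verify(); no secret protects the address."""
    for addr in candidate_addresses(username, domains):
        if verify(f"mailto:{addr}", page_url, published_mid):
            return addr
    return None


def exposure_rate(profiles, domains: list[str]) -> float:
    """Fraction of (username, real_email, page_url) profiles whose address the
    candidate check recovers; the figure the text reports as 20-25%."""
    hits = 0
    for username, real_email, page_url in profiles:
        published = microid(f"mailto:{real_email}", page_url)
        if recover_email(username, published, page_url, domains) == real_email:
            hits += 1
    return hits / len(profiles)


if __name__ == "__main__":
    profiles = [  # constructed sample profiles
        ("bob_smith", "bob.smith@example.com", "http://example.net/bob_smith"),
        ("alice", "alice@example.org", "http://example.net/alice"),
        ("carol", "c.j.1987@private.invalid", "http://example.net/carol"),
        ("dave_k", "dk@private.invalid", "http://example.net/dave_k"),
    ]
    print("candidates per user:", len(candidate_addresses("bob_smith", DOMAINS)))
    print("share of addresses recovered:", exposure_rate(profiles, DOMAINS))  # 0.5
```

A provider can run `exposure_rate` over its own user base to see how many published MicroIDs leak the address behind them; the only defence the scheme offers is an address that is not derivable from public profile data, which is why the text concludes the hash does not guarantee privacy.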


Architecture of a MicroID claim

An example of a successful MicroID claim is as follows:

1. A user signs up for a web service. That web service verifies the user's email, and creates public web pages for the user that contain a MicroID. That MicroID comprises the hashed email (communication URI) and the URL of the webpage.
2. The user then signs up for a verifier service. The service also verifies the user's email.
3. The user inputs the URL of the page she wishes to claim into the verifier service. The verifier service computes the MicroID and attempts to verify the MicroID in the claimed page.
4. If the MicroID in the claimed page is the same as the one in the verifier service, a claim exists. The verifier will then claim ownership of the page.
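The pseudocode in the "MicroID exchange" section and the four steps above are the same exchange seen from the provider side and the verifier side. The following is an added example, not code from the MicroID project, that implements both halves: the provider emits the user's page with the MicroID in its head, and the verifier fetches that page (here a string in memory), recomputes the MicroID from its own knowledge of the communication URI and the claimed URL, and compares. The `<meta name="microid">` placement and the sample email and URL are assumptions of this example; both services are assumed to have verified the email out of band, as steps 1 and 2 require.

```python
import hashlib
import hmac
import re


def microid(comm_uri: str, claimed_url: str) -> str:
    """MicroID as in the page's pseudocode: sha1(sha1(comm_uri) + sha1(claimed_url)).

    The inner digests are concatenated as lowercase hex strings before the
    outer hash, so the result is a 40-character hex digest."""
    inner = (hashlib.sha1(comm_uri.encode("utf-8")).hexdigest()
             + hashlib.sha1(claimed_url.encode("utf-8")).hexdigest())
    return hashlib.sha1(inner.encode("ascii")).hexdigest()


# --- Provider side (step 1) ---------------------------------------------------
def provider_publish_page(comm_uri: str, page_url: str) -> str:
    """Emit the user's public page with its MicroID in the document head.

    The provider is assumed to have verified comm_uri (e.g. by an email
    confirmation loop) before issuing the page."""
    mid = microid(comm_uri, page_url)
    return ("<html><head>"
            f'<meta name="microid" content="{mid}">'
            "</head><body><p>Constructed page body.</p></body></html>")


# --- Verifier side (steps 2-4) ------------------------------------------------
META_RE = re.compile(r'<meta\s+name="microid"\s+content="([0-9a-f]{40})"',
                     re.IGNORECASE)


def extract_microids(html: str) -> list[str]:
    """Collect every MicroID published in the page head."""
    return [m.lower() for m in META_RE.findall(html)]


def verifier_claim(comm_uri: str, claimed_url: str, fetched_html: str) -> bool:
    """Recompute the MicroID from the verifier's own knowledge of the user's
    communication URI and the URL being claimed, then compare with what the
    page publishes. A claim exists only on an exact match."""
    expected = microid(comm_uri, claimed_url)
    return any(hmac.compare_digest(expected, found)
               for found in extract_microids(fetched_html))


if __name__ == "__main__":
    user = "mailto:user@example.com"   # constructed, as in the page's pseudocode
    url = "http://example.net/"
    page = provider_publish_page(user, url)
    print("claim for verified email:   ", verifier_claim(user, url, page))                           # True
    print("claim for a different email:", verifier_claim("mailto:other@example.com", url, page))     # False
    # The URL string must match byte for byte: dropping the trailing slash changes the hash.
    print("claim with unnormalised URL:", verifier_claim(user, "http://example.net", page))          # False
```

The last case is the practical pitfall: both sides hash the URL as a string, so the provider and the verifier must agree on the exact form (scheme, host case, trailing slash) or a genuine claim fails to verify.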


MicroID and the DOM

MicroID allows for the claiming of semantic HTML elements. For example, a MicroID inserted in a block-level element will constitute an ownership claim of anything in the element. A MicroID inserted in the header of a page will constitute an ownership claim of the page. Claims are only verifiable at the granularity of URIs.


Known MicroID providers

The following web services provide MicroIDs to their users:

* ClaimID
* Filmweb
* Identi.ca
* Ma.gnolia
* Chi.mp


Known MicroID verifiers

The following web services verify MicroID claims:

* ClaimID
* Wink


External links

* http://microid.org - MicroID homepage
* http://microid.org/blog - MicroID blog
* http://lists.ibiblio.org/mailman/listinfo/microid - MicroID mailing list
* http://microid.org/code/ - MicroID open source code

