Saturday, March 05, 2011

More on identity

Dave Winer wrote a blog post titled Using DNS as a thin ID system. I encourage you to go read it, but in essence his main gripe is that the current means of identifying a person online are too complicated.
And I agree, with one caveat: there is clearly a need for a simple identification system, but the need for (and current existence of) more complex ID systems is just as real.

Winer postulates that the DNS could be used for the simple ID system. Let's call it SID for short. Here again I have to agree he's on to something, since when we designed the .tel top level domain, that was a primary goal.
However, with .tel we started with the complicated stuff, implementing all the current systems like OpenID et al., and also implementing a unique, original encryption system for sharing private information inside the DNS zone itself.
So now in the spirit of bootstrapping and getting something up quickly, here's my implementation of Winer's SID:

http://passw0rd.henri.tel

Here's how it works:

  • Assume you don't know the above URL
  • I go to your site and want to authenticate myself
  • You ask me for my domain name (henri.tel) and password (passw0rd)
  • You look up password.domain (in this case, passw0rd.henri.tel)
  • If you look up using DNS and it returns NXDOMAIN, then authentication failed
  • If you look up using HTTP and it returns 404, then authentication failed
That's about it.
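Here is the DNS half of that check written out as an added example (mine, not part of the original post or of the .tel service): it builds the query for password.domain by hand so the result can be read off the response code rather than inferred from a library error, and a constructed stand-in zone replaces the real resolver so it runs offline. The resolver address in udp_send and the transaction id are assumptions.

```python
import socket, struct

QTYPE_TXT = 16                         # any type works; we only care whether the name exists
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name, rejecting labels no zone could hold."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txn_id: int) -> bytes:
    # header: id, flags (QR=0, RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0; then one question
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1)

def parse_rcode(resp: bytes, txn_id: int) -> int:
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txn_id or not flags & 0x8000:      # id mismatch or QR bit clear
        raise ValueError("not a response to our query")
    return flags & 0x000F

def udp_send(query: bytes, resolver: str = "9.9.9.9") -> bytes:
    """Real transport: one UDP round trip to a recursive resolver (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, (resolver, 53))
        return s.recv(512)

def sid_check(domain: str, password: str, send=udp_send, txn_id: int = 0x1D05) -> bool:
    """True when <password>.<domain> exists, False on NXDOMAIN, error otherwise.
    NOERROR counts as success even with an empty answer (e.g. only NAPTR, no TXT): the name
    exists. The label is case-insensitive and crosses every resolver and cache in cleartext."""
    rcode = parse_rcode(send(build_query(f"{password}.{domain}", txn_id)), txn_id)
    if rcode == RCODE_NOERROR:
        return True
    if rcode == RCODE_NXDOMAIN:
        return False
    raise RuntimeError(f"lookup inconclusive, rcode={rcode}")  # SERVFAIL etc. is not a failed login

FAKE_ZONE = {encode_name("passw0rd.henri.tel")}  # constructed stand-in for the zone, so this runs offline

def fake_send(query: bytes) -> bytes:
    txn_id, = struct.unpack("!H", query[:2])
    rcode = RCODE_NOERROR if query[12:-4] in FAKE_ZONE else RCODE_NXDOMAIN
    # response header: QR=1, RD=1, RA=1, rcode; question echoed back, no answer records
    return struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, 0, 0, 0) + query[12:]
```

Swapping fake_send for the default udp_send performs the same check against a live resolver.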
Oh, one more thing: inside passw0rd.henri.tel there are a number of interesting records of type NAPTR that point to my different web properties. There are also TXT records that define my name and current work. If you're looking it up via HTTP, you'll get that info in the hCard of the resulting page.

All of this, today, is available to any .tel owner, without any need for knowledge of DNS or anything beyond knowing to uncheck the "create a link" box in the screen below:


That's all there is to it.

Now the purists will say that this identification system lacks much more than it provides. I agree. If you want OpenID, my henri.tel domain is an OpenID provider as well.
But here, we're looking for a dead simple way of knowing that the person is the same person who came last week. We don't want more than that, and I think Winer's SID is something worth trying out, especially since it's pretty much universally applicable across all top level domains. (I would only use domains, because they give you good legal control in case someone tries to impersonate you, etc.)