Wednesday, November 5, 2008

OpenID "Friend" based Attributes

Something I have been thinking about, in line with some recent discussion on the OpenID mailing lists, is techniques to verify someone's identity and the attributes that are associated with it.

My initial thoughts come up with the following:

Reputation
In this case, the longer you use your OpenID, the more people will come to know it is associated with you. I’d be interested in how we could explicitly extend this concept to support a distributed reputation system where you can attach OpenID Reputation points which are assigned from other sites. These could even be broken down into types of reputation. The longer and more you use it, the more reputation points you have. Even sending an email that isn’t spam via Gmail or Windows Live could “increment” your reputation score (like PageRank, but for OpenID).

Friend Verification
Slightly more explicit, and an extension of the above, whereby friends can verify things you write down about yourself so that others can trust them more. For example, John says he works at Google Inc and Brian has verified this.

Central Validation
This is the Shibboleth model, and is probably needed for institutions that might verify things such as “Yes, this is definitely Dr. Livingstone”.

More thinking
However, I can't think of a reason why OpenID AX couldn't support attributes from third parties that are signed and stored with the OpenID. This way an institution could be given a user's OpenID, make statements about them, and return the signed statements/attributes, which can then be stored anywhere with that user's OpenID profile.

Someone who wants to get those attributes can easily check, via the institution's publicly available key, that these attributes have not been altered in any way.

Extending this you could have a plethora of OpenID attribute information that is both unverified and strongly verified.
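A sketch of the signed-attribute idea above, added here as an illustration and not part of the original post or of any OpenID specification. The `Statement` format, the Ed25519 signature scheme, the JSON serialisation and all identifiers and URLs are assumptions made for the example. It also checks that the statement names the OpenID presenting it, since a signature alone would still verify if the statement were copied onto another profile.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Statement is a hypothetical format: one attribute an issuer asserts about one OpenID.
type Statement struct {
	Subject, Issuer, Name, Value string // Subject is the user's OpenID identifier
}

// Signed is what gets stored with the user's profile, wherever that lives.
type Signed struct {
	Statement Statement
	Sig       []byte
}

// NewIssuerKey makes the issuer's key pair; the public half is what it publishes.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Sign serialises the statement (struct field order is fixed) and signs the bytes.
func Sign(priv ed25519.PrivateKey, s Statement) Signed {
	msg, _ := json.Marshal(s) // cannot fail for a struct of strings
	return Signed{Statement: s, Sig: ed25519.Sign(priv, msg)}
}

// Verify checks the signature with the issuer's public key and that the
// statement is about the OpenID presenting it, not copied from another profile.
func Verify(pub ed25519.PublicKey, a Signed, presentedOpenID string) bool {
	if a.Statement.Subject != presentedOpenID {
		return false
	}
	msg, _ := json.Marshal(a.Statement)
	return ed25519.Verify(pub, msg, a.Sig)
}

func main() {
	pub, priv, _ := NewIssuerKey()
	john := "https://john.example/" // constructed sample identifiers and values
	a := Sign(priv, Statement{john, "https://employer.example/", "employer", "Google Inc"})
	fmt.Println("as issued:", Verify(pub, a, john))
	a.Statement.Value = "Somewhere Else"
	fmt.Println("altered:  ", Verify(pub, a, john))
}
```

The verifier still has to obtain the issuer's public key over a channel it trusts; the signature only shows that whoever holds the matching private key made the statement.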
