Slashdot Mirror

Having signed up long ago with xns.org I was given a freebie i-name this time around.

How's a 2 letter nickname for an i-name sound? If this ever catches on for web single sign on that will save some typing no doubt!

Everyone here's bashing it but I think there's a ton of potential. Good design if you take a look at some of the documentation on http://xns.org/ http://xdi.org/ I wouldn't mind running my own agent to reply to requests.

First Read:
http://xns.org/i-names-explained.html
http://xns.org/xri-and-xdi-explained.html
http://www.xdi.org/

The premise is that you pay for a pseudo-permanent identity in cyberspace.

What else have you got? If you don't have your own domain somewhere, that can often times be taken down by your ISP "just because", what else do you have? Your email address. That's pseudo-permanant, right. Is it 50 years permanant? Maybe.

So you tell everyone your email address for a pseudo-permanant identity - great! .... wait. You've got spam! What if you have to change it?

Will that email address cost you more than $25 over 50 years? 9 times out of 10 people will spend significantly more than that to maintain an email address with any kind of permanancy. And they'll get spammed all the while because the identifier is directly tied to the delivery method. You can't tell someone who you are without giving them a direct line.

XNS is a global public database that people can go to if they want to find you, just like DNS resolves mabu.com into the IP address your server is at. Not a global public database that contains all the juicy bits, just who's got the goods. Can you imagine being tied to the same IP address for the life of your domain name???? We all want to be able to move but nobody wants the trouble of keeping every single contact you've ever had informed of your new location.

This system makes it like this: If you want to find me ask my broker. He'll get in touch with me and make sure I still want to talk with you, then either I'll tell him "sure - let him know where I'm at." OR "Thanks for trying to get in touch with me. I'll call you."

You can give your broker a whitelist. All these people (your brother, parents, some old school friends) - tell them whatever they want to know. An offwhite list (you can keep a list of individuals, any from *@alumni.school.edu, how "connected" they are or based on reputation) - feel free to give these people my email but I don't want them knowing where I live. A blacklist tells your broker never to give out any information to (=these, =people, =and.weird, =relatives, =and.old, =girlfirends) And on and on.

The global part points anybody in the world to the place where the goods are at, just like how the root DNS servers point to the "authoritative" DNS box you run on your own net. You can change things there and when people come looking you feed them whatever you want - YOU STAY IN CONTROL.

The whole broker thing... You choose a broker you can trust. Right now there is only one, 2idi.com. Not to say you couldn't start up your own. Granted you'd have to get people to trust you if you didn't want your service to fall flat on it's face, but you could do it. Maybe run one for your family or business. Thawte could do it. CACert could do it. Your bank could be your broker. Whoever you trust to handle your personal information, THEY would be your broker.

Sending $25 and your credit card and your email address to 2idi.com is not a requirement to use XNS. At this point they're the only game in town so if you want a particular =i.name, it's pretty much a race. They stick for 50 years.

More (from 2idi.com)...
Basic Terms of Use for your I-Name

* Once registered, you can use your community personal i-name as long as you adhere to this agreement and any applicable laws.
* You can keep your i-name for as long as your community maintains a relationship with an i-broker. You can also add other community or global i-names to your account that can act as synonyms for your community i-name.
* The community i-name registry is public. It does NOT contain any of y

First Read:
http://xns.org/i-names-explained.html
http://xns.org/xri-and-xdi-explained.html
http://www.xdi.org/

The premise is that you pay for a pseudo-permanent identity in cyberspace.

What else have you got? If you don't have your own domain somewhere, that can often times be taken down by your ISP "just because", what else do you have? Your email address. That's pseudo-permanant, right. Is it 50 years permanant? Maybe.

So you tell everyone your email address for a pseudo-permanant identity - great! .... wait. You've got spam! What if you have to change it?

Will that email address cost you more than $25 over 50 years? 9 times out of 10 people will spend significantly more than that to maintain an email address with any kind of permanancy. And they'll get spammed all the while because the identifier is directly tied to the delivery method. You can't tell someone who you are without giving them a direct line.

XNS is a global public database that people can go to if they want to find you, just like DNS resolves mabu.com into the IP address your server is at. Not a global public database that contains all the juicy bits, just who's got the goods. Can you imagine being tied to the same IP address for the life of your domain name???? We all want to be able to move but nobody wants the trouble of keeping every single contact you've ever had informed of your new location.

This system makes it like this: If you want to find me ask my broker. He'll get in touch with me and make sure I still want to talk with you, then either I'll tell him "sure - let him know where I'm at." OR "Thanks for trying to get in touch with me. I'll call you."

You can give your broker a whitelist. All these people (your brother, parents, some old school friends) - tell them whatever they want to know. An offwhite list (you can keep a list of individuals, any from *@alumni.school.edu, how "connected" they are or based on reputation) - feel free to give these people my email but I don't want them knowing where I live. A blacklist tells your broker never to give out any information to (=these, =people, =and.weird, =relatives, =and.old, =girlfirends) And on and on.

The global part points anybody in the world to the place where the goods are at, just like how the root DNS servers point to the "authoritative" DNS box you run on your own net. You can change things there and when people come looking you feed them whatever you want - YOU STAY IN CONTROL.

The whole broker thing... You choose a broker you can trust. Right now there is only one, 2idi.com. Not to say you couldn't start up your own. Granted you'd have to get people to trust you if you didn't want your service to fall flat on it's face, but you could do it. Maybe run one for your family or business. Thawte could do it. CACert could do it. Your bank could be your broker. Whoever you trust to handle your personal information, THEY would be your broker.

Sending $25 and your credit card and your email address to 2idi.com is not a requirement to use XNS. At this point they're the only game in town so if you want a particular =i.name, it's pretty much a race. They stick for 50 years.

More (from 2idi.com)...
Basic Terms of Use for your I-Name

* Once registered, you can use your community personal i-name as long as you adhere to this agreement and any applicable laws.
* You can keep your i-name for as long as your community maintains a relationship with an i-broker. You can also add other community or global i-names to your account that can act as synonyms for your community i-name.
* The community i-name registry is public. It does NOT contain any of y

Something like XNS. Imagine if every connection to your computer (on any port and for any reason) was automatically involve an exchange of terms and conditions. Imagine, a spammer wants to send you an email, first he or she would have to agree to the terms of your computers automatic policy of accepting unsolicited commercial email. You could make your policy require a payment from the sender of $10 (for example). Any spammer who does not accept your terms is automatically rejected. If the spammer makes the connection and agrees to your terms but then renegs on them, you now how a documented route to go after them in court.

And in what may be a coincidence, XNS (eXtensible Naming Service) released their specs this week also. Under their system you have a master set of data and then a number of ecards with subsets of that data. You might have a business ecard for colleagues and business associates, a personal ecard for friends and family, and so on. The system keeps track of which ecards you gave to which people so if you move or change data, the other people's ecards get updated.

I don't think it's really a contender, but try xns.org. The original aim seemed to be more or less what you describe, but they seem to have diluted it a bit since then.

I think XNS would be a much better choice, since it isn't controlled by one company like Microsoft. With XNS, you have full control over what information you provide.

This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

AOL (who happen to be quite big ;) have their own login / account system which they are doing alongside a few other big names (perhaps Sun?).

The name is Liberty Alliance, so make a note of that.

This has been mentioned on the XNS mailing list. Have a look at XNS - they are doing a single login / identity management technology.

(BTW, in case you missed it - AOL has been paying for developers to work on the world's greatest browser to replace IE in AOL's software.)

There seems to be a feeling that big movements at XNS could occur in the many weeks/few months time frame which is not that long, but since we have just passed the one year anniversary of OneName's and XNSorg's rollout of the XNS implementation of the single-signon/universal name/self-updating ecards, and there has been little further movement visible from outside - people are starting to get frustrated.

I think that there is a real worry that while XNS was one of the first boats to leave the dock, one of the less-open boats could well make it out of the harbour before them.

I am hoping that it will turn out that one of these industry groups like the "Liberty Alliance Project" will be using XNS technology as their underlying foundation and that the open specs and open source implementations will win the day, but it is frustrating to not hear much new information from XNSorg.

a distributed lookup service which could hold information defined by schemas written in XML. The first application was/is personal info. It's been around for a couple years, and has a public trust organization defining the community, hopefully alleviating people's worries of one company taking over. So what's happened to it? I guess it doesn't have the backing of sun or ms :)

the underlying software will be open source, although I don't think most of it is written yet. The only current implementation of the server is done by the closed source company who's idea this all was, onename.

And for those of you mac old-timers, the head of the public trust organization is Adam Engst!

a distributed lookup service which could hold information defined by schemas written in XML. The first application was/is personal info. It's been around for a couple years, and has a public trust organization defining the community, hopefully alleviating people's worries of one company taking over. So what's happened to it? I guess it doesn't have the backing of sun or ms :)

the underlying software will be open source, although I don't think most of it is written yet. The only current implementation of the server is done by the closed source company who's idea this all was, onename.

And for those of you mac old-timers, the head of the public trust organization is Adam Engst!

From the FAQ:
This contract specifies the privacy and security terms governing the data to be exchanged, including the specific privacy permissions and synchronization permissions granted by the data owner.

From the FAQ:
This contract specifies the privacy and security terms governing the data to be exchanged, including the specific privacy permissions and synchronization permissions granted by the data owner.

Having to carry all that information with you (maybe in a PDA or something?) if you want access to it is an additional burden.

Perhaps having an open standard for exchange of this type of information such as done by http://xns.org/, would allow multiple competing agencies to act as costodians. Give people choice and perhaps some of the control and privacy (and cost) issues would be less pressing than if all data was held by a single player such as Microsoft.

The article by Michael McCandless (stupid PDF file!) addresses some of the issues that XNS tries to address - albeit with the idea of the personal information residing on your network connected home computer rather than on an XNS-server run by some company that you decide to trust.

Now if XNS would get around to releasing their open source code examples and the detail technical specifications perhaps there could be more motion to widespread adoption. They claim plans to do so "real soon now".

With that said, XNS's ecard address book features are pretty nifty even at this early development stage.

XNS (extensible name service) already addresses some of this. See their webpage for general information, or this page for a nutshell description

XNS (extensible name service) already addresses some of this. See their webpage for general information, or this page for a nutshell description

The article does a good job of articulating specific issues with the Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS or other open source single signon systems. However, I believe they are missing an important piece.

This is important because users tend to pick poor (guessable) user names and passwords ...

Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article that discussed how the average person tends to do a poor job of picking a secure password.

Fundamentally, Microsoft's passport or any other single signon system is as weak as their weakest link. Which, in many, cases appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

Why bother writing an OSS version of .Net?

The same was said about Java: "We already write e-commerce apps in Perl. Why should we bother to learn something new and support Sun's closed effort?" It's just one more tool on your belt, and if it proves to be a useful tool, people will use it.

The danger -- which I think neither article presented clearly -- is that .NET will grow in popularity with most websites using Passport for authentication since it will be available and supported by Microsoft. Once a critical mass of consumers and companies are all using Passport, switching to something else will be difficult.

If the OSS community doesn't create an alternative to Passport that is entirely interoperable, then Microsoft will have created their own Internet Sales Tax. Petreley's worry is that by creating our own .NET without our own Passport, we will help Microsoft lock-in the consumers to Passport.

My worry is that Microsoft will not make the Passport API public. They'll say, "Sure, write your own .NET to the spec and support us, but you can't implement an interoperable authentication service." If that happens, you can bet Ebay isn't going to want to write two authenticationo access schemes.

It needs to be as simple as having an email address: user@auth.foo.com. Knowing only your address, I can send you email.* I don't have to ask if you're using Outlook or PINE before sending a message. Compare that to instant messaging: AIM, ICQ, MSN, and Jabber. They all provide the same core set of services, but each with their own API, so I have to deal with more software and protocols.

If other companies and OSS are able to code to the same authentication API that Microsoft is developing in Passport and Hailstorm, then I'm happy. However, Microsoft has a history of sharing halfway (shared source is the latest example).

* The downside -- easily addressable when creating a new system -- is that advertisers can send email to random addresses with the receiver bearing the cost. A good security model could block this possibility. XNS is a good start.

Peace PatientZero

As far as I know anyone can set up a Passport server. There's also an alternative technology already, and it looks very nice IMHO. I'm not sure what the author of that article espects of Ximian, should they spoof the Microsoft passport server perhaps?

About Mono itself, I honestly just don't see what's wrong with creating technology. We (well, not I :D) have made Wine, Word-compatible word processors and ActiveX support for Konqueror and Mozilla (the latter is for-pay though), and this has done nothing than benifit us. Supporting a technology isn't going to do any harm to us, not supporting something could be desastrous OTOH.

We need to make a system of decentralized authentication. So a user can put in "bob@bob.com" and the auth system will look up authentication information by looking up the authentication host for bob.com. This will create a system in which people can use familier email addresses for ID's. This is a very simplified explanation, but I think people understand the basic idea. I *thought* that Ximian would try to do the same thing, but apparently not!

I worked at a company whose goal was to create a system like this. For now, check out www.openprivacy.org or www.xns.org! We need to create a system that competes with Passport! It's crucially important!

Once an open system like this is created then people can realize the examples in the Hailstorm white paper (e.g. automated travel reservation, etc) using a completely open and standard system. People could still make money by building applications that use this platform. For exmaple:

Automatically schedule a movie with 5 friends on Friday and send an electronic ticket to your cell phone once everyone agrees on a time.

What other viable, non-vapor authentication alternatives are there that would offer the same seemless convenience, and that don't need "monopoly leverage" to reach critical mass? Not many-XNS might have a slim chance.

Gatekeepers and keymasters...

Agreed. Let's use some of the emotion that the "All your credit cards are belong to Bill" MS Passport ploy is bringing out to good effect. Winer is a high profile guy to bring this to mainstream attention, and will undoubtedly contribute ideas too.

Also, please understand that the discussion and design issues around such a system have been maturing for quite some time (at least a year in public, and some small number of years prior to that privately) over at xns.org. How does a legally enforcable privacy contract between yourself and any entity wishing to use your data stored on the XNS server strike you? Put contract law on your side, for once.

Don't read Dave's proposal without also giving XNS-org's a twirl as well. They seem to have thought out most of the obvious and many of the less obvious problems.

Dave suggests that he's got XNS on his radar, so he might have some of this in his head, but not yet on paper...

I think that this already exists - have a look at xns.org

Graham

Fortunately there's an alternative provided by IBM and put under a non-profit organisation. I'm hoping this will get big.

Personally, I think that the open source, non-profit, privacy contract system, put together by http://xns.org/ is the way to go.

Check out www.onename.com and www.xns.org for the solution to spam. I've posted this comment many times, and most people don't seem to see it as it's usually on a topic not visible from the main slashdot page (nice design there, Slashdot).

I've also had it rejected as a Slashdot topic. I guess only articles COMPLAINING about spam, as opposed to SOLVING IT get posted.

I'm no longer really in the mood to write up a complete explanation of how it's going to work, but trust me (I used to work for the company), the end of spam is nigh.

What you described sounds a lot like XNS. The software is all open source, although commericial service providers are needed to make it go. One of the service providers owns the key patents, but they have committed to royalty free use for their competitors.