Aaron Parecki

  • @goto https://twitter.com/samuelgoto   •   Oct 7
    Ok, I did look into this more carefully and I remember running into this earlier.

    How does this relate to OIDC? Is it fair to characterize it as an alternative to it that operates on the same level/layer (e.g. both are extensions to oauth?)?
    Aaron Parecki
    There are definitely some similarities since they are both adding an identity layer on top of OAuth. IndieAuth is a much smaller surface area tho and does less stuff. Some more details here: https://indieweb.org/How_is_IndieAuth_different_from_OpenID_Connect
    Portland, Oregon • 48°F
    Thu, Oct 7, 2021 9:20pm -07:00
    23 replies
    • @goto twitter.com/samuelgoto
      Right, the time frames / shelf life seem to matter. FWIW, random numbers (as directed identifiers) should work equally well here.
      Fri, Oct 8, 2021 5:14am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Maybe, but at the end of the day I would assume any crypto will eventually be broken, so it's a game of picking good enough algorithms to avoid correlation in a timeframe that would be a problem.
      Fri, Oct 8, 2021 5:10am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      Hm ok. I'm literally quoting your doc. If the doc is incorrect and/or now dated, just let me know.
      Fri, Oct 8, 2021 4:58am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      I'm going to stop replying on this thread.
      Fri, Oct 8, 2021 4:55am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      Ah that's indeed a reasonable distinction. Still seems like solvable? Like Signal that uses a master identifier and then ephemeral (yet stable) ones?
      Fri, Oct 8, 2021 4:54am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      "The first principle can be solved by the user agent insisting on a progressive disclosure of identification, starting with the minimal disclosure for the most constrained use (e.g. a directed identifier that is recoverable between devices)" 🤔
      Fri, Oct 8, 2021 4:48am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      But there's a big difference in relying on a specific hash function for something that won't matter a day from now (validating an ID token) vs something that can be correlated years later (hashed identifiers in logs)
      Fri, Oct 8, 2021 4:47am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      Sure. I'm sure one could find a hashing function that would age well (I'm making an assumption :) but a lot of stuff breaks if one doesn't :)).
      Fri, Oct 8, 2021 4:45am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Relying on sha256 as the end of the story seems like a thing that also won't age well. It's only a matter of time until we see sha256 the way we see md5 today.
      Fri, Oct 8, 2021 4:44am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      Was enforcing any part of this discussion?
      Fri, Oct 8, 2021 4:42am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      I actually thought I had already joined, but I haven't yet actually joined a meeting. It's a lot to keep up on with all the other spec work I'm in the middle of 😅
      Fri, Oct 8, 2021 4:42am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      That was fast @aaronpk. Welcome :)
      Fri, Oct 8, 2021 4:40am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      The user is actively choosing to provide an identifier they know. It's not unsanctioned tracking. RE: Firefox, hinting is not the same as enforcing or intercepting.
      Fri, Oct 8, 2021 4:40am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      Does the trick for preventing tracking. Browsers (Firefox?) do that on input boxes type=email in autocomplete.
      Fri, Oct 8, 2021 4:37am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      Does the trick for what? Browsers are not an active party in identity flows.
      Fri, Oct 8, 2021 4:35am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      A directed identifier is still a stable identifier for a user. If an RP wants to revert it, it is looking into correlating the user with another RP.
      Fri, Oct 8, 2021 4:35am +00:00 (via brid.gy)
    • tim cappalli twitter.com/timcappalli
      Aaron, please join the W3C Federated ID community group so we can discuss these use cases
      Fri, Oct 8, 2021 4:34am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      LMK if you run into a good formulation. FWIW email may be a good analogy and source of inspiration. In browser land, SHA256(user + RP)@idp.example does the trick.
      Fri, Oct 8, 2021 4:33am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      I'm actually really interested in this particular problem right now since Sign In with Apple is probably the biggest example of differing IDs per RP yet the first thing the RPs want to do is resolve that back to an identifiable user.
      Fri, Oct 8, 2021 4:32am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Oh yeah, that's intentional. It'd be interesting to explore what it could look like otherwise tho.
      Fri, Oct 8, 2021 4:27am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      No, in the sense are these designed such that two different RPs get the same global identifier for the same user?
      Fri, Oct 8, 2021 4:25am +00:00 (via brid.gy)
    • Aaron Parecki twitter.com/aaronpk
      Do you mean when there's a viable replacement for DNS? We can cross that bridge when we come to it.
      Fri, Oct 8, 2021 4:24am +00:00 (via brid.gy)
    • @goto twitter.com/samuelgoto
      "Because these URLs rely on the public web and DNS, they are guaranteed to be globally unique." -- ugh, is this a feature or a bug? I feel like this isn't going to age well :(
      Fri, Oct 8, 2021 4:22am +00:00 (via brid.gy)
Posted in /replies using monocle.p3k.io

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.