MicroID
MicroID is a decentralized identity protocol. It was originally developed in 2005 by Jeremie Miller (http://microid.org). A MicroID is a simple identifier comprising a hashed communication/identity URI (e.g. email, OpenID, and/or Yadis) and claimed URL. Together, the two elements create a hash that can be claimed by third party services.

Ben Laurie demonstrated privacy problems with it in 2006, as did Chris Erway in a Brown CS Technical Report in 2008.

MicroID Exchange

Here is an example of a MicroID hash, in pseudocode:

MicroID = sha1( sha1("mailto:user@example.com") + sha1("http://example.net/") );

The computed MicroID would then be placed on a web page to be claimed. A verifier, which would independently generate the MicroID, would then visit the page to see if the generated MicroID is the same as the MicroID on the page. If they are the same, a claim exists.

MicroID is based on a communication URI. Since both the MicroID provider and verifier can verify the communication URI, a proper MicroID implementation allows for trusted identity claims.

Security Limitations

A MicroID is essentially a content URI signed with an email address or other attribution. Since
the content URI is known for comparison purposes, a MicroID claim can be forged by anybody who
knows the communication URI (e.g. email address) associated with the identity.

In particular, since a verifier must generate the MicroID in order to compare it, it follows
that any party who is trusted to verify a user's MicroID must also be trusted to generate new
authorship claims with it.

So if you can verify - you can forge.

In other words, anyone (e.g. Alice) who can verify someone else's (e.g. Bob's) MicroID on a resource 'X' can also generate (spoof) a MicroID on any other document (e.g. Alice can generate a valid MicroID for a document Y, not equal to X, in Bob's name).

Assuming the identity is not known (e.g. the publisher (1) has chosen to remain anonymous and (2) denies others the ability to verify the MicroID claim until a time in the future when he or she reveals his or her identity), someone with email addresses can perform a trivial dictionary attack to find ownership of resources (http://www.links.org/?p=85), and someone with a URI can perform a trivial dictionary attack to find an email address (http://yro.slashdot.org/yro/08/08/28/2241238.shtml).

So the (only) remaining use case is where an entity generates a strong cryptographic nonce (e.g. a UUID), uses it to publish documents over time, and at some time in the future reveals the UUID to prove that he or she wrote those documents (and accepts that from that point forward anyone can make any claims on his or her behalf).

Privacy Limitations

As explained above, a MicroID is a hash made from a public URI and a semi-public email address. Those who know both can verify the identity claim on a page. The hashing helps to hide the semi-public email address from people who should not know it, in particular spammers.

However, research on popular social websites such as Last.fm, Digg and ClaimID shows that a brute force attack can recover the email address in 20% to 25% of the cases.

The brute force attack guesses email addresses derived from the public user name and other information available on the social websites, and thus only checks a dozen or so candidate addresses per MicroID. Despite this, the study showed a simple attack like this one could still be successful one quarter of the time while spending a fraction of a second to check all candidates for each user. The hashing scheme thus does not guarantee the privacy of the email address.
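The following added example (not part of the original article or of any MicroID implementation) illustrates both the Security Limitations and Privacy Limitations sections: verification is the same computation as generation, and a published MicroID can be audited for whether a guessable address reproduces it. It assumes each sha1() in the pseudocode yields a lowercase hex digest; the function names, addresses and URLs are constructed for illustration.

```python
import hashlib


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(comm_uri: str, claimed_url: str) -> str:
    # The page's pseudocode; hex-digest concatenation is an assumption.
    return sha1_hex(sha1_hex(comm_uri) + sha1_hex(claimed_url))


def verify(published: str, comm_uri: str, claimed_url: str) -> bool:
    # Verification is regeneration plus comparison: no secret is involved.
    return published == microid(comm_uri, claimed_url)


def guessable_candidates(username: str, domains):
    """Addresses derivable from a public user name (constructed rule)."""
    return [f"mailto:{username}@{d}" for d in domains]


def exposed_address(published: str, claimed_url: str, candidates):
    """Return the candidate that reproduces `published`, or None."""
    for comm_uri in candidates:
        if verify(published, comm_uri, claimed_url):
            return comm_uri
    return None


# Constructed sample data, not taken from any real service.
BOB = "mailto:bob@example.com"
PAGE_X = "http://example.net/bob/"
PAGE_Y = "http://example.net/not-bobs-page/"
DOMAINS = ["example.org", "example.com"]


def demo():
    published_x = microid(BOB, PAGE_X)        # what Bob's provider publishes on X
    # A party that verified X holds everything needed to compute a value for Y.
    claim_y = microid(BOB, PAGE_Y)
    forged_ok = verify(claim_y, BOB, PAGE_Y)  # indistinguishable from a real claim
    leaked = exposed_address(published_x, PAGE_X,
                             guessable_candidates("bob", DOMAINS))
    return forged_ok, leaked
```

An address that is not derivable from public profile data makes `exposed_address` return None for that candidate list, which is the only protection the hash offers.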

Architecture of a MicroID Claim

An example of a successful MicroID claim is as follows:
  1. A user signs up for a web service. That web service verifies the user's email, and creates public web pages for the user that contain a MicroID. That MicroID comprises the hashed email (communication URI) and the URL of the webpage.
  2. The user then signs up for a verifier service. The service also verifies the user's email.
  3. The user inputs the URL of the page she wishes to claim into the verifier service. The verifier service computes the MicroID and attempts to verify the MicroID in the claimed page.
  4. If the MicroID in the claimed page is the same as the one computed by the verifier service, a claim exists. The verifier will then claim ownership of the page.
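A sketch of steps 3 and 4 from the verifier's side, as an added example that is not the code of any provider or verifier named in this article. The `<meta name="microid">` markup, the bare hex hash as its content, and the sample page are assumptions, since the article does not give the exact markup; fetching the page over the network is left out and the HTML is constructed inline.

```python
import hashlib
from html.parser import HTMLParser


def microid(comm_uri: str, claimed_url: str) -> str:
    # The article's pseudocode, with each sha1() taken as a hex digest (assumption).
    h = lambda s: hashlib.sha1(s.encode("utf-8")).hexdigest()
    return h(h(comm_uri) + h(claimed_url))


class MicroIDExtractor(HTMLParser):
    """Collects the content of every <meta name="microid"> tag (assumed markup)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        if tag == "meta" and name == "microid" and a.get("content"):
            self.found.append(a["content"].strip().lower())


def verify_claim(verified_email: str, claimed_url: str, page_html: str) -> bool:
    """Recompute the MicroID from the verified email and look for it in the page."""
    parser = MicroIDExtractor()
    parser.feed(page_html)
    expected = microid("mailto:" + verified_email, claimed_url)
    return expected in parser.found


# Constructed page, as the provider in step 1 might serve it.
URL = "http://example.net/alice/"
PAGE = (
    '<html><head><meta name="microid" content="%s"/></head>'
    "<body>Alice's page</body></html>" % microid("mailto:alice@example.com", URL)
)

if __name__ == "__main__":
    print(verify_claim("alice@example.com", URL, PAGE))      # matching claim
    print(verify_claim("mallory@example.com", URL, PAGE))    # different email
    print(verify_claim("alice@example.com", URL.rstrip("/"), PAGE))  # URL not byte-identical
```

The claimed URL is hashed as an exact string, so the provider and the verifier must agree on its form (trailing slash, scheme, case) or a genuine claim fails to verify.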

MicroID and the DOM

MicroID allows for the claiming of semantic HTML elements. For example, a MicroID inserted in a block-level element will constitute an ownership claim of anything in the element. A MicroID inserted in the header of a page will constitute an ownership claim of the page. Claims are only verifiable at the granularity of URIs.

Known MicroID providers

The following web services provide MicroIDs to their users:
  • ClaimID
  • Filmweb
  • Identi.ca
  • Ma.gnolia
  • Wikitravel
  • Chi.mp
  • Huffduffer

Known MicroID verifiers

The following web services verify MicroID claims:
  • ClaimID
  • Wink


MicroID Resources

  • http://microid.org - MicroID homepage
  • http://microid.org/blog - MicroID blog
  • http://lists.ibiblio.org/mailman/listinfo/microid - MicroID mailing list
  • http://microid.org/code/ - MicroID Open source code

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 