Equivalent OpenIDs

I’ve been having a big dilemma whenever I use an openid. Which do I pick from the 8 that could be me? Talking to Joseph Smarr at the Mozilla labs meetup we stumbled upon a solution. rel-me.

I should register on any site with an openid that supports at least 1 rel-me link. Most sites where you can set your “homepage” will add the attribute rel="me" on the link. That basically says that “I am also over there”. If you can only link to one homepage, just make sure that from that homepage you can link out to other things you own on the internet. If you can put multiple rel="me" links, then just list everything you own. I link to my friendfeed.com/ptarjan which has rel="me" links to all my other “stuff”.

Then when I log into any openid provider they should check the social graph to see if the openid I just used is equivalent to any other one. Google made a simple API to query the graph. This has one problem in that they crawl the graph recursivly on outbound links. Meaning they are trying to start at a webpage and find other things from there. That doesn’t stop me from saying that twitter.com/cnn is me. For identity you want to crawl the graph backwards. Similar as to how PageRank only trusts inbound links.

I made a YQL execute file (raw code) that will compute which URIs trust a given URI.

For example, if I log in with

http://paulisageek.com

then the website that I logged in to should make the YQL call

USE 'http://paulisageek.com/yql-tables/socialgraph/socialgraph.trustsme.xml'; SELECT * FROM socialgraph.trustsme WHERE q='http://paulisageek.com'

which returns something like

<query>
    <results>
        <result>
            <trustsme>http://www.paulisageek.com/</trustsme>
            <trustsme>http://www.linkedin.com/pub/dir/paul/tarjan</trustsme>
            <trustsme>http://stackoverflow.com/users/90025/ptarjan</trustsme>
            <trustsme>http://www.mybloglog.com/buzz/members/ptarjan/</trustsme>
            <trustsme>http://digg.com/users/paralax/</trustsme>
            <trustsme>http://www.google.com/profiles/114701835473476527933</trustsme>
            <trustsme>http://www.flickr.com/photos/ptarjan/</trustsme>
            <trustsme>http://www.linkedin.com/in/paultarjan</trustsme>
            <trustsme>http://twitter.com/ptarjan</trustsme>
            <trustsme>http://github.com/ptarjan</trustsme>
            <trustsme>http://www.hulu.com/profiles/ptarjan</trustsme>
            <trustsme>http://stackoverflow.com/users/90025/paul-tarjan</trustsme>
            <trustsme>http://friendfeed.com/ptarjan</trustsme>
            <trustsme>http://www.google.com/profiles/ptarjan</trustsme>
            <trustsme>http://www.flickr.com/photos/78332988@N00/</trustsme>
            <trustsme>sgn://twitter.com/?pk=14757201</trustsme>
        </result>
    </results>
</query>

and then walk down that list starting at the top, looking at all their user accounts to see if any matches. The first match is the account they should be logged into.

Every one of these trust relationships is explicitly put there by the user by a link with rel="me" so it can be trusted just as much as the original openid provider. For example, if there is a link on http://twitter.com/ptarjan with rel="me" to http://paulisageek.com, my twitter account is giving permission to paulisageek to modify any account it owns. If my twitter account were to be hacked to point to another place with rel="me", that is equivalent to the openid login for that URI to be hacked as well. All sites that I am aware of use the same credentials to edit the rel="me" link as for the openid identity login. With this assumption, the trust relationship is valid.

In conclusion, every site that is using openid, should check inbound rel="me" links to the openid URI. Using the socialgraph API I created a helper REST API that can be used to take any URI and find other URIs that trust it.

Posted on 28 June 2009 by Paul Tarjan

If you liked this, you might also like...