Anonymous asked:

since you are on a roll today. i find passwords terrible for pretty much the same reasons you do. BUT i am also a huge fan of fragmented identity, both for security and for social reasons, and every time i've heard people throw around solution-models for id over web they've hinged on some form of federated identity. i know you have a lot of opinions about id/auth; do you think it has to be this way? if not, are there good reasons for preferring federation that i've just missed somehow?

i am a fan of

BOTH

i can’t believe i have to use this as an example, but consider bitcoin wallets: you can have any number of addresses for the same wallet, and there’s no way to tell that they all belong to you.  (except for examining behavior, but that’s always a possibility.)

similarly i can spit out as many SSH key pairs as i want, and the only thing they have in common is that i have all the private keys in the same directory

hell even tumblr kinda works like this

i would like to see federated identity with the same sort of behavior: i have a single identity, but i can fragment it in arbitrary ways that can’t be obviously traced back to me

i would really like web identity to be powered cryptographically in general, though i’m no cryptographer myself so hell if i know how it would look.  but consider some things

  • generating unique keys for your credit card that are revoked after a single use (for single purchases) or can be revoked at any time (for anywhere you’d like to save your card info), so a data breach doesn’t mean you have to fuck around rearranging your entire financial life
  • keys provided by banks and schools and government agencies as partial real-world identity validation, so you can sign documents and open bank accounts without having to scan your signature or fill in trivia about how much money you have
  • anonymous keys provided by banks and schools and government agencies, so tightwads like google+ can require you to prove that you exist and only have one account, without actually knowing who you are
  • and of course the obvious benefits of federation like signing into some website (no registration required) and automatically having your friends and whatever show up

we’re having enough trouble getting plain federation to work though so i doubt we’ll see anything like this anytime soon

though, fwiw, mozilla persona will merrily let you sign into multiple federated accounts at once, and then just ask which one you want to use when you sign into a particular site

hmm i wonder if ultimately it’ll be easier to switch accounts with systems like this too

  1. lexyeevee posted this