MicroID


MicroID is a decentralized identity protocol. It was originally developed in 2005 by Jeremie Miller.[1] A MicroID is a simple identifier derived from a hashed communication/identity URI (e.g. an email address, an OpenID or a Yadis identifier) and a claimed URL. Hashing the two elements together yields a value that third-party services can check to decide whether the identity claims the URL.

Ben Laurie demonstrated privacy problems with it in 2006, as did Chris Erway in a Brown CS Technical Report in 2008.

Here is an example of a MicroID hash, in pseudocode:

The computed MicroID is then placed on the web page to be claimed. A verifier independently generates the MicroID from the same two inputs, visits the page, and checks whether the value it generated matches the value published there. If the two are the same, a claim exists.
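The generate-and-verify round trip described above, as an added example rather than code from the page or from the MicroID project. The exact hash construction (SHA-1 over the concatenated hex SHA-1 digests of the two URIs) and the `mailto+http:sha1:` prefix in the meta tag are assumptions taken from the MicroID 1.0 specification, which the page does not reproduce; the identity URIs, URLs and sample page are constructed.

```python
import hashlib
import re


def microid(identity_uri, claimed_url):
    """Compute a MicroID for an identity URI and a claimed URL.

    Construction assumed from the MicroID 1.0 specification (not shown on the
    page): the lowercase hex SHA-1 digests of the two URIs are concatenated
    and that string is hashed again with SHA-1. Nothing in the inputs is secret.
    """
    inner = (hashlib.sha1(identity_uri.encode("utf-8")).hexdigest()
             + hashlib.sha1(claimed_url.encode("utf-8")).hexdigest())
    return hashlib.sha1(inner.encode("ascii")).hexdigest()


def microid_meta_tag(identity_uri, claimed_url):
    """Render the <meta> element used to publish a claim on the claimed page.

    The content value is prefixed with the two URI schemes and the hash
    algorithm, e.g. "mailto+http:sha1:<hex>" (MicroID 1.0 form, assumed).
    """
    id_scheme = identity_uri.split(":", 1)[0]
    url_scheme = claimed_url.split(":", 1)[0]
    value = microid(identity_uri, claimed_url)
    return '<meta name="microid" content="%s+%s:sha1:%s" />' % (id_scheme, url_scheme, value)


# Accept both the prefixed form and a bare 40-hex-digit value.
_META_RE = re.compile(
    r'<meta\s+name="microid"\s+content="(?:[^":]+:)?(?:sha1:)?([0-9a-fA-F]{40})"')


def published_microids(html):
    """Return every MicroID value found in the page's <meta name="microid"> tags."""
    return [h.lower() for h in _META_RE.findall(html)]


def verify_claim(html, identity_uri, claimed_url):
    """Verifier side: recompute the MicroID from the identity URI it has already
    confirmed (e.g. by emailing it) and the URL it fetched, then look for that
    value among the MicroIDs published on the page. A match means a claim exists.
    """
    expected = microid(identity_uri, claimed_url)
    return expected in published_microids(html)


# Constructed sample: the page at CLAIMED_URL carries a MicroID published by
# AUTHOR, plus a second, unrelated MicroID for another identity.
AUTHOR = "mailto:user@example.com"
CLAIMED_URL = "http://example.net/"
OTHER = "http://openid.example.org/someone-else"

SAMPLE_PAGE = """<html><head>
<title>A claimed page</title>
%s
%s
</head><body>content</body></html>""" % (
    microid_meta_tag(AUTHOR, CLAIMED_URL),
    microid_meta_tag(OTHER, CLAIMED_URL),
)

if __name__ == "__main__":
    print(microid_meta_tag(AUTHOR, CLAIMED_URL))
    print("claim by AUTHOR:", verify_claim(SAMPLE_PAGE, AUTHOR, CLAIMED_URL))
    print("claim by a stranger:",
          verify_claim(SAMPLE_PAGE, "mailto:stranger@example.com", CLAIMED_URL))
```

The verifier needs nothing beyond the two public inputs, which is exactly the property the rest of the page turns into an attack: the same function that checks a claim also produces one.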

MicroID is based on a communication URI. Since both the MicroID provider and the verifier can confirm control of the communication URI (for example by sending a confirmation message to it), a proper MicroID implementation allows for trusted identity claims.

A MicroID is essentially a content URI "signed" with an email address or other attribution, but the signing operation is only a hash of two public inputs. Since the content URI is known to anyone who wants to make the comparison, a MicroID claim can be forged by anybody who knows the communication URI (e.g. the email address) associated with the identity.

In particular, since a verifier must generate the MicroID in order to compare it, any party trusted to verify a user's MicroID is also able to generate new authorship claims in that user's name.

In short: if you can verify, you can forge.

Or, in other words, anyone (say, Alice) who can verify someone else's (say, Bob's) MicroID on a resource X can also generate (spoof) a MicroID in Bob's name on any other document: Alice can produce a valid MicroID for a document Y, different from X, that attributes Y to Bob.

Even when the identity is not disclosed (e.g. the publisher has 1) chosen to remain anonymous and 2) denied others the ability to verify the MicroID claim until some future time when he or she reveals the identity), the hash still sits on the page and its only unknown input is an email address. Someone holding a list of email addresses can therefore perform a trivial dictionary attack to find which resources each address owns,[2] and someone holding a resource URI can perform a trivial dictionary attack to recover the email address behind its MicroID.[3]
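The forgery and the two dictionary attacks above, as an added example that is not code from the page or the MicroID project. The hash construction is the same assumption as before (MicroID 1.0: SHA-1 over the concatenated hex SHA-1 digests of the two URIs); Bob, Alice, the candidate email list and the harvested pages are constructed.

```python
import hashlib


def microid(identity_uri, claimed_url):
    """Same construction as assumed earlier (MicroID 1.0, not shown on the page):
    SHA-1 over the concatenated hex SHA-1 digests of the two URIs."""
    inner = (hashlib.sha1(identity_uri.encode("utf-8")).hexdigest()
             + hashlib.sha1(claimed_url.encode("utf-8")).hexdigest())
    return hashlib.sha1(inner.encode("ascii")).hexdigest()


def verify(published_value, identity_uri, url):
    """What a verifier does: recompute and compare."""
    return published_value == microid(identity_uri, url)


def forge(identity_uri, url):
    """What a verifier can therefore also do. The 'forgery' is the very same
    computation, so anyone holding the identity URI can attribute any URL to it."""
    return microid(identity_uri, url)


# --- Constructed scenario: verify implies forge ---------------------------
BOB = "mailto:bob@example.com"
X = "http://example.net/bobs-post"      # Bob really published a MicroID here
Y = "http://example.org/not-by-bob"     # Bob never touched this page

# Alice verified Bob's claim on X, so she knows BOB; she can now "sign" Y as Bob.
forged_on_y = forge(BOB, Y)

# --- Constructed scenario: dictionary attacks on an "anonymous" publisher --
# A publisher who withholds the email still leaves the hash on the page, and
# an email address is a cheap thing to enumerate.
CANDIDATE_EMAILS = ["mailto:%s@example.com" % n
                    for n in ("alice", "bob", "carol", "dave", "erin", "frank")]

# MicroIDs scraped from several pages. Page Z was published by someone outside
# the candidate list, so it should stay unattributed.
Z = "http://example.net/by-an-outsider"
CAROL_PAGE = "http://example.net/carols-page"
HARVESTED = {
    X: [microid(BOB, X)],
    CAROL_PAGE: [microid("mailto:carol@example.com", CAROL_PAGE)],
    Z: [microid("mailto:nobody@elsewhere.example", Z)],
}


def attribute_pages(harvested, candidate_emails):
    """First attack: given email addresses and MicroIDs harvested from pages,
    find which resources each address claims. Returns {url: email}."""
    owners = {}
    for url, values in harvested.items():
        for email in candidate_emails:
            if microid(email, url) in values:
                owners[url] = email
    return owners


def recover_email(published_value, url, candidate_emails):
    """Second attack: given a page URL and the MicroID found on it, recover the
    email behind it by trying candidates. Returns None if nothing matches."""
    for email in candidate_emails:
        if microid(email, url) == published_value:
            return email
    return None


if __name__ == "__main__":
    print("forged MicroID on Y verifies as Bob:", verify(forged_on_y, BOB, Y))
    print("page owners:", attribute_pages(HARVESTED, CANDIDATE_EMAILS))
    print("email behind X:", recover_email(microid(BOB, X), X, CANDIDATE_EMAILS))
```

Both attacks cost one SHA-1 triple per guess, so a few hundred thousand candidate addresses (every plausible name at a company domain, or a leaked address list) are enumerated in seconds; withholding the email address buys the publisher essentially nothing.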


Wikipedia