Phil Windley has some interesting pointers on URLs as identities over in this post. This isn’t the first time I’ve heard of this, and I expect it won’t be the last. While I think the idea is good, and I hope to see it continue to grow, I am concerned that I don’t readily see a consensus on how to handle URLs changing hands over time.
Certificates have CRLs and expiration dates. You have to get new ones, and no one else can get your old certificate.
I, like many of you, have purchased several domain names over time. Some I held for a time and have let go. How can you assert who owned a URL at a point in time in the past? For example, this comment will still be visible for times to come. If I need to let my domain die, and someone else picks it up, do they now inherit the credit for all my deeds scattered across the internet? Does everyone simultaneously stop asserting that my identity is good, or can they still assert that the identity was good at the time the action was taken?
Time is something I’ve continually wrestled with while developing internal systems at many companies. Most things have a period of validity. Many things require an occasional check that something was valid at a particular point in the past. Most software I’ve seen that deals with certificates doesn’t quite act this way. For example, if a person’s email certificate expires, most S/MIME clients I’ve used will refuse to certify that the email was properly signed and sent, and that the certificate was valid as of the date it was sent. That’s what I care about when reading signed email. I don’t care that the person uses a different certificate today.
Similarly, if I leave a comment on a site, author an article that’s signed, or use a digital identity in some other way, I want my use of that identity, at that point in history, to be considered valid for all time.
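To make the point-in-time question concrete, here is an added example (not code from the original post, and not tied to OpenID or any real S/MIME client). It keeps a history of who held an identity URL, and with which key, over which period; an HMAC with a per-period secret stands in for a real certificate or key pair, and the URL, owners, dates and keys are all constructed. Two checks are contrasted: the "is the key valid today" behaviour the post complains about, and a check against the binding that was in force when the action says it was signed, which is also what lets the old holder keep credit for old comments after the URL changes hands.

```python
"""Point-in-time validity of an action signed under a URL identity.

Added illustration, not the original post's code.  An HMAC over a
per-period secret stands in for a certificate or key pair.  The identity
URL, owners, dates and secrets below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class KeyBinding:
    """Who controlled an identity URL, and with which key, over a period."""
    identity: str
    owner: str
    key: bytes
    valid_from: datetime
    valid_to: Optional[datetime]  # None means the binding is still current


@dataclass(frozen=True)
class SignedAction:
    """A comment or article signed under an identity at a stated time."""
    identity: str
    body: str
    signed_at: datetime
    signature: bytes


def _canonical(identity: str, body: str, signed_at: datetime) -> bytes:
    # The timestamp is covered by the signature, so it cannot be edited later
    # without invalidating the signature.
    return f"{identity}\n{signed_at.isoformat()}\n{body}".encode("utf-8")


def sign_action(binding: KeyBinding, body: str, signed_at: datetime) -> SignedAction:
    msg = _canonical(binding.identity, body, signed_at)
    sig = hmac.new(binding.key, msg, hashlib.sha256).digest()
    return SignedAction(binding.identity, body, signed_at, sig)


def binding_at(history: List[KeyBinding], identity: str, when: datetime) -> Optional[KeyBinding]:
    """Return the binding for `identity` that was in force at `when`, if any."""
    for b in history:
        if b.identity != identity:
            continue
        if b.valid_from <= when and (b.valid_to is None or when < b.valid_to):
            return b
    return None  # nobody held the URL at that instant (e.g. a lapsed domain)


def _check(binding: Optional[KeyBinding], action: SignedAction) -> bool:
    if binding is None:
        return False
    msg = _canonical(action.identity, action.body, action.signed_at)
    expected = hmac.new(binding.key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, action.signature)


def verify_with_current_binding(history: List[KeyBinding], action: SignedAction, now: datetime) -> bool:
    """The 'is the key valid today' check: fails once the URL or key has moved on."""
    return _check(binding_at(history, action.identity, now), action)


def verify_at_signing_time(history: List[KeyBinding], action: SignedAction) -> bool:
    """Check against the binding that was in force when the action says it was signed."""
    return _check(binding_at(history, action.identity, action.signed_at), action)


def attribute(history: List[KeyBinding], action: SignedAction) -> Optional[str]:
    """Owner to credit: whoever held the URL at signing time, but only if the signature checks."""
    b = binding_at(history, action.identity, action.signed_at)
    return b.owner if _check(b, action) else None


def build_history() -> List[KeyBinding]:
    # Constructed: alice let the URL lapse at the start of 2007, bob picked it up mid-2007.
    url = "https://example.com/"
    return [
        KeyBinding(url, "alice", b"alice-secret-2005",
                   datetime(2005, 1, 1, tzinfo=UTC), datetime(2007, 1, 1, tzinfo=UTC)),
        KeyBinding(url, "bob", b"bob-secret-2007",
                   datetime(2007, 6, 1, tzinfo=UTC), None),
    ]


def demo() -> dict:
    history = build_history()
    alice, bob = history
    when = datetime(2006, 3, 15, tzinfo=UTC)
    comment = sign_action(alice, "Nice post, Phil.", when)
    # bob, who only holds the URL from 2007, signs with his key but claims a 2006 date.
    backdated = sign_action(bob, "I wrote this in 2006, honest.", when)
    now = datetime(2008, 1, 1, tzinfo=UTC)
    return {
        "comment_valid_today": verify_with_current_binding(history, comment, now),
        "comment_valid_when_signed": verify_at_signing_time(history, comment),
        "comment_credited_to": attribute(history, comment),
        "backdated_valid_when_signed": verify_at_signing_time(history, backdated),
        "backdated_credited_to": attribute(history, backdated),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The alice comment fails the "valid today" check in 2008 because the URL now belongs to bob with a different key, yet it passes the signing-time check and is still credited to alice. The backdated action fails both, because the key in force on the claimed date was alice's, not bob's. What this example does not solve is the post's other worry: `signed_at` is asserted by the signer, so a verifier still needs some trusted time source (or a timestamp countersigned by one) before it can rely on the claimed date.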
Perhaps the real breakdown in this structure falls to locating a trusted time source. Perhaps it doesn’t matter so much if you’re willing to trust your own site’s time source, and some authoritative source’s answer to “what range of time is this identity good for.”
URLs as identity are useful. I used one at the beginning of this post to casually identify Phil Windley. I think that straightforward ideas like this have big potential to do good and be widely adopted. But, while I’m no expert on digital identity, in my opinion time does matter. Ignoring it will cause pain down the road. And right now, just about everything that deals with time in the OpenID Spec is crossed out.
Hopefully I’m clueless about a big piece of the pie.