Drummond Reed: Web identifiers are broken

Drummond mints a corollary to one of Kim Cameron’s Laws of Identity:

The identifiers in a universal identifier metasystem MUST only reveal information identifying a user with the user’s consent.

… and follows it up with this bold claim:

So half the Web breaks this corollary before we’re even out of the starting gate. But it gets worse. Look at one of the current bulwarks of online identification: DNS. A standard requirement for most DNS name registries is accurate, current contact data for the registrant that is published publicly as “Whois” data. Although many registrars now offer proxy registration services to preserve registrant privacy and prevent spam, there’s no escaping that a major component of our current Internet identifier infrastructure breaks the First Corollary squarely in two.

Hmm, how exactly does Web/Internet/DNS break that corollary? I can’t see it. Is it because of DNS (and if so, why the “it gets worse” comment)? DNS does certainly require a small amount of information be made available, and though I’m hardly a historian, the little I do know of the history of this data suggests that it represents the minimum amount that a mature industry – which has had to balance the needs of domain owners (anonymity) with those of the public at large (accountability) over many years – has reached consensus on requiring. So I doubt that any competing centralized solution would be able to reach widespread deployment without, in the steady state, providing a similar amount of info about registrants.

Also, who says that there’s a direct correspondence between a DNS name and the person who uses the email address? I don’t own gmail.com, nor yahoo.com, yet have email addresses at both of those domains. Google and Yahoo, in offering an email service, provide a degree of anonymity via proxy; if you want to learn more about me there, you have to go through them, and I’m not required to publish any info about myself there. Hushmail’s probably the extreme case here, as they seem to exist to provide as-anonymous-as-possible email services.

As you’d expect from a chair of the XRI TC, he then claims that XRIs don’t have this problem:

So can XRIs fix this problem? Yes. The first principle of XRI architecture is that XRIs are abstract – the association between an XRI and the real-world resource it represents is entirely under the control of its XRI authority (the person or organization registering the XRI, at any level of delegation). So nothing in an XRI need reveal anything about the authority’s identity or messaging address.

… which, as I’ve shown, is also the case with even DNS-bound URIs.
