UserPreferences

Identity


Format

Author / PGP Key: The full text of the author's PGP key.
Author / PGP Key URL: URL to a page containing the author's PGP key, delimited by the usual tags.

Content / Detached signature: A detached PGP signature for the content item's data.

Overview

This is for uniquely identifying blog entry authors


Other extensions to author

These are currently lumped into BiblioGraphy.


Discussion:

[JoeMadia] Question: Should a single Identity map to a single single human person or should it also be allowed to represent groups or machines? I would prefer that identity be tied to a single person but it seems that some thought should be put into automated feeds (error logs, agent-like notifications, etc) as well.

[JoeMadia, RefactorOk] Data elements for a single person Identity: +1 on Canonical Uri and nickname/handle. I would like to add email (optional) and primary web page (optional). What about support for stronger authentication (Public key, pingback mechanism, etc) to help avoid Identity theft? Obviously this is not a problem today but it could be trouble in the future.

The simplest approach would be for the author to maintain a web page with identification (which may be merely a pseudonym) and a public key. This could be a weblog, a personal web page, or a page provided say by a weblog service. Any entry can be guaranteed to come from that "person". With that foundation, add features to distinguish between real persons, bots, PR agents, ....

(What is the prior art for simple distributed identity systems? Less grand than the "Liberty Alliance"(?) )

The network of relations among authors will be rich like that among weblog entries.

Projects:

[JimDriscoll, DeleteOk] I think this should generally refer to OpenPGP (the protocol) not to PGP (the product). I like GnuPG myself.

[NickChalko RefactorOk] Why only sign the "content". I think many of the attributes are also important enough to sign. Title,Date,Author, basically everything except the sigs themself. EntrySigning

[MichaelManley RefactorOk] Can the managing editor or some other authority sign the feed as a whole? If so, that could open up possibilities for mirroring of feeds without fear of the feeds themselves being compromised. On the initial subscription to a feed, the aggregator would connect to the feed originator and get the public key of the keypair used to sign the feed. The aggregator could pick up the feed from any mirror (or other distribution mechanism) and be reasonably assured that the feed had not been tampered with since the original publication by verifying the signature. Mirroring feeds with authentication, alongside whatever caching mechanism the transport provides, could mitigate bandwidth concerns for popular feeds (thinking of feeds distributed via bittorrent, for example). Also, should pointers to public keys be made part of the AutoDiscovery mechanism?


See also Foaf, Security, EntrySigning, EntryAccountability, CommentAuthentication


CategoryMetadata, CategoryModel, CategoryArchitecture