yet another distributed identity system (yadis)

Spotted on the blosxom mailing list: yadis stands for “yet another distributed identity system” and is the brainchild of Brad Fitzpatrick, lead developer of LiveJournal. It’s simple and clever, and at minimum, it’s going to force others to state clearly why their more complicated systems are better. Here’s my first take.

Not surprisingly, the yadis spec is very similar to the Identity Commons single sign-on protocol (which will eventually be replaced by a SAML profile), except instead of XRIs and XDI, yadis uses URIs and FOAF. With Identity Commons, you log in with an i-name, which is a valid XRI. That XRI gets resolved, then points to your identity broker (what folks in the SAML world call an “identity provider”). With yadis, you log in with a URI (likely your blog URI, sans the protocol prefix). The application queries the URI for a FOAF file that contains the URI to your identity provider. The backchannel authentication is almost identical for both systems.
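The discovery half of that flow, as an added illustration rather than code from the yadis spec or from LiveJournal: the user types a bare identifier, the application normalises it to a URI, fetches the FOAF document and pulls out the identity-provider URI. The FOAF property name (`ex:identityProvider`) and its namespace are placeholders I assumed for the example; the page does not say which property yadis actually uses. The sample FOAF document is constructed inline so the code runs offline.

```python
"""yadis-style discovery: identifier -> FOAF document -> identity-provider URI.
The FOAF property that names the identity provider is a hypothetical placeholder;
the real yadis wording is not given on this page."""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
FOAF = "{http://xmlns.com/foaf/0.1/}"
# Assumed stand-in namespace for whatever yadis uses to point at the identity provider.
IDP_NS = "{http://example.org/yadis-placeholder#}"

def normalize_identifier(raw: str) -> str:
    """Turn 'eekim.com/blog/' into an absolute http(s) URI; reject anything else."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw            # user typed the URI sans protocol prefix
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported identifier: {raw!r}")
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, "", ""))

def find_identity_provider(foaf_xml: str, identifier: str) -> str:
    """Return the identity-provider URI the FOAF document advertises for identifier."""
    root = ET.fromstring(foaf_xml)
    for person in root.iter(FOAF + "Person"):
        # The Person must claim the very URI the user logged in with; otherwise a
        # FOAF file hosted anywhere could vouch for an identifier it does not own.
        homepages = {hp.get(RDF + "resource") for hp in person.findall(FOAF + "homepage")}
        if identifier not in homepages:
            continue
        idp = person.find(IDP_NS + "identityProvider")
        if idp is None or not idp.get(RDF + "resource"):
            raise ValueError("FOAF document names no identity provider")
        return normalize_identifier(idp.get(RDF + "resource"))
    raise ValueError("FOAF document does not describe this identifier")

# Constructed sample FOAF document (not fetched from a real site).
SAMPLE_FOAF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:ex="http://example.org/yadis-placeholder#">
 <foaf:Person><foaf:name>Example User</foaf:name>
  <foaf:homepage rdf:resource="http://eekim.com/blog/"/>
  <ex:identityProvider rdf:resource="https://idp.example.net/login"/>
 </foaf:Person></rdf:RDF>"""

def discover(raw_identifier: str, foaf_xml: str = SAMPLE_FOAF) -> str:
    """Full discovery step over an already-fetched FOAF document."""
    return find_identity_provider(foaf_xml, normalize_identifier(raw_identifier))
```

In a real relying application the FOAF document would be fetched from the normalised identifier over HTTP; the homepage check is what stops a document at one URI from asserting an identity provider for another.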

yadis is compelling because it’s simple and highly bootstrapped. You need very little additional infrastructure to get it working. Identity Commons relies on a global XRI infrastructure that is barely in its infancy, and it uses XDI for data sharing, which doesn’t even exist as a draft spec yet. (It’s far from vaporware, though, as some docs and code do exist.)

Why the complexity? Is it just that =eekim seems more aesthetically pleasing as a username than eekim.com/blog/? Absolutely not.

The yadis doc says:

    This is not a trust system. Trust requires identity first.

The i-name infrastructure addresses both the identity problem and the trust problem.

First, i-names are designed to be long-lived, whereas URIs are not. What happens when you get married, you change your name, and you decide to get a new domain name to reflect that? Will the new URI work with all your old accounts, or will you have to change them manually? Or, what do all the folks without a personal web site or blog (and no desire for either) use?

Second, XDI is designed with data contracts in mind. You can attach contracts to any piece of your profile data, and you can have different contracts for every entity with whom you deal. This is the biggest problem with FOAF.

That said, I think yadis is a very important development for two reasons. First, it may be an excellent intermediate step to i-name adoption. In other words, it solves an immediate problem easily, then has a natural evolution path to i-names once (or if) its inadequacies become a problem. Second, it’s a great reality check for the techies in the Identity Commons community. We still don’t have clear explanations of i-names or XDI, and the adoption path is still too high. I don’t think there are easy answers to these problems, but it’s important that we remain focused on these issues.

Finally, there’s a very good technical observation in the docs that is worth noting: SAML is not Ajax-friendly.