ID4me: using the DNS as a directory for identities

By Vittorio Bertola on 31 Aug 2018

Category: Tech matters

Internet-wide identity management is one of the hot issues currently — dealing with hundreds of separate usernames and passwords is insecure and unfriendly for users. Increasingly, people use their social network accounts to log into websites, which works well, but forces you to allow either Google or Facebook to track all your logins — you don’t have a lot of choice.

So, we thought, can the Domain Name System (DNS) community come up with anything better? The ID4me project — originally launched by Denic, 1&1 and Open-Xchange, and now supported by several other players — is trying to do just that.

There are already open and widely adopted standards for single sign-on and personal information exchange (OpenID Connect/OAuth 2.0). What is missing is a federated namespace that would allow the distributed unique naming of identities, and a discovery mechanism providing a global database that could associate each identity with its identity provider, where the OAuth authorization flow can then take place.

Several startups are trying to do this with a blockchain, using it as the public ledger where everyone stores identifiers and pointers. However, a ‘public distributed ledger’ already exists: it’s the DNS! It is well understood, it has been working reliably for thirty years, it scales well, it is secure (if you deploy DNSSEC), it is federated, resource-effective, globally available, and well managed.

Thus, ID4me allows you to use any syntactically valid hostname as an identifier for your online identity — as long as you control the related zone — and uses a TXT record to store pointers to your identity authority (the registry that manages your credentials and authenticates you) and your identity agent (the ‘registrar’ that manages your service and your personal information).
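As an added example (not code from the ID4me project or from this article), here is how a relying party might resolve an identifier to its identity authority and identity agent from the TXT record described above. The `_openid` label and the `v=OID1;iss=...;clp=...` field layout are assumptions drawn from the ID4me drafts rather than from the article, and the DNS answer is constructed inline so the code runs offline; the check worth noting is that an answer that was not DNSSEC-validated is rejected, since the security claim above rests on DNSSEC.

```python
import re
from dataclasses import dataclass

# RFC 1123-style label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    """ID4me accepts any syntactically valid hostname as an identifier."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(lbl) for lbl in name.split("."))

@dataclass(frozen=True)
class Discovery:
    identifier: str
    authority: str  # "iss": the identity authority that authenticates the user
    agent: str      # "clp": the identity agent that holds the user's personal data

def parse_id4me_txt(identifier: str, txt_records: list, dnssec_validated: bool) -> Discovery:
    """Turn the TXT answer for an identifier into authority/agent pointers.
    The `v=OID1;iss=...;clp=...` layout is an assumption taken from the ID4me drafts,
    not from the article. Insist on a DNSSEC-validated answer: a spoofed pointer
    would send the login to a provider the user never chose.
    """
    if not is_valid_hostname(identifier):
        raise ValueError("identifier is not a syntactically valid hostname")
    if not dnssec_validated:
        raise ValueError("TXT answer was not DNSSEC-validated; refusing to trust it")
    candidates = [r for r in txt_records if r.startswith("v=OID1;")]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one ID4me record, found {len(candidates)}")
    fields = {}
    for item in candidates[0].split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    iss, clp = fields.get("iss", ""), fields.get("clp", "")
    if not (is_valid_hostname(iss) and is_valid_hostname(clp)):
        raise ValueError("iss/clp pointers missing or not valid hostnames")
    return Discovery(identifier, iss, clp)

# Constructed zone data standing in for a real, DNSSEC-signed resolver answer.
CONSTRUCTED_ZONE = {
    "_openid.alice.example": ["v=OID1;iss=auth.example-authority.net;clp=agent.example-registrar.net"],
    "_openid.bob.example": ["some unrelated TXT record"],
}

def discover(identifier: str, zone=CONSTRUCTED_ZONE, dnssec_validated: bool = True) -> Discovery:
    """Look up `_openid.<identifier>` (the label used by the drafts; also an assumption)."""
    records = zone.get("_openid." + identifier.rstrip("."), [])
    return parse_id4me_txt(identifier, records, dnssec_validated)
```

In a real deployment `CONSTRUCTED_ZONE` would be replaced by a validating resolver query, with `dnssec_validated` taken from the AD flag of the response.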

The result is that any website can now implement a single login button that will work like those used by the social networks, but support any identity from any ID4me-compliant identity provider. This allows many more players to enter the market, and a lot more freedom of choice for end users — in fact, a few smart users may even choose to self-host their identity.

The standard also includes a way for websites to request specific information fields about the user; the identity authority, at the first login, will ask the user for consent to the sharing of this information. If the consent is given, the authority will generate a token to authorize the website to retrieve this information.

This puts the user back in control of what they share about themselves, and at the same time, saves them much hassle. You will never have to register and type your name, email and birthdate again; you just have to identify yourself when you log into a new website for the first time and click to share the information you want.

ID4me is an open standard, and a couple of independent Internet drafts have already been submitted to the IETF. We believe that it is also an opportunity for the domain name industry to:

  • Promote the continued relevance of the DNS by adding more types of content into it,
  • Create a new use for domain names beyond web and email, and
  • Drive the sales of personal domains.

A prototype platform is already up and running, free Java client libraries are available, and more and more partners are joining the effort. We are presenting the concept in several venues, such as the recent ICANN DNS Symposium in Montreal, and we encourage TLD registries, registrars, and ISPs to comment and participate in the project.

Vittorio Bertola is Head of Policy & Innovation at Open-Xchange.