OpenID for content

2008-01-08 3-minute read

Every day we post content on web sites run by people that we trust, or know a little, or don’t know at all, or in many cases explicitly don’t trust, or really, just about every variation within these categories of trust. Even with people we know and trust, we often have no idea how secure their systems are or how reliable their backups are.

OpenID directly addresses this concern by asking: why would you entrust your password and identity to all of these websites run by people you don’t know? With OpenID, the answer is: you shouldn’t! Instead, pick a single trusted provider to store your password and verify your identity. Then, any web site, trusted or not, directs you to your trusted identity provider to verify your identity and, provided the response is positive, lets you in without ever needing to touch your password.

Then, satisfied and feeling secure, we proceed to pour hours and hours into writing posts, comments, how-to’s; uploading music, artwork, and photos; and engaging in critical dialogues, all of which could disappear permanently with the flip of one switch, the exploitation of a single vulnerability, the sale of a corporation, or the disappearance of a collective.

What if we had a different model for content on the web?

What if, like with OpenID, we chose a trusted content publisher and published all of our content there? What if web applications allowed you the option: publish your blog, comment, photo, etc. on our servers - or publish on your open content enabled provider and leave a link on our server? The web application would display the content exactly the same - whether it was stored on their server or stored on your trusted provider’s server.

This setup in no way ensures that an untrusted web site won’t change your content before displaying it, or delete the post by deleting the link back to you, or do any number of devious and evil things. However, they won’t be able to delete or change the actual content that you wrote. The content is under your control.

A somewhat obvious criticism comes to mind: this approach means that if your trusted provider has a disaster, you could lose everything you’ve ever published on the Internet. Well, yes, that’s a problem. With the current paradigm, if a web site goes down, you’ve lost everything you’ve contributed to that web site, but not everything you’ve ever contributed anywhere.

On the other hand - wouldn’t you like a system that could allow you to download to your own computer everything you’ve written online with the click of a single button? While you are increasing the likelihood that a single mess-up could do very significant damage, you are at the same time giving yourself a degree of control over your data that is impossible today. While your provider should certainly make their own backups, you could easily make an extra backup whenever you wanted. And, with the ability to easily back up your own data, you could also easily move to any provider you want at any time.

After re-reading what I’ve written - this idea seems really unoriginal. Isn’t this what HTTP was designed to do?