Concept

MicroID

Summary
MicroID is a decentralized identity protocol. It was originally developed in 2005 by Jeremie Miller. A MicroID is a simple identifier comprising a hashed communication/identity URI (e.g. email, OpenID, and/or Yadis) and claimed URL. Together, the two elements create a hash that can be claimed by third-party services. Ben Laurie demonstrated privacy problems with it in 2006, as did Chris Erway in a Brown CS Technical Report in 2008.

Here is an example of a MicroID hash, in pseudocode:

    MicroID = sha1( sha1("mailto:user@example.com") + sha1("http://example.net/") );

The computed MicroID would then be placed on a web page to be claimed. A verifier, which would independently generate the MicroID, would then visit the page to see if the generated MicroID is the same as the MicroID on the page. If they are the same, a claim exists.

MicroID is based on a communication URI. Since both the MicroID provider and verifier can verify the communication URI, a proper MicroID implementation allows for trusted identity claims.

A MicroID is essentially a content URI signed with an email address or other attribution. Since the content URI is known for comparison purposes, a MicroID claim can be forged by anybody who knows the communication URI (e.g. email address) associated with the identity. In particular, since a verifier must generate the MicroID in order to compare it, it follows that any party who is trusted to verify a user's MicroID must also be trusted to generate new authorship claims with it. So if you can verify, you can forge. In other words, anyone (e.g. Alice) who can verify someone else's (e.g. Bob's) MicroID on a resource X can also generate (spoof) a MicroID on any other document (e.g. Alice can generate a valid MicroID for a document Y, not equal to X, in Bob's name).

Assuming the identity is not known (e.g. 1) the publisher has chosen to remain anonymous and 2) denies others the ability to verify the MicroID claim until a time in the future when the user reveals their identity), then someone with email addresses can perform a trivial dictionary attack to find ownership of resources, and someone with a URI can perform a trivial dictionary attack to find an email address.
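
The two weaknesses described above, shown in Python as an added example (not code from the original page or from the MicroID project). It assumes the inner SHA-1 digests are concatenated as lowercase hex strings; the addresses, URLs and function names are constructed for illustration.

```python
import hashlib
import hmac

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def microid(identity_uri: str, claimed_url: str) -> str:
    # Assumption: inner digests are joined as lowercase hex strings.
    return sha1_hex(sha1_hex(identity_uri) + sha1_hex(claimed_url))

def verify(published: str, identity_uri: str, claimed_url: str) -> bool:
    # The verifier's whole job: recompute from public inputs and compare.
    return hmac.compare_digest(published, microid(identity_uri, claimed_url))

def matching_identities(published, claimed_url, candidates):
    # Anyone holding a list of addresses can run the same comparison,
    # so withholding the identity URI does not hide it.
    return [c for c in candidates if verify(published, c, claimed_url)]

def demo():
    bob = "mailto:bob@example.com"          # constructed sample identity
    page_x = "http://example.net/x"         # page Bob really claimed
    page_y = "http://example.net/y"         # page Bob never claimed
    bobs_claim = microid(bob, page_x)

    # Alice checks Bob's claim on X using only Bob's address and the URL ...
    genuine_ok = verify(bobs_claim, bob, page_x)
    # ... and the same inputs let her produce a value for Y that any
    # verifier accepts exactly as it accepts Bob's own.
    not_bobs = microid(bob, page_y)
    indistinguishable = verify(not_bobs, bob, page_y)

    # "Anonymous" claim: only the hash is published on page X.
    address_list = ["mailto:alice@example.com", bob, "mailto:carol@example.com"]
    recovered = matching_identities(bobs_claim, page_x, address_list)
    return genuine_ok, indistinguishable, recovered

if __name__ == "__main__":
    print(demo())
```

Nothing in the computation depends on a secret held by the claimant, which is why a keyed construction or a digital signature is needed where a claim must be attributable to one party.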