← Back to context

Comment by drdaeman

8 months ago

Identity provisioning is an abomination that shouldn't have been invented. I used to be a fan back in mid-'00s, self-hosting an OpenID server, without realizing how the whole concept is so fundamentally flawed.

Identity is an innate and inalienable property of individual, not something that anyone else (another person, company/website, government or whoever else) can "provide". They can merely attest by providing a credential, by e.g. issuing a passport.

At least Webauthn got this right.

6 comments

drdaeman

Reply
jbjohns  8 months ago

But does this not make the assumption that the Identity being provisioned is exactly you and only you? I've always seen these identities as my pseudonym on some identity provider and use them in that manner.

I suppose I've used some identities in enough places that it would be hard to deny to certain entities that the identity was mine, but even in that case it's a small subset of entities which have seen the identity that could prove that it's me.

lolinder  8 months ago

Is there a practical consequence to this distinction between attestation and provisioning, or is it purely philosophical?

  • drdaeman  8 months ago

    For me personally, it's primarily philosophical - I don't want to be defined by someone else, only confirmed that it's, indeed, me.

    However, there are practical consequences. There are plenty of stories how people got their Google/Facebook/Apple/... accounts blocked; or domain name lapsed, for self-hosting folks - and thus lost "their" "identity" (quotes for a lack of better words).

    One can back up their credentials and attestations - losing a password (or a keypair) is preventable, since it's all first-party. One cannot back up a third-party service.

    • bloppe  8 months ago

      This is fair, but I appreciate having an interoperable standard nonetheless. I'm currently designing an auth system based on oidc where the first party service is itself an IDP, but you could also use a third party IDP like Google. So if you're worried about losing access to your Google account, you can use the first party IDP and set up an account, and if you'd rather not set up a new account, verify email, set up 2fa etc, you can just reuse your Google ID. Since they're both standard OIDC flows, it's not hard to support both (and many more)

      2 replies →