Suppose a user had control of a name that can be looked up through DNS, something like dave.me or dave.easy.com. The former would be done through a registrar, the latter by a web service.

Suppose in both cases the user could define a file whose name would be known only to him. That's the password. When you sign in, you'd enter the domain and the name of the file where username and password are requested.

Then the site requesting a validated ID would make this request:

If what came back is a 404, you're not authorized. If a 200 came back -- you're in.

The body of the response could be something like a feed or an OPML file with info about the person. Basic stuff that any authenticated site is allowed to have.

Seems that's about as thin as an ID system can get. And there's nothing innovative about it. We just need something like this that's quick and easy for users to set up, with a name they're likely to trust.
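One way a site could run the check described above, as an added example that is not from the original post. It assumes the request is an HTTPS GET for `https://<domain>/<file name>` (the post does not show the URL), treats anything other than a 200 as a refusal, and uses `dave.example`, the file name and `fake_fetch` as constructed stand-ins.

```python
import re
import urllib.error
import urllib.request

# Plain DNS names only: no IP literals, ports, userinfo or paths in the "domain" field.
HOST_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
# The secret file name must be a single path segment.
FILE_RE = re.compile(r"[A-Za-z0-9._~-]{1,128}")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # a 3xx then surfaces as HTTPError, so it never counts as 200

def build_url(domain, filename):
    """Build the lookup URL (assumed form) or raise ValueError on unsafe input."""
    domain = domain.strip().lower().rstrip(".")
    if len(domain) > 253 or not HOST_RE.fullmatch(domain):
        raise ValueError("not a plain DNS name")
    if not FILE_RE.fullmatch(filename) or filename in (".", ".."):
        raise ValueError("file name must be a single path segment")
    return f"https://{domain}/{filename}"

def http_status(url, timeout=5):
    """Return the HTTP status for a GET of url, or None if the host is unreachable."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def is_authorized(domain, filename, fetch=http_status):
    """200 means the secret file exists: you're in. Anything else is a refusal."""
    try:
        url = build_url(domain, filename)
    except ValueError:
        return False
    return fetch(url) == 200

# Constructed stand-in for the network: the only file that exists on this fake site.
FAKE_SITE = {"https://dave.example/k3y-7f2a.opml": 200}

def fake_fetch(url):
    return FAKE_SITE.get(url, 404)
```

Passing `fetch=fake_fetch` exercises the decision logic offline; leaving the default makes a real HTTPS request.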