December 2017 - Data Protection & Privacy | Social Media | DNS | Connectivity

Building Easy and Open Online Identities with DomainID

Social media accounts are becoming common identifiers for logging on to third-party websites. But what happens if you want to delete your Facebook account? Vittorio Bertola introduces a new framework for open online identities.


No matter how you use the Internet, I can almost guarantee we share a problem: managing our online accounts.

As websites and services strive to deliver a customized user experience, each and every one of them prompts you to register. They want you to provide a username, a password, and some information about yourself – most of which is always the same. Inevitably, you spend five minutes typing everything in again. You reuse the same password that you’ve already used for countless other websites, because there are only so many passwords that you can remember.

Then the website will complain that, according to their extremely strict security policy, your standard password cannot be accepted, because it cannot contain more than two numbers. It needs to contain at least three punctuation signs. It needs to include at least one lowercase letter, one emoji, and the transcription of an animal’s sound.

A few smart people use password managers, which still have several problems (try losing the master password to your password manager). But the average Internet user will simply opt for the easiest and often least secure option, and then usually end up hitting the “forgot your password?” link anyway.

In the last couple of years, an alternative solution has emerged: Internet-wide single sign-on services run by the big OTTs. There is such a desire for this simple solution that almost all websites quickly started to let you “login with Google” or “login with Facebook”. Or with Twitter. Or with all of them: just pick one from a list of ten providers and use their credentials.

This is very convenient, but do you really want an American company whose business is based on monetizing user information to know all the places that you log into, track you as you move among these services, and exchange information on you with them?

This is why a group of European technical leaders that care about openness and freedom – Open-Xchange, 1&1 and Denic – have decided to develop an identity management framework that works just like those of the OTTs, but empowers the user rather than the provider, and protects the user’s privacy and digital freedoms.

This framework builds on an existing standard, OpenID Connect, which is the same one that Google and Facebook are using, but extends it to add the features that are necessary to create a single, public identity standard that everyone can implement in an open and interoperable manner. Though it could be marketed with other names, initially we called it DomainID.

DomainID allows users to use their own email address, or a hostname in an existing domain name, as an identifier, and uses the Domain Name System (DNS) to let them specify which company is managing their identity. If a user chooses to locate their identity inside their own personal domain name, they are then able to change their identity manager just by changing a record in the DNS. They can buy their identity service from a company, but then, if they lose trust in that company, they can just move it to another one.

In fact, a user could buy their identity service bundled in with their domain, provided by a domain registrar also acting as “identity agent”; and to give additional security, user credentials would be secured by a trusted third party such as Denic, acting as “identity authority”.

DomainID allows any number of identity agents and identity authorities to exist; you could even run yours off your own server. All the identities interoperate; websites only need to implement the client part of the standard once, and any identity from any authority and agent immediately works.
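The DNS-based lookup described above, and the way a single record change moves an identity to another agent, can be sketched as follows. This is an added example, not code or syntax from the DomainID specifications: the record label `_domainid-example`, the `v=EXAMPLE1` TXT format, the host names and the in-memory `zone` dictionary standing in for a resolver are all assumptions made for illustration.

```python
# Added example. RECORD_LABEL and the TXT syntax are hypothetical placeholders,
# not the DomainID specification's actual record format.
RECORD_LABEL = "_domainid-example"

def identifier_to_domain(identifier):
    """Map an email address or hostname identifier to the domain to query."""
    ident = identifier.strip().lower().rstrip(".")
    if ident.count("@") > 1:
        raise ValueError("more than one '@' in identifier")
    if "@" in ident:
        local, _, ident = ident.partition("@")
        if not local:
            raise ValueError("empty local part")
    labels = ident.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError("not a usable domain name: %r" % identifier)
    return ident

def parse_record(txt):
    """Parse 'v=EXAMPLE1; authority=...; agent=...' into (authority, agent)."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if fields.get("v") != "EXAMPLE1":
        raise ValueError("unknown record version")
    if not fields.get("authority") or not fields.get("agent"):
        raise ValueError("record must name an authority and an agent")
    return fields["authority"], fields["agent"]

def resolve_identity(identifier, zone):
    """Look up who manages an identifier; `zone` stands in for a DNS resolver."""
    domain = identifier_to_domain(identifier)
    txt = zone.get("%s.%s" % (RECORD_LABEL, domain))
    if txt is None:
        raise LookupError("no identity record published for " + domain)
    return parse_record(txt)

# Constructed zone data: the user owns example.org and publishes one record.
zone = {"_domainid-example.example.org":
        "v=EXAMPLE1; authority=authority.example; agent=agent-a.example"}
before = resolve_identity("alice@example.org", zone)
# Moving to another agent is a single record change; the identifier is unchanged.
zone["_domainid-example.example.org"] = (
    "v=EXAMPLE1; authority=authority.example; agent=agent-b.example")
after = resolve_identity("alice@example.org", zone)
```

A website implementing the client side would run this lookup once per login attempt and then start a standard OpenID Connect flow with whichever parties the record names.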

Only the identity authority actually gets to know a user’s password – this is the only place where the user needs to log in, and therefore needs a password. The authority can implement any additional security standard, such as two-factor authentication, and it is immediately effective for all logins. And if users are concerned about using the same identifier to log into all of their accounts, they can create additional ones, exactly like people now use different email addresses to sign up for different services.

But there is more: If desired, customers can decide how much information to provide to their identity agents. A business identity and a separate personal identity? A pseudonymous identity? All possible.

Then, when users access a website for the first time, there is no need for them to re-register; they just log in with their identifier, and authorize the website to access only the specific information that they want to share with it.

This may seem like an impossible dream, but the technology exists; we already have a working prototype, and we are publishing open specifications and encouraging people to join the effort. 

We think that this is not just useful, but crucial for the future of the Internet. There is no doubt that an effective and open identity management system is necessary. Efforts by governments to produce one (for example, the eIDAS European project) proceed slowly and would result in users having to provide true names and addresses for each and every website visited, which is great for online banking, but overkill for many less important services.

If the Internet community cannot produce an open standard and have it widely adopted, it is very likely that we will be left with a few non-interoperable, closed, opaque systems – and we will all lose an important chunk of our digital freedom and privacy.

We strongly believe that the DNS – the decentralized directory of the Internet – should continue to act as a central element of its future architecture. It should be used to look up people as well as domains. For the many companies that revolve around the domain name architecture, keeping the DNS relevant is a major strategic issue: one more reason to adopt and promote DomainID!

So, if you are an ISP that wants to provide DomainID identifiers to your customers, or if you are a website that wants to accept them, contact us, download the specifications, and start building the future of online identities with us!

Read Vittorio Bertola’s article on Bringing Order To The Digital Wild West From The Bottom Up in the March 2017 issue of dotmagazine.

Vittorio Bertola is Research & Innovation Engineer at Open-Xchange, a global leader in services and free software for the Internet's email and DNS infrastructure, where he takes care of research and innovation activities, leading projects to invent and develop new products; he is also responsible for the company's policy activities. Previously, he worked as a freelance consultant, as a website developer and as partner, founder or CTO in several Internet start-ups in Italy. He is also a digital rights activist, dealing with Internet policy at the national and international level for the last twenty years.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.