September 2007

MicroID

As part of one of the more deeply nested yak shaving exercises I've been working through recently, I have added MicroIDs to various pages on this site. For example, the header for the main index page for this blog now includes the following elements:

<!-- MicroID for '/' variant of URL -->
<meta name="microid"
  content="mailto+http:sha1:b887e662ed3d811e665ef4a034e018a521a5467d" />
<!-- MicroID for '/index.html' variant of URL -->
<meta name="microid"
  content="mailto+http:sha1:ed938d07588303f4eeee45adfef090221e0c692e" />

A MicroID is a very simple way of making a verifiable statement about the ownership of a page. The specification goes into more detail, but essentially the value you see is constructed by independently hashing your e-mail address and the URL of the page in question, concatenating those results and then hashing once more.

The way you use a MicroID in practice is as supporting evidence for a claim of ownership to some third party who already knows your e-mail address. If you say "I own that page" to such a third party, they can compute the same MicroID value from your e-mail address and the page's URL and then check for a match within the page's <meta name="microid"> headers. You can see this claim checking by looking at the "verified" links in my claimID profile.
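The construction and the third-party check described above, as an added example (not code from this post or from the MicroID plugin). It assumes the e-mail address is hashed in its `mailto:` URI form and that the two SHA-1 results are concatenated as lowercase hex strings before the final hash; the address and URLs are constructed sample values.

```python
import hashlib
from html.parser import HTMLParser


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def microid(identity_uri, page_url):
    """Hash identity and URL separately, concatenate the hex digests, hash again."""
    id_scheme = identity_uri.split(":", 1)[0]   # e.g. "mailto"
    url_scheme = page_url.split(":", 1)[0]      # e.g. "http"
    digest = sha1_hex(sha1_hex(identity_uri) + sha1_hex(page_url))
    return f"{id_scheme}+{url_scheme}:sha1:{digest}"


class MicroIDCollector(HTMLParser):
    """Collects the content of every <meta name="microid"> element."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "microid":
            self.values.append((attrs.get("content") or "").strip())


def verify_claim(html, identity_uri, page_url):
    """True if the page carries the MicroID expected for this identity and URL."""
    collector = MicroIDCollector()
    collector.feed(html)
    return microid(identity_uri, page_url) in collector.values


# Constructed sample data: one claimant, two URL variants of the same page.
EMAIL = "mailto:alice@example.org"
ROOT = "http://blog.example.org/"
INDEX = "http://blog.example.org/index.html"
PAGE = f"""<html><head>
<meta name="microid" content="{microid(EMAIL, ROOT)}" />
<meta name="microid" content="{microid(EMAIL, INDEX)}" />
</head><body></body></html>"""

if __name__ == "__main__":
    print(verify_claim(PAGE, EMAIL, ROOT))                          # claimant, '/' variant
    print(verify_claim(PAGE, EMAIL, INDEX))                         # claimant, '/index.html' variant
    print(verify_claim(PAGE, "mailto:mallory@example.org", ROOT))   # different address
```

The URL is compared as an exact string, which is why each URL variant of a page needs its own `<meta>` element.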

MicroID is an improvement on the perhaps more obvious approach of just embedding your e-mail address in the page because it doesn't reveal your e-mail address to things like spam address harvesters. It also improves on a simple hash of the e-mail address by including the URL in the calculation because all pages owned by the same e-mail address are thereby given different MicroIDs. This in turn means that pages can't be grouped together, even anonymously, by web spiders. Looked at from this point of view, a MicroID is a salted hash of the e-mail address.

I'm pretty sure that you could do the same job with one or even two fewer hash operations (for example, the URL is known by definition, so hashing it serves no purpose that I can see), but for static pages performance is not a concern. If I were running a large content site with dynamically generated pages, though, this aspect of MicroID might put me off a little.

Note that although a MicroID looks a little like a digital signature (of the URL) it really isn't; in particular, a MicroID can easily be repudiated because anyone knowing your e-mail address can generate MicroID values "for" you and put them on any pages they please. In other words, you can use it to help confirm ownership of something by a claimant, but not to prove ownership by someone who denies the connection.

Generating the MicroID values for blog pages in particular was made simpler for me by Phil Windley's MicroID plugin for Movable Type. I did have to tweak it a little to correspond to the current MicroID spec, as Phil's plugin as distributed generates what is now thought of as a "legacy" format lacking the scheme and algorithm specifiers.