By John Light
P2P Connects US
May 11, 2013

During the “Respect Connect: Social Login That Doesn’t Suck” discussion at the Internet Identity Workshop, I held back from mentioning Namecoin because we were only looking for the attributes of a good login system rather than a technology. I would like to put forth that Namecoin can satisfy most, if not all, of the desirable attributes mentioned in that discussion. As a recap for those who weren’t there, those attributes (and I’m leaving out a couple that I couldn’t read from the back of the room) are: personal silence, ease of use, non-invasive, iterative identity, acceptance, private, and ubiquitous “connect.” Keep these in mind as I describe Namecoin and how it can be used for login purposes.

For the uninitiated, Namecoin is a decentralized, peer-to-peer naming system based on the cryptocurrency technology pioneered by Bitcoin. The use-case for Namecoin I’m about to describe was originally inspired by a post made by Joe Cascio called “Collateralized ID: Using Bitcoin To Suppress Sockpuppets.”
A Namecoin app in your personal cloud can store and manage your identity information. It’s like your login passport: one thing that lets you in everywhere else. Each app can create multiple addresses, each of which comprises a public/private key pair, the address being the public part and the private key stored behind the scenes.
Addresses can hold any number of namecoins, which are a unit of account on a distributed ledger to which you can attach certain attributes (up to 1023 bytes of data attributable per coin). You could have a coin for your name, a coin for your email, a coin for your URL, etc., and those are stored forever in the blockchain. Each address can store namecoins associated with a different context in your life and can remain forever contextually separated from the other addresses as long as no coins are traded between them and you don’t reveal to anyone else that you control both addresses.
In the context of using Namecoin for “login that doesn’t suck,” you use a system like FIDO combined with the public key from your Namecoin address and you can authenticate in a very non-invasive, private way. You register the public key with the FIDO-enabled site, they deliver you a nonce, you authenticate with the private key in your Namecoin app (or a password/PIN associated with it), and you’re granted access. The password isn’t stored on another server, and you aren’t even required to provide a “name” (though I can imagine doing so would be easier for fellow community members than remembering you by NDtPuyg3adscr6HCE1GUiSsKPtA8ewKgz3). Important to note is that Namecoin attributes can change over time if the person who controls them so chooses. Separate records could be kept in the personal cloud on the activity of the controller of the public key for each site with which the public key is registered, which would allow user profiles to build over time. Also important to note is that one does not have to exclusively use Namecoin for this login scheme. I just used Namecoin as an example since you can also attach identity information to namecoins, which makes sense for building a user profile around an identity.
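The register / nonce / sign / verify exchange described above, as an added example that is not code from the original post, from FIDO, or from Namecoin. The names Site, Register, Challenge, Login and Respond are hypothetical, Ed25519 stands in for the wallet's key type, and the sketch goes one step beyond the paragraph by binding the signature to the site origin and making each nonce single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Site is a hypothetical relying party: it stores public keys, never passwords.
type Site struct {
	Origin  string
	keys    map[string]ed25519.PublicKey // account ID -> registered key
	pending map[string][]byte            // account ID -> unanswered nonce
}

// Register stores the key; the account ID is the hex key, no name required.
func (s *Site) Register(pub ed25519.PublicKey) string {
	s.keys[fmt.Sprintf("%x", pub)] = pub
	return fmt.Sprintf("%x", pub)
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Site) Challenge(id string) []byte {
	s.pending[id] = make([]byte, 32)
	if _, err := rand.Read(s.pending[id]); err != nil {
		panic(err)
	}
	return s.pending[id]
}

// Login verifies the signature over origin||nonce and consumes the nonce.
func (s *Site) Login(id string, sig []byte) bool {
	nonce, open := s.pending[id]
	delete(s.pending, id) // single use: a replayed signature finds no challenge
	pub, known := s.keys[id]
	return open && known && ed25519.Verify(pub, append([]byte(s.Origin+"\x00"), nonce...), sig)
}

// Respond is the client side: the private key never leaves the user's app.
func Respond(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin+"\x00"), nonce...))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for a wallet key
	site := &Site{"https://forum.example", map[string]ed25519.PublicKey{}, map[string][]byte{}}
	id := site.Register(pub) // constructed sample origin and account
	sig := Respond(priv, site.Origin, site.Challenge(id))
	fmt.Println("login:", site.Login(id, sig), "replay:", site.Login(id, sig))
}
```

The first login succeeds and the replay of the same signature is rejected, because the server deletes the nonce as soon as it is checked.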
Acceptance of this login process is a hypothetical in this scenario just as much as any other: are companies going to want to give up control of the login process, when it often yields a juicy email address to which promotional materials can be sent? I would say that the opportunity for a company to connect with a personal cloud is as easy as offering a “subscribe to newsletter via XDI for special deals” button similar to the newsletter opt-in/out check-boxes which often accompany sign-up forms today.
The newsletter would just be delivered to a personal cloud instead of an email address. Another attractive feature which could drive acceptance by organizations is that this login method doesn’t make companies a target for password-yielding hack-attacks, since no user passwords are stored on their servers.
I look forward to seeing the solutions that the Respect Network and others come up with for “social login that doesn’t suck.” There are undoubtedly many more possibilities, like non-intrusive brainwave authentication and other biometric magic.
John Light is an eager participant of the Peer-to-Peer economy. Specializing in Bitcoin, personal cryptography tools, and social media marketing. Interested in using technology to help solve the world’s most urgent problems. Catch him on the bleeding edge.