The idea is pretty simple. First prove what he calls a
communication identifier, say an email address. Then you can claim any resource by putting this hash:
In his blog, the inventor claims:
The most exciting aspect is that it empowers end users with absolute control while fully protecting their rights and privacy.
Errr, no. Firstly, privacy is not protected at all. Anyone with a list of email addresses (or other communication identifiers) can mount a trivial dictionary attack to determine which one owns which resource, and since the hash has to be published to all and sundry on that resource, harvesting hashes is easy.
Secondly, rights are not protected: once the attacker has discerned the communication ID they can easily claim resources that are not yours. In response to this criticism Jeremie says:
…why would you point to something that someone else spoofed?
How is the relying party to know that “you” are doing the pointing? If it is to be sure, then there must be some kind of strong authentication going on before pointing occurs. MicroID doesn’t provide this. But once you have a system that does, then claiming things in a strong way is easy – e.g. just state “this URL is mine” down your strongly authenticated channel, so why are we messing about with hashes?
Seems to me MicroID is cute but ultimately not very useful.
Incidentally, cryptoplumbers out there, if you are going to sign things with hashes, there’s a known construct for doing so: the HMAC. Use it, don’t invent your own.