
We Love Decentralization, We Hate Decentralization

For a long time, many of us have been caught up in the idea that the web should be as decentralized as possible, because there just seem to be so many benefits to it. For example, file sharing was great with IRC, but became even better with the advent of peer-to-peer networking, which used a decentralized model for sharing. It can be argued that the system never starts off as being decentralized, since the source has to start from one point, but that is another discussion. With the idea of decentralization having been around for a while now, how much of the web is really decentralized, though?

When we started 9rules we intentionally didn’t want to start a Network where we owned all the sites because the idea of having something decentralized appealed greatly to us. However, 9rules could be considered more of a hybrid model because the 9rules site itself could easily be considered the hub with all of the other sites sprinkled around it. Because of the decentralized system that we use, we can grow or shrink at our own choosing without any worries about how it will affect us resource-wise.

The biggest movement for decentralization, though, seems to be coming from identity systems, with OpenID getting the most press lately. The idea is that if everyone uses OpenID then you no longer have to worry about remembering a thousand different logins and you can focus on having one identity on the web. A great thing, right? Well, not so fast; let’s think about this one for a second.

Offline, don’t we have a system that identifies us as unique individuals already (at least in the United States)? Yes, and it’s our Social Security number. What happens, though, when someone gets a hold of it and uses it for themselves? Lots of bad things can happen. A couple of years ago my credit card company called me to inform me that some woman shared the same SSN as me and after doing some more research found out that she was an illegal immigrant.

What can you do though once someone has your identity? You can get your SSN changed and then proceed to change the one million other accounts that use your SSN as their basis of information which becomes a pain in the ass. That one point of identification can be great for a lot of things, but once things go bad they can go really bad.

Large corporations with datacenters never maintain their data backup in the same place as the live storage because what if something were to happen with the building? They decentralize their data to provide failsafes and this provides another level of security. Maybe I’m not versed enough with OpenID to understand all of its logistics, but what happens if my one single ID gets corrupted or stolen? What do I do then?

When building my.9rules we had two options:

  1. Build a system that was the end all solution for all your needs: photo storage, blog creation, video hosting, etc.
  2. Build a system that utilizes your accounts from all over the web.

Option #2 is what we envision as the decentralized way of doing things and that is what we like. What if you have everything on MySpace? Your photos, blog entries and videos, and then one day they just shut down without warning? What are you left with?

Maybe I am getting too caught up in semantics to see how the “decentralized” OpenID system is truly a good thing or how it’s really even decentralized in the first place.


6 people says things!

  1. You are right about the various risks involved using OpenID, or any other decentralized identification system (Identity 2.0). The key to success is simple: bookmarks. Bookmark the secure login page, bookmark the logout page. Even more, OpenID providers like MyOpenID.com are already implementing very innovative ways to make phishing scams nearly impossible. Like the cookie-image combo that shows a personal image only on their login page.
    Another danger here is: what if people start scamming offline? The only real measure you can take is CTRL+ALT+DEL and check for keyloggers, and NEVER EVER save your password with a password manager. Also, don’t trust other people to use your account.

    The above-mentioned security issues are not the main factors I (will probably) give up on OpenID. Something that bothers me more is in the core of OpenID’s decentralized philosophy. It uses URLs. Of course, it’s not a big deal if we live in a perfect world where servers don’t go down and your hosting is certain to be yours. But we don’t live in such a world. Things CAN go wrong. And when things go wrong, you don’t want to lose your identity.

    By Rick Wong on February 19, 2007 8:32 am

  2. Rick: Yeah I’m not really down for their method of authentication either. How many people actually own their own URL? I know a ton do, but I know a lot more that don’t.

    By Scrivs on February 19, 2007 1:18 pm

  3. I’m feeling lately like it’s not decentralized vs. centralized. I feel like in order to be a destination you must have something that is yours, but it should integrate in with other destinations, which creates a decentralized whole.

    And, I just noticed the related entry drop down on the tags for 9rules Notes…I got a little too excited about it.

    By Justin Kistner on February 19, 2007 5:16 pm

  4. The ultimate power over keeping your ID as a URL is if it’s your website, you can always change the delegation to a new provider and your ID URL stays the same.

    For example, you could make a little page at paul.wisdump.com and have that delegate to a real service. I use Verisign’s PIP to do this from oli.thepcspy.com.

    If my PIP account gets hacked, all I have to do is find a provider I can trust, and change the delegation on my oli.thepcspy.com page.

    But as you just mentioned, that’s not what everybody can do. Not everybody is a blogger. Not everybody owns a site or domain. The URLs given from services such as AOL don’t provide for delegation to a custom URL (yet), so using that as your identity could be risky…

    But only as risky as using the same username and password for everything. I think it’s 1000x more risky creating an account with somebody and giving them your email and a password because I’ve seen how many people reuse their password on everything.

    What do you do if your email gets hacked? What would I do if my site got hacked and somebody changed the delegate info?

    So yeah. There’s no clear answer for any of this. OID is more usable and lets you keep your identity around the web, but at the same time it can be hacked and the hacker has all your identities. But at the same time your email could get hacked and it could cost you the same amount of damage.

    By Oli on February 19, 2007 5:19 pm

  5. The “good” thing about registration per website is that people are USED TO it. They know (after a decade+ of common internet usage) that they shouldn’t reuse the password.

    By Rick Wong on February 20, 2007 2:14 pm

  6. Oh, I forgot this incredibly important point:
    OpenID-enabled websites are commanded to respect delegates.

    In other words, even with delegation to a “safe, secure and reliable” OpenID registrar, you need a safe, secure and reliable delegate URL. Or it will break many many websites.

    By Rick Wong on February 20, 2007 2:17 pm
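
The delegation that comments 4 and 6 discuss, as an added example that is not code from the post or from any commenter: it parses the `<link>` tags a relying party reads from the page at your identity URL, using the rel names of OpenID 1.1 and 2.0 HTML discovery, and includes a monitoring check that flags when the delegation behind an unchanged identity URL has changed. The function names, sample pages and host names are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used by OpenID 1.1 / 2.0 HTML-based discovery
SERVER_RELS = {"openid.server", "openid2.provider"}
DELEGATE_RELS = {"openid.delegate", "openid2.local_id"}

class _HeadLinks(HTMLParser):
    """Collect the first provider and delegate <link> found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.server, self.delegate = False, None, None

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = set((a.get("rel") or "").lower().split())
            href = a.get("href")
            if href and rels & SERVER_RELS and self.server is None:
                self.server = href
            if href and rels & DELEGATE_RELS and self.delegate is None:
                self.delegate = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return what a relying party learns from the page at claimed_id."""
    p = _HeadLinks()
    p.feed(html)
    if p.server is None:
        raise ValueError("page advertises no OpenID provider")
    return {"claimed_id": claimed_id, "provider": p.server,
            "local_id": p.delegate or claimed_id,
            "plain_http": urlsplit(claimed_id).scheme != "https"}

def delegation_changed(known, current):
    """Monitoring check: same identity, but a different provider or local id."""
    return (known["claimed_id"] == current["claimed_id"] and
            (known["provider"], known["local_id"]) !=
            (current["provider"], current["local_id"]))

# Constructed sample pages; every host name below is a placeholder.
PAGE_A = """<html><head>
<link rel="openid.server" href="https://provider-a.example/server">
<link rel="openid.delegate" href="https://provider-a.example/user/alice">
</head><body>hi</body></html>"""
PAGE_B = PAGE_A.replace("provider-a", "provider-b")
```

Comparing `discover()` output for the live page against the last known-good result gives the owner of a delegating page a way to notice an edit they did not make; the `plain_http` flag marks identity URLs whose page a relying party fetches without transport protection.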
