wordpress microID plugin

(I was going to post this as a comment to Richard’s post which I found from the microID blog, but then it started to get kinda long so I decided to just write this here).

I’m a little confused by his use of microID in the comments. In addition to adding microIDs to the blog HEAD and posts, Richard’s plugin (which I have installed here) adds a microID to blog comments that is computed using the commenter’s email and webpage. I see two different use cases when it comes to microIDs and blog comments…

Verifying email/URL couplet

Richard quotes something Jeremie says on the microID homepage

Blog comment systems can check the given email address against a MicroID from the entered home page link to help reduce link spamming and blatant spoofing.

So this means a blog could potentially use a microID to verify the authenticity of an email/URL couplet claimed by a commenter. That is, when I make a comment on someone’s blog, their comment filtering system would compute a microID from the email and URL I claimed, make an out-of-band call back to my blog, and compare the result with the microID published on my site. If they match, then the email and URL are “valid” so to speak, and we’re done. If they don’t match, then the email addresses used to compute each ID are obviously different.

However, I do disagree with Jeremie’s claim that this could help reduce blatant spoofing (Jeremie even mentions this himself in an FAQ). Nothing prevents me from entering someone else’s email address and URL into a comment box. When they compare microIDs, of course they will match. This simply verifies a valid email/url couplet, but does not verify that the person making the comment actually owns either of those items. Put simply, microID does not do authentication (which the webpage mentions). Use openID for that!

Attributing ownership

The second use case is that of attributing ownership of a given comment to the author of that comment (which I think is what Richard was going after with his plugin). A microID is basically an assertion of ownership with three distinct parts.

  • The authority making the assertion – this is the actual webpage that the content is hosted on. If you have the ability to manipulate the content of a given website, then it is assumed that you have some kind of authority over that security domain (or at least a small portion of it). This authority is the URL used to compute the microID.
  • The person who owns the content – in the microID world, people are identified by email address, and this email address is used to compute the microID.
  • The content for which ownership is being asserted – this is not part of the microID itself, but rather is implied based on the placement of the ID. If I am asserting ownership of an entire website, then the microID should appear within the HEAD tag. If ownership is being asserted for a small portion of content (such as a specific blog comment), then class values are used.

Back to Richard’s plugin, the content is obviously the actual comment itself and the person is the commenter, but where I think his plugin goes astray is the authority. In this case, the authority is not the commenter’s URL, but rather the URL of where this comment is hosted (most likely the URL of the original blog post the comment was made on). This would allow the commenter to make a claim of ownership of that comment on a system such as claimID (although I believe claimID only supports page level claims right now… not sections of content like this. Speaking of which, how would you specify which portion of a webpage you were claiming ownership of? Maybe use an #anchor in the URL? The microID verifier would certainly have to know how to deal with that).

So all that to say, I think the following function:

// Current plugin behaviour: the authority is the commenter's own URL.
function add_microid_on_comment($comment = '')
{
    $microid = microid_hash(get_comment_author_email(), get_comment_author_url());
    return "<div class='microid-$microid'>$comment</div>";
}

should instead be changed to

// Proposed change: the authority is the page hosting the comment (the post's permalink).
function add_microid_on_comment($comment = '')
{
    $microid = microid_hash(get_comment_author_email(), get_permalink());
    return "<div class='microid-$microid'>$comment</div>";
}

(Wasn’t trying to pick on Richard in this post… actually I really like his plugin and find it very useful. Explaining all this in this fashion actually helped clear it up in my head as well).
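
To make both use cases concrete, here is an added PHP example (not code from Richard’s plugin or from the MicroID project). It assumes the original MicroID construction, sha1(sha1("mailto:" + email) + sha1(url)), and a `<meta name="microid">` tag for page-level claims; the function names, the example.com/example.org addresses and the `$pages` array standing in for an HTTP fetch are all hypothetical.

```php
<?php
// Added example; not code from the plugin. Assumption: the original MicroID
// construction, sha1( sha1("mailto:EMAIL") . sha1(URL) ) in lowercase hex.
function microid(string $email, string $url): string
{
    return sha1(sha1('mailto:' . $email) . sha1($url));
}

// MicroIDs asserted by a page: <meta name="microid"> (whole page) and
// class="microid-<hash>" (a section, as the plugin emits for comments).
function page_microids(string $html): array
{
    preg_match_all('/<meta\s+name=["\']microid["\']\s+content=["\']([0-9a-f]{40})["\']/i', $html, $meta);
    preg_match_all('/\bmicroid-([0-9a-f]{40})\b/', $html, $cls);
    return array_unique(array_merge($meta[1], $cls[1]));
}

// A claim "EMAIL owns content at URL" holds if the page served at URL
// (the authority) carries the matching MicroID. $pages stands in for HTTP.
// Note that nothing passed in here identifies who submitted the claim.
function claim_verifies(string $email, string $url, array $pages): bool
{
    return in_array(microid($email, $url), page_microids($pages[$url] ?? ''), true);
}

// Constructed sample data (hypothetical person and URLs).
$email  = 'alice@example.com';
$home   = 'http://alice.example.com/';
$post   = 'http://blog.example.org/2006/09/some-post/';
$before = microid($email, $home);  // plugin as shipped: commenter's URL
$after  = microid($email, $post);  // proposed change: get_permalink()

$pages = [
    $home => '<html><head><meta name="microid" content="' . $before . '"></head></html>',
    $post => "<div class='microid-$before'>comment, original plugin</div>",
];

// Use case 1: the email/URL couplet typed into the comment form, checked
// against the commenter's home page.
var_dump(claim_verifies($email, $home, $pages));

// Use case 2: the commenter claims the comment where it is hosted, first
// with the original markup on the post page, then with the changed markup.
var_dump(claim_verifies($email, $post, $pages));
$pages[$post] = "<div class='microid-$after'>comment, changed plugin</div>";
var_dump(claim_verifies($email, $post, $pages));
```

The first check succeeds for anyone who types Alice’s email and URL into the form, which is why it validates the couplet without authenticating the commenter. The second fails and the third succeeds, because only a microID computed with the permalink matches a claim verified against the page that hosts the comment.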

Comments and responses

You're absolutely right on a number of points. If the communication identifier - the email - isn't verified, the generated MicroID is just another piece of cruft. Verify the email and things get interesting (granted - maybe more trouble than anyone wants to go to on a comment - but if you can comment with OpenID, you're absolutely right - things got a lot more interesting).

As to the end of your second points, right now the verifiers are very rudimentary. I believe as this matures, verifiers will interpret the DOM and be able to tell exactly what content on a page is "claimed" by a certain MicroID. That gets pretty exciting.

I really keep thinking back to the very logical tie-ins between openID commenting and MicroID...very very powerful stuff!

Great post.

The biggest problem I see with joining openID and microID at this point is the person identifier used -- openID uses a URL while microID uses an email address. I think the most logical thing would be to modify the microID spec to optionally accept a URL as the identity token instead of an email address.

The whole idea of URL as an identifier seems to be unique to openID, but I think it is a very natural one. I would love to see other things use it as well (such as gravatar.com). This quickly becomes very cyclic -- in order to use URL as an identifier, it must be verified. In order to verify ownership of the URL one could either fully implement openID and be done with it, or continue using email address internally and then use microID to verify ownership of the URL.

Yes, I'm familiar with some of the other URL-based identity systems. I just referred to OpenID since I'm most familiar with it and (from my limited view) it seems to be garnering the most attention. Perhaps "Yadis-capable" then? :)

What I want to do on my blog is every few hours take the oldest post and move it to the front of the queue, all automatically. Anyone know if there is a plugin that can do this or a simple way to set up another plugin to do this (use my own feed perhaps)? Thanks.