Re: ORCID - unique identifiers for contributors

Yoav Nir <ynir@checkpoint.com> Mon, 16 September 2013 21:03 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8954011E8270 for <ietf@ietfa.amsl.com>; Mon, 16 Sep 2013 14:03:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.165
X-Spam-Level:
X-Spam-Status: No, score=-10.165 tagged_above=-999 required=5 tests=[AWL=0.434, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LneFXYsosTVt for <ietf@ietfa.amsl.com>; Mon, 16 Sep 2013 14:03:39 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 6F83511E82DD for <ietf@ietf.org>; Mon, 16 Sep 2013 14:02:23 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r8GL27Gd030184; Tue, 17 Sep 2013 00:02:07 +0300
X-CheckPoint: {523771CF-11-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.173]) by IL-EX10.ad.checkpoint.com ([169.254.2.246]) with mapi id 14.02.0347.000; Tue, 17 Sep 2013 00:02:07 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: John Levine <johnl@taugh.com>
Subject: Re: ORCID - unique identifiers for contributors
Thread-Topic: ORCID - unique identifiers for contributors
Thread-Index: AQHOsuqxQ28fLP9rCkajZh5xZKb7LpnImDaAgAAHKoCAAAiBgA==
Date: Mon, 16 Sep 2013 21:02:06 +0000
Message-ID: <C65F64A8-2D7B-47AF-BAAC-DE4DE57586B7@checkpoint.com>
References: <20130916203141.86927.qmail@joyce.lan>
In-Reply-To: <20130916203141.86927.qmail@joyce.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.116]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9771595138FC204B92AB04218577689D@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ietf@ietf.org>" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2013 21:03:45 -0000

On Sep 16, 2013, at 11:31 PM, John Levine <johnl@taugh.com> wrote:

>> How do I know that the sender of this message actually has the right
>> to claim the ORCID in question (0000-0001-5882-6823)? The web page
>> doesn't present anything (such as a public key) that could be used
>> for authentication.
> 
> I dunno.  How do we know who brian.e.carpenter@gmail.com is?  

What's the difference between ignorance and indifference?

Whoever brian.e.carpenter@gmail.com is, it could be a man, a woman, or a whole think tank responding as one person (like NAT, but for email). Regardless, brian.e.carpenter replies to emails and publishes drafts (which requires replying to an email), and has his name on recent RFCs (which also requires replying to the AUTH48 message).

So whoever is behind the email address, he, she or they are an active IETF participant. Right now, nobody is preventing me from submitting an I-D and listing Brian as co-author, except a mail would be sent to brian.e.carpenter@gmail.com, which he may or may not notice. We can't proceed to RFC without him noticing, because he has to reply to the AUTH48. Would it be possible to spoof all this? Maybe, but that's pretty much all you need to get a DV certificate.

If we use ORCID instead of email, we get less strong authentication. We need to bind not the ORCID to a government-issued identity, but to all other instances of ORCID use, otherwise it doesn't uniquely identify a single entity.