What is the findmeon node standard?

findmeon helps people find each other.

findmeon is an Open Standard that creates a decentralized environment to assert and verify the ownership of online identity elements, and to aid in aggregating online personalities.

Why?

We've found that people tend to have, on average, at least 7 online identities (email accounts, instant messengers, social network memberships, etc.) -- and they often have more.

People are often known by different names on different services and go through hell trying to link those services together, and the current Open Standard solutions that try to do that don't address the issue with any level of security or verifiability.

findmeon was originally the verification and authentication framework for RoadSound.com -- developed to assure fans that verified information came directly from Bands, Labels, Booking Agents, Venues and Promoters. It was also used to map RoadSound user accounts to their personalities on other services. findmeon was split out from RoadSound in April 2006 into its own project, and migrated from a proprietary id system to digital keys shortly thereafter.

Synopsis?

You create a snippet of information that includes the resource, your asserted relation to it, and the current time.

You then cryptographically sign that information with the private portion of a public-key pairing.

Information on your public key (used to verify your signature), as well as links to other online sites, is presented in the snippet of information. Everything validates in XHTML 1.0 Strict.

The public-key component is optional, as you might want to only prove ownership of that resource to certain people or services.

Your identity across different sites is alleged by that list of other resources or a centralized repository.

Your identity is publicly verified across all the systems by successfully verifying digital signatures with your unique public key. That is, anyone can claim you have a relationship using many of the frameworks out there, but findmeon is used to digitally sign the relationship on the existing framework.

Is it a microformat?

While findmeon is similar to a microformat, it does not conform to all of the microformat requisites. findmeon is XHTML Strict compliant, machine readable and human readable, but it does not need to be visually rendered or human readable. Human readability is supported in ways similar to microformats, but because a node is not always rendered, and because findmeon is machine-readable text made to be human readable (microformats tend to be human-readable text made to be machine readable), it is not a microformat. Future versions might migrate towards a more human-readable format if the need arises.

What about OpenID, XFN | FOAF, MicroID, etc.?

OpenID is designed for 'login' style identification. XFN/FOAF are designed for relationship metadata and are useful in asserting relationships, not proving them. MicroID is easily spoofable.

findmeon doesn't try to encompass any of the goals those systems have or are capable of -- instead, it builds upon their efforts by offering new services.

findmeon is a way to securely prove a relationship between any two assets -- and is essentially a secure layer of verification on top of the already established standards above. Using findmeon you can verifiably and securely link an XFN document to an OpenID server. findmeon is designed to allow public or private verifiability according to the user's will -- so an XFN 'document' can be securely related to one account, but not another.

If you're familiar with XFN, think of findmeon like this: findmeon can let your 'xfn rel="me"' items be anchored to a digital signature. You can then either publish the public key, so that everyone knows for sure that those XFN relations are legit and not spoofed -- or you can not publish the key and have multiple circles/networks of 'xfn rel="me"' documents which are only brought together when someone is provided with a shared public key.

w3.org tried and abandoned a few projects to accomplish ends similar to this: XML signature and digital signature. XML signature was abandoned and does not validate within XHTML strict. XML dsig does not validate within XHTML strict, and is too verbose for practical use.

What do websites need to do to implement findmeon?

Nothing. findmeon is user-driven: that is, any user can assert ownership of a resource that they have 'write' or 'send/receive' access to.

Website providers do not need to add any new support.

UnSpoofable

findmeon can't be (realistically) spoofed, simply because it uses reasonably secure cryptography at its core.

That doesn't mean that findmeon is 100% secure -- while the technology can't be spoofed, there is plenty of room for human error. If a digital key pairing is compromised (stolen), then anyone can create valid findmeon nodes.

The difference between findmeon and other linking standards is that findmeon shifts the burden of error from the technology onto the user. Truth be told, it's much easier to hack into a computer or network, or guess someone's password, than it is to break an RSA key pairing -- and that is the flaw of findmeon.

Decentralized?

All you need is OpenSSL to read/write findmeon nodes. findmeon nodes are self-sufficient. findmeon was developed for commercial use on FindMeOn.com, but is freely available and implementable. findmeon nodes created by FindMeOn.com are fully publicly readable/writable/verifiable.

How do I aggregate my online identities and describe relationships using FindMeOn?

findmeon doesn't support this within the framework itself. It's neither needed nor wanted -- other projects do that trivially. You should look into XFN and FOAF.

However, you can allege a connection to other resources that contain FindMeOn nodes. Using the 'SeeAlso' node, you can:

  • List several URLs with findmeons on them in
  • List the URL of an openID repository
  • List the URL of a FOAF/XFN document
Note the use of the word 'alleged' -- SeeAlso just alleges a connection. It is up to the user to verify that connection. Given a single public key, any two (or more) findmeon nodes that can be verified using that key are securely proven.
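
The sign-and-verify flow from the synopsis and the single-key linking rule above, as an added example using the OpenSSL command line (not code from the findmeon project). The claim text layout, the names alice and mallory, the example URLs and the helper function names are constructed for illustration; this is not the findmeon node format, which this page does not show.

```shell
#!/bin/sh
# Added illustration. The claim layout below is constructed; it is NOT the
# findmeon node format. Key names, URLs and function names are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair and export the public half.
make_key() {  # $1 = key name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.pem" 2>/dev/null
    openssl pkey -in "$WORK/$1.pem" -pubout -out "$WORK/$1.pub"
}

# Write a claim (resource, asserted relation, current time) and sign it.
sign_claim() {  # $1 = key name, $2 = claim id, $3 = resource, $4 = relation
    printf 'resource=%s\nrelation=%s\ntime=%s\n' \
        "$3" "$4" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$WORK/$2.claim"
    openssl dgst -sha256 -sign "$WORK/$1.pem" \
        -out "$WORK/$2.sig" "$WORK/$2.claim"
}

# Succeeds only if the claim's signature verifies under the named public key.
verify_claim() {  # $1 = key name, $2 = claim id
    openssl dgst -sha256 -verify "$WORK/$1.pub" \
        -signature "$WORK/$2.sig" "$WORK/$2.claim" >/dev/null 2>&1
}

# Two claims are proven linked only when both verify under the same key.
linked() {  # $1 = key name, $2 and $3 = claim ids
    verify_claim "$1" "$2" && verify_claim "$1" "$3"
}

make_key alice
make_key mallory
sign_claim alice blog "https://blog.example/alice" owner
sign_claim alice forum "https://forum.example/u/alice" owner
# A claim about the same resource, signed with a different key.
sign_claim mallory fake "https://blog.example/alice" owner
# A copy of a signed claim whose text was changed after signing.
cp "$WORK/blog.sig" "$WORK/edited.sig"
sed 's/relation=owner/relation=admin/' "$WORK/blog.claim" > "$WORK/edited.claim"

linked alice blog forum && echo "blog + forum: proven to share one key"
linked alice blog fake || echo "fake: alleged link, does not verify"
verify_claim alice edited || echo "edited: signature no longer matches"
```

The mallory claim is a valid signature in its own right; it simply fails under alice's public key, which is why a verifier must decide which key it trusts before treating any set of nodes as linked.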

Open Standard?

The findmeon standard is released under the Creative Commons Attribution-No Derivative Works license -- that means anyone can implement / distribute / utilize the standard any way they wish without paying any sort of royalty fees. The only limitation is that the standard cannot be changed / forked.

Some people think that CC-NoDerivs is not a truly open license for standards, because it does not allow for forking. Many open standards are released under CC-NoDerivs -- either eternally, or until development/implementation has stabilized enough to be released under a freer license.

findmeon will eventually be released under a wider, freer license, allowing for derivs. With the resources available to the project right now, NoDerivs was the sensible option.

Specifications?

Please note that specifications are subject to change.

findmeon

The findmeon specification refers to the findmeon node structure - a standardized method to digitally sign online identities and assets.

Current Specification
0.09 (2006/06/28)
Past Specifications
0.09 (2006/06/28)
  • findmeon node standard