aaronpk/IndieAuth.com

Allow site owners to mark some rel="me" links as being unsuitable for contacting them

Closed this issue · 2 comments

Dan-Q commented

I imagine that this might be best done via additional microformat metadata, something along the lines of:

<link rel="me non-authoritative" href="https://twitter.com/example" />

IndieAuth (and ideally other authentication) providers would not consider such links to be valid targets for identity verification, but other metadata parsers would still consider that the resulting URL represents "me" (the person).

The following use cases illustrate why this is important:

  1. A user who delegates their third-party account to a less-trusted party (e.g. Twitter does not support delegated permissions, and so some people share their password with an underling who manages their social media: the Twitter account still represents them, but should not be trusted for authentication).
  2. A user who does not trust the level of protection provided by the authentication systems of a platform, but who still wishes to identify themselves with it. For example, a user might not personally consider GitHub's authentication strategy to be sufficiently strong to protect their identity for all purposes, but still maintain a GitHub account. In this case, they'd want to be able to use rel="me" links to identify that it was "their" GitHub account, but might not want it to be able to be used to authenticate as them.

This has been discussed a bit more on the IndieWeb wiki: https://indieweb.org/RelMeAuth#Consolidated_identities_do_not_carry_inherent_trust
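As an added example (not code from the issue, nor from indieauth.com), here is how a RelMeAuth consumer could apply the proposed token: every link carrying the `me` token still counts as an identity, but links that also carry the (hypothetical, non-standard) `non-authoritative` token are dropped from the set of authentication candidates. The sample profile page is constructed for the example.

```python
from html.parser import HTMLParser

# The extra rel token proposed in this issue. It is not a standardised
# value, so treating it this way is an assumption of this example.
NON_AUTH_TOKEN = "non-authoritative"


class RelMeParser(HTMLParser):
    """Collect every <a>/<link> whose rel attribute contains the "me" token."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (href, set of lower-cased rel tokens)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel is a space-separated, case-insensitive token list (HTML spec),
        # so "me non-authoritative" is two tokens, not one unknown value.
        tokens = {t.lower() for t in (attrs.get("rel") or "").split()}
        if href and "me" in tokens:
            self.links.append((href, tokens))


def split_rel_me(html):
    """Return (identity_urls, auth_candidate_urls) in document order."""
    parser = RelMeParser()
    parser.feed(html)
    identity = [href for href, _ in parser.links]
    auth = [href for href, toks in parser.links if NON_AUTH_TOKEN not in toks]
    return identity, auth


# Constructed sample profile page for this example.
SAMPLE = """
<html><head>
<link rel="me" href="https://github.com/example">
<link rel="me non-authoritative" href="https://twitter.com/example" />
<link rel="ME Non-Authoritative" href="https://mastodon.example/@example">
</head><body>
<a rel="me" href="mailto:me@example.com">email</a>
<a rel="nofollow" href="https://other.example/">not me</a>
</body></html>
"""

if __name__ == "__main__":
    ids, auth = split_rel_me(SAMPLE)
    print("identity:", ids)
    print("auth candidates:", auth)
```

A real provider would still have to verify that each remaining candidate links back to the profile before accepting it, as RelMeAuth requires.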

This is a question for the RelMeAuth spec, which indieauth.com implements. I like the idea, it's just a matter of figuring out the best rel value now.

A variation of this has been implemented on IndieLogin.com now! You can read about it here https://indielogin.com/setup#choosing-auth-providers

I won't be adding any new features to indieauth.com as I am in the process of phasing it out.