Johannes Ernst's Blog

URL-based Identity and Groups (Questions)

I've been meaning to blog about this for some time, and a half-finished post has been sitting on my system for months, but Rob Lanphier's post on the OpenID mailing list today finally got me to complete it. He writes:

.. I had a notion that I wanted to throw out there in case it interests anyone... I'll call it "GroupID" as shorthand.

The OpenID concept of allowing someone to simply assert "I own this URL" (and no more) is very powerful. It would be interesting to take that same approach to creating federated group memberships.

...Let's say that I want to grant everyone who has gained Sysop status on MediaWiki sysop status on my own wiki...

The GroupID concept would be that a site supporting OpenID could extend it by publishing a URL as a GroupID url. So, they could publish a URL (e.g. http://en.wikipedia.org/groupid/sysops ) of which they say "we will verify your assertion that your OpenID is a member of the group identified at that URL"...

About a month ago, Adam Nelson had written me personal e-mail asking essentially the same thing. Let me quote from there, too:

As I try to fully grok lightweight ID systems like LID and OpenID and understand the use cases they do and do not support, I'm struggling to reconcile the use of lightweight IDs to represent logical roles or groups as opposed to actual people, and the mechanics by which such IDs could be used...

...Given the task of representing logical roles or groups and membership of other identities therein, how might you accomplish this using LID?

... given a LID identity, how to confirm that the user agent presenting the identity either holds that identity, or is affiliated with the identity in much the same way an OS user account would be affiliated with a role or user group....

First, let's be clear that none of this is specific to OpenID, LID, XRI, or any other identity system; in fact, nothing inherently ties it to digital identity at all, let alone to the identity of people. For example, there is no technical difference between the following groups:

  • The list of people who are system administrators on Wikipedia (Rob's example)
  • The list of my friends (a FOAF example)
  • The list of websites I visited in the last day (something my browser remembers).
  • The list of blog posts that mention Coca Cola (something Technorati et al might track)

It's all about putting URLs into groups, whether those URLs are supposed to identify people or not, and coming up with useful protocols by which such groups of URLs can be easily created and, more importantly, used by others. (Strictly speaking, it's not even about URLs, but about any form of "digital address", including URNs, IRIs, XRIs, etc., although REST-ful HTTP, as usual, makes things easier than other protocols.)

For some of those use cases, the ability to cryptographically prove certain properties (such as membership) matters; for others it doesn't. So what Rob calls "GroupID" is yet another component that is orthogonal to authentication, like so many things in the context of digital identity.
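To make the separation concrete, here is an added Python sketch of Rob's GroupID idea that is not from the post or from any OpenID or LID implementation: a group is a URL whose document lists member URLs, and a relying party checks whether an identifier the user has already proven to own appears in that list. The group-document format, the `GROUP_DOCS` stand-in for an HTTP fetch, and the host-trust check are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(url: str) -> str:
    """Canonicalise a URL identifier (scheme and host case, default
    port, empty path, fragment) so trivial respellings of the same
    identifier cannot slip past or defeat a membership check.
    http:// and https:// are deliberately kept distinct."""
    url = url.strip()
    if "://" not in url:                  # bare "host/path" -> http
        url = "http://" + url
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))

# Constructed stand-in for documents fetched from group URLs; a real
# relying party would GET the group URL. Format is an assumption.
GROUP_DOCS = {
    "http://en.wikipedia.org/groupid/sysops": [
        "http://alice.example.org/",
        "HTTP://Alice.Example.org",      # same member, sloppy spelling
        "https://carol.example.org/",
    ],
    "http://other.example.net/groupid/sysops": [
        "http://mallory.example.org/",   # anyone can publish a list
    ],
}

def fetch_group(group_url: str):
    return GROUP_DOCS.get(normalize(group_url))

def is_member(identifier: str, group_url: str, trusted_hosts) -> bool:
    """True if `identifier` is listed by `group_url`. Proving that the
    user actually owns `identifier` is the authentication step (OpenID,
    LID, ...) and is NOT done here; membership is orthogonal to it.
    The relying party must also decide which hosts it trusts to speak
    for a group: a group document on an arbitrary host proves nothing."""
    group = normalize(group_url)
    if urlsplit(group).hostname not in trusted_hosts:
        return False
    members = fetch_group(group)
    if members is None:
        return False
    wanted = normalize(identifier)
    return any(normalize(m) == wanted for m in members)
```

The two negative cases worth noting are a member listed under a different scheme (carol is listed as https, so an http identifier does not match) and a list hosted somewhere the relying party does not trust.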

For our thoughts on how to solve this, read on ...
