Interesting security problem that Technorati is trying to solve: how do you prove that a blog belongs to you? (In general, how do you prove that a web page belongs to you?) This is an analog of the standard email validation problem. Only email is a “write-only” media– given the email address of a person you can only write to that address. URLs are generally speaking “read-only” in that you can only view the page contents, although the web also allows more interactive content where in principle the viewer could also submit input.
Technorati has 3 options:
1. OpenID. This is natural, because the protocol was motivated by the need for having authenticated comments across blogs and URLs are used as the identifier instead of email addresses. OpenID is supported by a number of significant players including LiveJournal and AOL, and has recently received a boost after MSFT announced a way to leverage CardSpace for stronger authentication. Downside: this only works if your blogging service implements the spec as identity provider.
2. Provide username/password. Technorati signs into your blog on your behalf. Another straightforward proof, only this one requires an awful degree of trust in Technorati: you have to hope they do not publish your credentials on the Internet or use them for posting 100 spam entries. (And you did not use the same password at your bank, did you?) More sophisticated authorization systems would have the notion of “delegation” where Technorati is temporarily granted access without credentials, and may even be restricted to read-only for example. On the web, identity management is very much a V1 concept, with the exception of Windows Live ID.
3. Creating a new post with special link provided by Technorati. This is email validation in reverse: instead of sending users an email containing a link with embedded identifier, URL validation requires the “prover” to put some content with unique ID on their page, the content being chosen by the “verifier.”
And that is the purpose this article serves.