Security, The Internet

The Case for OpenID

An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."
  • by G4from128k ( 686170 ) on Tuesday December 05, 2006 @09:45AM (#17112322)
    Any website switching to openID exclusively will lose my business

    There's no need to abandon a place just because they use openID. Why not set up multiple IDs with different user names, passwords, and email addresses? (I assume that's possible under OpenID?)

    I agree that a single collection of IDs (all-eggs-one-basket) represents a dangerous single point of failure. But just because someone implements a new potentially better basket doesn't mean you have to put all your eggs in that basket or avoid using sites that use that type of basket.
  • by IL-CSIXTY4 ( 801087 ) on Tuesday December 05, 2006 @10:59AM (#17113086) Homepage
    There is no way to prevent people from making 100 accounts, which is still the problem

    Actually, that's something I see as a feature. Some people have facets of their lives that they don't want tied to and searchable by their "public" OpenID. Having multiple OpenIDs allows one to keep their private and work lives separate, for example.

    Now, one person having 100 accounts that they use to troll message boards...that's a problem best solved with a reputation system, and OpenID's creators make it clear on their site that this is not a trust or reputation system. It's also not about having a centralized profile (FOAF addresses this). OpenID is just about having a consistent ID between sites.

  • by semifamous ( 231316 ) on Tuesday December 05, 2006 @11:40AM (#17113612)
    The username and password is not entered on that site. It's entered on your own personal site.

    I've got a WordPress blog for which I found an OpenID plugin. I can go to LiveJournal and give it my blog address. It then sends me to my site which asks me "Do you want to trust this site with your identity?" You can trust it once, trust it always, or not at all.
  • by semifamous ( 231316 ) on Tuesday December 05, 2006 @11:57AM (#17113862)
    So then change your password daily.

    Or, you know, since it's OpenID and you have complete control over the server, have it set up in such a way that only your IP address can see the password in plain text when you want to log in.

    Here's how it works:
    You go to a site that uses OpenID. You enter the address of your site to authenticate. You are then redirected to your own website to authenticate (unless you're already logged in). At this point, the server you set up should ask you if you really want to trust this other site with your identity. You can trust it once and post your new comment, or trust it always if you plan on posting frequently and have that info saved on your server somewhere. Or you can change your mind and not trust it at all.

    If you want to implement a password system that nobody can ever figure out, then have it automatically generated and maybe sent to you via email every day in some encrypted format that only you can figure out.
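The round-trip described in this post, as an added example that is not from the original thread and not from any OpenID library: a relying party (RP) sends the browser to the user's own OpenID server with a `checkid_setup` request, the server applies the user's trust-once / trust-always / not-at-all decision for that site, and on approval returns a signed assertion that the RP verifies. The association secret, handle, URLs and the way trust decisions are stored are constructed assumptions; the real protocol negotiates the secret with the Diffie-Hellman exchange mentioned in the summary, and that step is skipped here. Parameter names follow OpenID 1.1 (`openid.mode`, `openid.identity`, `openid.return_to`, `openid.trust_root`, `openid.signed`, `openid.sig`).

```python
"""Simulated OpenID 1.1 login round-trip between a relying party (RP) and the
user's own identity server.  Constructed illustration: the association
(shared HMAC secret plus handle) is assumed to exist already; the real
protocol establishes it with Diffie-Hellman, which is skipped here."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values: not real sites, not a real secret.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = b"constructed-shared-secret-for-this-example-only"
USER_IDENTITY = "http://blog.example/"            # the user's own blog URL
RP_TRUST_ROOT = "http://forum.example/"
RP_RETURN_TO = "http://forum.example/openid/return"
IDP_ENDPOINT = "http://blog.example/openid/server"


def sign(secret, fields, signed):
    """OpenID 1.1 signature: HMAC-SHA1 over 'key:value\\n' lines (keys without
    the 'openid.' prefix, in the order listed in openid.signed), base64 encoded."""
    msg = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()


def rp_build_checkid_setup(identity, return_to, trust_root, assoc_handle):
    """Step 1: the RP redirects the browser to the user's server with these parameters."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": assoc_handle,
    }
    return IDP_ENDPOINT + "?" + urlencode(params)


class IdentityServer:
    """The user's own OpenID server, holding the per-site trust decisions."""

    def __init__(self, secret):
        self.secret = secret
        self.always_trusted = set()   # sites answered "trust always"
        self.never_trusted = set()    # sites answered "not at all"

    def handle_checkid(self, url, answer_if_asked):
        """Step 2: decide whether to assert the identity to this trust_root.
        answer_if_asked is what the user would click: 'once', 'always' or 'never'."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        trust_root = q["openid.trust_root"]
        if trust_root in self.never_trusted:
            return {"openid.mode": "cancel"}
        if trust_root not in self.always_trusted:
            # Not yet decided: ask the user.  'once' records nothing, so the
            # question is asked again on the next login from this site.
            if answer_if_asked == "always":
                self.always_trusted.add(trust_root)
            elif answer_if_asked == "never":
                self.never_trusted.add(trust_root)
                return {"openid.mode": "cancel"}
        signed = ["mode", "identity", "return_to"]
        resp = {
            "openid.mode": "id_res",
            "openid.identity": q["openid.identity"],
            "openid.return_to": q["openid.return_to"],
            "openid.assoc_handle": q["openid.assoc_handle"],
            "openid.signed": ",".join(signed),
        }
        resp["openid.sig"] = sign(self.secret, resp, signed)
        return resp


def rp_verify(secret, resp, expected_return_to, expected_identity):
    """Step 3: the RP checks the assertion before treating the user as logged in."""
    if resp.get("openid.mode") != "id_res":
        return False
    signed = resp["openid.signed"].split(",")
    # The fields the RP relies on must actually be covered by the signature.
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False
    if not hmac.compare_digest(sign(secret, resp, signed), resp["openid.sig"]):
        return False
    # A valid signature is not enough: the assertion must be for the identity
    # and the return URL this RP asked about, or a response obtained elsewhere
    # could be handed back here.
    return (resp["openid.return_to"] == expected_return_to
            and resp["openid.identity"] == expected_identity)


def login(server, answer):
    """One full round-trip; returns True if the RP accepts the login."""
    url = rp_build_checkid_setup(USER_IDENTITY, RP_RETURN_TO, RP_TRUST_ROOT, ASSOC_HANDLE)
    resp = server.handle_checkid(url, answer)
    return rp_verify(ASSOC_SECRET, resp, RP_RETURN_TO, USER_IDENTITY)


if __name__ == "__main__":
    server = IdentityServer(ASSOC_SECRET)
    print("trust once:", login(server, "once"))
    print("not at all:", login(server, "never"))
```

Two things the code makes visible that the prose leaves implicit: a "trust always" decision lives on the user's own server, not at the site being logged into, so revoking it is also done there; and the relying party has to check the signed `identity` and `return_to` against its own request, not just the signature, because the signature only proves the assertion came from the server, not that it answers this request.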
  • General Reply (Score:4, Informative) by Jerf ( 17166 ) on Tuesday December 05, 2006 @12:10PM (#17114038) Journal
    This is a generalized reply to a number of comments that are either reflexively nay-saying the entire idea or are not understanding what this really means.

    The intent of OpenID (as I read it) is simply to provide an identity. An identity is just a name that at least one person has permission to use, and no more. Multiple people may be able to use the identity. Perhaps some aren't "authorized" (a vague, undefined term in this case), and obtained the credentials by hacking. Maybe one person has a thousand OpenIDs. It really doesn't nail you down, break your anonymity any more than posting with a Slashdot account that has no URL, email, or distinguishing username characteristic, or give the One World Government an ID to tattoo into your arm.

    The reason this is useful is that it gives further layering something to talk about. I can't tell my blog system "John Milquetoast Xavier is allowed to post on the front page", because the blog system can't understand "people". It needs "identities". But I can say "this OpenID is allowed to post".

    And all the OpenID system will tell me is that some person has authenticated with that ID. I can further restrict their activities; I can still require a CAPTCHA, I can require a paid account, I can do all kinds of things. There's no law that says I have to let everyone with an OpenID have full permissions on my site. (When I say that, it's obvious, but based on the comments clearly some people have this idea in the back of their head.)

    I can also go the other way; if your OpenID is from a site that I trust to verify you are a real human for some reason, I might allow OpenIDs from that site more permissions than one from the random internet. If my company sets up an OpenID server that we control and allow only our employees on, I might be able to trust OpenIDs from that server more than random strangers. (Assuming good security for the sake of argument.)

    You could set up your own OpenID server to do whatever. I'm sure that if this takes off, there will be OpenID servers that people choose to leave wide open to allow anonymous OpenIDs to be created by anybody. Maybe it'll simply say "Yes, that person exists" to any query with any password, if the API allows it. Using one of those won't tie you to anything.

    What you are worried about shouldn't be "identities", you are worried about "identities that can be tied to you". The generic OpenID specification can not provide that, since in the general case the OpenID server could be anything, including a compromised box, and you therefore can not trust it a priori. All it can do is provide a label. Excessive trust in an identity system is the real problem, not an identity system.

    I've been creating a weblog for myself lately that includes comment posting, and while I don't think I'm quite ready to jump to OpenID, it's actually exactly what I'm looking for. My spam-control solution will be to moderate every comment posted, but once an identity proves its bona fides, I'll whitelist it. All I want is an identity. I don't really care if I can map it back to a person, I don't care if 10 people are using it, I just want an entity that I can deal with in my database and grant it permissions to above and beyond what an anonymous user gets. OpenID would solve that problem nicely, because I have no intention of farming out to OpenID the question of how much I trust the identity, merely the existence of an identity.
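The layering this post argues for, as an added example that is not from the thread or from any OpenID implementation: OpenID only reports that someone holding an identifier logged in, and what that identifier may do is the site's own policy. The code below normalizes the claimed identifier so spelling variants map to one identity, then applies three of the policies mentioned in the post: a whitelist that publishes immediately, extra trust (here, a CAPTCHA instead of moderation) for identifiers hosted on a server the site operator controls, and hold-for-moderation for everyone else, with automatic whitelisting once an identity has had a few comments approved. The hostnames, thresholds and tier names are constructed assumptions; the normalization follows the OpenID 2.0 URL rules in spirit rather than in full.

```python
"""Relying-party authorization layered on top of an authenticated OpenID.
Constructed example: the server names, tier labels and promotion threshold
are made up for illustration."""
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(claimed):
    """Canonical form of a claimed identifier so that 'Blog.Example',
    'http://blog.example' and 'http://blog.example/#x' are one identity.
    Simplified OpenID 2.0 URL normalization: default scheme, lowercase scheme
    and host, drop the fragment, empty path becomes '/'."""
    if "://" not in claimed:
        claimed = "http://" + claimed
    parts = urlsplit(claimed)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class CommentPolicy:
    """Decides what an authenticated identifier may do on this site."""

    PUBLISH = "publish"
    CAPTCHA = "publish-after-captcha"
    MODERATE = "hold-for-moderation"

    def __init__(self, trusted_servers, promote_after=3):
        # Hosts whose identifiers get more trust, e.g. an OpenID server the
        # company runs and allows only its own employees on (assumed, per the post).
        self.trusted_servers = {h.lower() for h in trusted_servers}
        self.whitelist = set()      # identities that have proved their bona fides
        self.approved = {}          # identity -> number of approved comments
        self.promote_after = promote_after

    def decide(self, claimed_identifier):
        """Tier for a new comment from an identifier OpenID has just authenticated."""
        ident = normalize_identifier(claimed_identifier)
        if ident in self.whitelist:
            return self.PUBLISH
        if urlsplit(ident).hostname in self.trusted_servers:
            return self.CAPTCHA
        # Any other OpenID, including one from a wide-open anonymous server,
        # is still just a label: moderate until it has earned something.
        return self.MODERATE

    def record_approval(self, claimed_identifier):
        """Called when a moderator approves a held comment; whitelists the
        identity after promote_after approvals.  Returns the approval count."""
        ident = normalize_identifier(claimed_identifier)
        self.approved[ident] = self.approved.get(ident, 0) + 1
        if self.approved[ident] >= self.promote_after:
            self.whitelist.add(ident)
        return self.approved[ident]

    def revoke(self, claimed_identifier):
        """Drop an identity back to moderation, e.g. if its credentials were taken over."""
        ident = normalize_identifier(claimed_identifier)
        self.whitelist.discard(ident)
        self.approved.pop(ident, None)


if __name__ == "__main__":
    policy = CommentPolicy(trusted_servers=["openid.corp.example"])
    print(policy.decide("Blog.Example"))                      # hold-for-moderation
    print(policy.decide("http://openid.corp.example/alice"))  # publish-after-captcha
    for _ in range(3):
        policy.record_approval("http://blog.example/#frag")
    print(policy.decide("blog.example"))                      # publish
```

Normalizing before every lookup matters more than it looks: without it a whitelist entry for `http://blog.example/` would not match a login that arrives as `Blog.Example`, and, in the other direction, a moderated identity could appear as a fresh one just by changing its capitalization or appending a fragment.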
  • by kveton ( 158252 ) on Tuesday December 05, 2006 @12:26PM (#17114314) Homepage
    I was also the one who made the "5% a week growth" claim (at the Internet Identity Workshop [windley.com] this week) and unfortunately it was not clearly quoted. "5% a week" describes the growth we are seeing in new relying parties (aka sites-that-support-OpenID). Yes, it's impossible for this growth to keep up over time but it's still a valid data point. Graph is forthcoming.

    I'm shamelessly linking to my own blog here but I think there are a few answers to the questions people are posting on this thread:

    * How do I choose a third-party OpenID provider? [kveton.com]

    * Converting your existing site to OpenID [kveton.com]

    * How do I use my own domain as my OpenID? [openidenabled.com]

    * OpenID and Phishing [kveton.com]
