The Case for OpenID

An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."
  • No way! (Score:4, Insightful)

    by Anonymous Coward on Tuesday December 05, 2006 @09:34AM (#17112228)
    Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?

    Urgh, no way! I do not want all my identities to be tied together through one system. My actions on one site should in no way, shape or form be able to be tied in with what I do on other sites. Compartmentalizing my online life is the best remaining way to retain a modicum of privacy and stave off easy identity theft.

    Any website switching to OpenID exclusively will lose my business. (Of course, if they offer it in addition to a standalone u/p, I'm fine with that, although I do fear that once it gets enough momentum, the standalone u/p will disappear after all.) :/

  • by lidocaineus ( 661282 ) on Tuesday December 05, 2006 @09:35AM (#17112234)
    ...but there's no real easy server implementation on Linux (or any other OS) that doesn't require you to do a decent amount of interfacing with the libraries. In other words, if you have time, it works great (i.e., your employer wants you to work on an OpenID implementation project). If you just want to host some IDs on your personal box, there's no easy drop-in server software, or even reference software; my non-coder friends can't even begin to use it. I mean, even Jabber has jabberd that you can build on.

    Anyway I'm sure that'll change in the future, but it'd be nice to have now. Or maybe I'm completely blind and there's a reference server implementation hanging around somewhere?
  • by a_nonamiss ( 743253 ) on Tuesday December 05, 2006 @09:38AM (#17112258)
    It's all well and good that I can write my own implementation of Diffie-Hellman key exchange, but if my mother can't go to a site and quickly and easily create a login, it's not going to work. I'm not at all saying it's a bad idea. Technically, it's a wonderful idea, but it has to be made so simple that anyone can access it, otherwise people are going to continue to use stupid services like Microsoft Passport.
  • by Toby The Economist ( 811138 ) on Tuesday December 05, 2006 @09:48AM (#17112374)
    > reportedly growing 5% every single week

    And WTF does that actually MEAN?

    It superficially appears to assert that the number of people using OpenID is growing each week by 5%.

    Is this the number of people *actively* using OpenID, or the total number of ALL users ever, e.g. including those by people who've used it once and then walked away?

    Is this the total number of people across ALL OpenID service providers? This seems unlikely, since someone would have had to have done the work of collating all the stats from all those providers.

    If it is then just a sampling of providers, how was the sample chosen? Is it representative? Or was it opportunistic, e.g. those OpenID service providers who are loudest about OpenID and so could be expected to tend to be those who see the largest growth rate in users?

    Also, 5% each week sustained actually means an ever increasing absolute number of users, since it's 5% of an ever larger user base. When your user base is 100 people, 5% is five new people, which isn't hard to sustain on a week in, week out basis. So what is this 5% - which could be completely inaccurate anyway, since we've no idea of the sample it's based on - 5% *of*?

  • by Elyas ( 59360 ) on Tuesday December 05, 2006 @10:02AM (#17112478)
    Actually, that's really only true if you go about it by trying to "find" the bad users.

    If you want, instead, to look for good, legitimate users with regular usage patterns, the only thing you need is the data and a single sign-on distributed across the systems. You make it easy to get a bad reputation, and hard to get a good one, just like real life. Then voting systems can more heavily favour the consistently useful users, etc.

    Finding the bad guys is whackamole, and useless :)
  • I think the other respondent hit the nail on the head.

    Most people (aka, 'your mom') won't know that they're using an OpenID at all. Instead, they'll probably just think of it as the ID of whatever service provides the OpenID authentication. So LiveJournal or whatever, but potentially in the future a more mainstream provider like Yahoo. I'd expect that sites which used OpenID and catered to a non-technical audience might even disguise the fact that it's OpenID (instead, "Sign in with your LiveJournal ID here!").

    To a user, logging in with an OpenID should be just as seamless as logging in using their Microsoft Passport or Yahoo ID, except that it would work at more sites. There's no reason for the backend infrastructure to be exposed to a casual user. One of the criteria for success of any authentication system ought to be transparency and ease of use. If it doesn't offer that, it's a failed system by virtue of irrelevance.

    As I was writing, a thought came to mind. These OpenID/cross-site-ID systems seem like they'd be a huge avenue for phishing attacks. How do you prevent someone from setting up a blog, and putting a Login field on it ("Sign in to comment with your LiveJournal/Bloglines/WhateverID!") and just harvest people's L/Ps as they're entered? Maybe I'm missing something about the system but if all the libraries for authentication and communication with the OpenID user's authenticator (whoever is 'vouching' for the OpenID user, e.g. LiveJournal) are done on the server, then the server has to be trusted with the user's OpenID username and password, or at least it would look like that to the user. It seems like there might have to be quite a bit of interface design and user education to keep people from blindly typing a master password into untrusted forms that would result in their whole identity being taken by a spammer.
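To make concrete what the article's "Diffie-Hellman key exchange at the root of OpenID authentication" and the phishing worry above actually refer to, here is a toy model of the OpenID 1.1 "smart mode" flow. This is an added example, not code from the article, from VeriSign or NetMesh, or from any OpenID library. Assumptions, all labelled in the code: a 127-bit DH modulus (real OpenID uses the 1024-bit group from the spec; this one is only large enough to show the arithmetic), an in-memory Provider with one constructed user, and no HTTP, so the three legs (association, checkid_setup, verification) are plain function calls. The point it shows is that the protocol itself only ever sends the password to the Provider: the relying party learns a shared MAC key over DH, then checks an HMAC-SHA1 assertion, a return_to it issued, and a nonce it has not seen. Nothing in the protocol stops a malicious site from drawing a fake login form, which is exactly the gap the comment points at.

```python
"""Toy OpenID 1.1 smart-mode flow (added example, not from the article or any library)."""
import base64
import hashlib
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

P = 2**127 - 1  # ASSUMPTION: toy prime modulus; real OpenID uses a 1024-bit group
G = 2


def btwoc(n):
    """Big-endian two's-complement encoding OpenID uses for DH values."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def kv_form(fields, signed):
    """OpenID key-value form ("key:value\\n") over the signed fields, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


class Provider:
    """The OpenID Provider (the user's blog host). Only it ever sees the password."""

    def __init__(self):
        self.users = {"https://alice.example/": "correct horse battery staple"}  # constructed
        self.assocs = {}

    def associate(self, rp_public):
        """DH association: the MAC key travels XORed with SHA1(btwoc(shared secret))."""
        y = secrets.randbelow(P - 2) + 1
        mask = hashlib.sha1(btwoc(pow(rp_public, y, P))).digest()
        mac_key = os.urandom(20)
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        return {"assoc_handle": handle, "dh_server_public": pow(G, y, P),
                "enc_mac_key": bytes(a ^ b for a, b in zip(mac_key, mask))}

    def checkid_setup(self, identity, return_to, assoc_handle, password):
        """The user authenticates HERE; on success, redirect back with a signed assertion."""
        mac_key = self.assocs.get(assoc_handle)
        if mac_key is None or self.users.get(identity) != password:
            return None
        fields = {"mode": "id_res", "identity": identity, "return_to": return_to,
                  "assoc_handle": assoc_handle}
        signed = ["mode", "identity", "return_to"]
        sig = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
        fields["signed"] = ",".join(signed)
        fields["sig"] = base64.b64encode(sig).decode()
        sep = "&" if "?" in return_to else "?"
        return return_to + sep + urlencode({"openid." + k: v for k, v in fields.items()})


class RelyingParty:
    """The site accepting OpenID logins. It never receives a password."""

    def __init__(self, op, return_base="https://rp.example/openid/return"):  # constructed URL
        self.return_base = return_base
        self.pending = set()  # nonces issued but not yet consumed
        x = secrets.randbelow(P - 2) + 1
        resp = op.associate(pow(G, x, P))
        mask = hashlib.sha1(btwoc(pow(resp["dh_server_public"], x, P))).digest()
        self.mac_key = bytes(a ^ b for a, b in zip(resp["enc_mac_key"], mask))
        self.assoc_handle = resp["assoc_handle"]

    def begin(self):
        """OpenID 1.1 has no protocol nonce, so the RP puts its own into return_to."""
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return self.return_base + "?" + urlencode({"nonce": nonce})

    def verify(self, redirect_url):
        """Return the asserted identity if the assertion checks out, else None."""
        q = {k[7:]: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()
             if k.startswith("openid.")}
        if q.get("mode") != "id_res" or q.get("assoc_handle") != self.assoc_handle:
            return None
        rt = urlparse(q.get("return_to", ""))
        if f"{rt.scheme}://{rt.netloc}{rt.path}" != self.return_base:
            return None  # assertion was not issued for this RP endpoint
        nonce = parse_qs(rt.query).get("nonce", [None])[0]
        if nonce not in self.pending:
            return None  # unknown or already-consumed nonce (replay)
        signed = q.get("signed", "").split(",")
        if not {"mode", "identity", "return_to"} <= set(signed) or not all(k in q for k in signed):
            return None
        expected = hmac.new(self.mac_key, kv_form(q, signed), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, base64.b64decode(q.get("sig", ""))):
            return None  # tampered or forged assertion
        self.pending.remove(nonce)
        return q["identity"]


def demo():
    """Run the flow once, plus a forgery, a replay and a wrong password."""
    op, alice, pw = Provider(), "https://alice.example/", "correct horse battery staple"
    rp = RelyingParty(op)
    good = op.checkid_setup(alice, rp.begin(), rp.assoc_handle, pw)
    forged = good.replace("alice.example", "mallory.example")  # attacker edits the identity
    return {"keys_agree": rp.mac_key == op.assocs[rp.assoc_handle],
            "forged": rp.verify(forged), "first": rp.verify(good), "replay": rp.verify(good),
            "wrong_pw": op.checkid_setup(alice, rp.begin(), rp.assoc_handle, "guess")}


if __name__ == "__main__":
    print(demo())
```

Run it and the dictionary shows the four outcomes: the DH-derived MAC keys agree, the forged identity fails the HMAC check, the genuine assertion is accepted exactly once, and a wrong password never produces an assertion at all. None of those checks involve the relying party ever handling Alice's password, which is the protocol's answer to the "server has to be trusted" concern; the fake-login-form concern is a user-interface problem the protocol leaves open.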
  • Re:No way! (Score:5, Insightful)

    by Silverstrike ( 170889 ) on Tuesday December 05, 2006 @10:43AM (#17112892)
    That's not the point.

    As the GP said, you CAN make multiple identities. For example, make a "blog-posting" account, and use it to authenticate to all the blogs in which you want to post. Use it to login to other "annoyance" login websites.

    Then make a separate one for your bank, your credit cards, etc.

    The beauty of this system is that it's a superclass of the current model -- it has all the capabilities of the established model, plus some more functionality.

  • Way! (Score:3, Insightful)

    by PopeRatzo ( 965947 ) on Tuesday December 05, 2006 @11:47AM (#17113730) Journal
    It is possible, you know, for a technology enthusiast to have some understanding of the fact that most people who use the internet are NOT technology "enthusiasts" (your term).

    Expecting actual humans to remember a host of usernames and passwords just to be able to participate in online discussions and shop for a book is not acceptable. Why can't techies get it through their heads that user friendliness is an important part of elegant software design? Security people seem to have the hardest time with this concept.

    On the flip side, I don't expect my car, my house, my office and my bicycle all to be unlocked with the same key, so the notion that one U/P combo should take care of all internet security needs is silly. But that doesn't mean that I should have to actually type in my key every time I want to use a secure site.

    In the middle of the 20th century, there was a revolution in industrial design. People like Raymond Loewy taught the world that manufactured goods can be made much better by putting some thought into the way people use them and look at them. Something similar has to happen to the world of digital tools in a big way. It's not enough to make it look pretty. It has to WORK pretty, too.

    Everyone has an experience with software where the design was so good that it was a revelation. Mine was with Logic Audio Platinum, by emagic. I'd been doing digital music for a long time, using Pro Tools, Cubase, etc, mostly on PCs. When I first sat down with LAP on a Mac, I immediately noticed that everything was easier. Less fatigue. Every tool seemed to simply be there when I needed it. If I clicked on something, the thing that happened was what I expected to happen.

    If you are a software engineer and you don't think this same concept applies to the area of software security, you aren't doing your job right.
  • Re:Way! (Score:2, Insightful)

    by mha ( 1305 ) on Tuesday December 05, 2006 @12:11PM (#17114062) Homepage
    > On the flip side, I don't expect my car, my house, my office and my bicycle all to be unlocked with the same key,

    VERY bad analogy - you don't need ANY keys to enter a store, coffee shop, etc. in the real world, but on the Internet you do! In the real world you need keys only for YOUR stuff, on the Internet they won't let you in without one even though the places are "public". (I'm not complaining about THAT, the spammers caused a lot of that so I don't blame the site owners. You'd install ID-checks at your coffee shop door too if 100 people would come in every day in order to try to sell Viagra and other stuff to your guests...)
  • by ynotme ( 1035946 ) on Tuesday December 05, 2006 @01:40PM (#17115406)
    If it is possible to easily change the password to ALL THE SITES to which I login, then I am going to be MUCH, MUCH more likely to actually change my passwords on a regular basis. This is especially true when I embrace the "new" system. The benefit to me is one username and one password, wherever I go. The cost is that I need to change that ONE password more regularly. This seems like a good, and easy, tradeoff.
  • Re:No way! (Score:3, Insightful)

    by Goaway ( 82658 ) on Tuesday December 05, 2006 @03:10PM (#17116730) Homepage
    You'll get even less spam if you delete your blog.
