Panlibus


Will this one be the right ID

OpenID, to quote the web site, is an open, decentralized, free framework for user-centric digital identity.

OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do: with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.

By OpenID-enabling a web site, it can accept your login credentials from your chosen OpenID Provider (which could even be your own system). The outcome is that if all the sites you use were OpenID-enabled, you would only ever need one set of credentials to log in to all of them - the Holy Grail of the Internet - no more notepad documents or whatever to keep track of all those account names and passwords!

To find out more try this 5 minute informative screencast on Simon Willison’s blog, and Wikipedia.

I’m getting an attack of Déjà Vu whilst writing this [no, not the movie, which looks fun by the way, nor the fascinating "the web as we remember it" site that I tripped over whilst looking up the term]. We’ve been here before. Remember the launch of Microsoft’s Passport, or i-Names, or our first Talking with Talis podcast with Dick Hardt, Founder and CEO of sxip Identity.

These and many other peaks of web excitement over the last few years have tried to address the tricky problem of telling all the sites on the web who you are in a secure, reliable, and trusted way. A testament to how intractable this problem has been so far is that nobody can even agree on a standard scheme for what a password prompt will accept - I have yet to work out a password which will satisfy the upper/lower, alpha/numeric, min/max length criteria on all the sites I visit. (And it drives me wild!)

All the initiatives to provide a solution for a single shareable identity rely upon the fact that some central web presence, which all the other sites will reference, will hold your actual credentials. This is not necessarily a single central source; OpenID and others envisage that you could choose from many.

From my point of view this is the problem for all of them. Passport failed to take off because of this - ‘Let Microsoft become the arbiter of all Internet identity - Yeah right!!’ Others have tried to avoid this by distributing the ability to host these identity stores across many organizations, but the fundamental problem still remains - trust. Who is going to trust some third party to hold your identity, or to provide validation of an identity for login and/or single sign-on functionality? A service provider may trust an organization like a bank, but would you want your bank acting as the validator of your ID - what happens when you go overdrawn? An individual may trust an open source community site, but would a service provider?

I wish OpenID, which builds on much that has gone before, well but I have a feeling that even this will not gain critical mass. I wish I did know the answer - I could put my feet up and retire on the proceeds! But brains far bigger than mine still don’t appear to have found this particular silver bullet.

Pessimistically, I think there is a possibility that this will not be solved in a globally accepted way for a long, long time, or until we all get fitted with a personal MAC Address at birth. The present technically unsatisfactory situation is, unfortunately, just good enough to enable the wheels of Internet commerce to keep turning. If we could find a way to make the acceptance of something like OpenID a business-critical issue for the likes of Amazon, eBay, and the rest, well, things may well be different.

Afterthought
Of course, libraries are universally trusted organizations which are used to handling people’s identity information. Now, what if we could somehow enable all those borrower/patron records to be used to underpin something like OpenID? That might create a critical mass of data that would provide some momentum. The problem currently is that there is no standardly implemented way to get at that information - same old [library] story - what we need is a Platform!

8 Responses

  1. Terrell Russell Says:

    But you can trust yourself - right? You own a domain name? Use the delegation of OpenID to point your own site/URL to one of the providers if you don’t want to run an OpenID server yourself. The ability to delegate is what gives OpenID its power.

    As for everyone trusting libraries - yes - so let’s do it. Have your library (local, school, whatever) set up an OpenID service. If it’s you, help educate your patrons on the pitfalls of trying to use a single password (gah!) on every different site… instead, have them use a single URL…

    Terrell
    http://claimID.com
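The delegation Terrell describes is a discovery step: the relying party fetches the user's own URL and reads `<link>` tags in its `<head>` that name the provider endpoint (`openid.server`, or `openid2.provider` in OpenID 2.0) and the identifier the provider knows the user by (`openid.delegate` / `openid2.local_id`). The following is an added example, not code from the post or from any OpenID library; the identity page HTML is constructed inline and no network fetch is made. The checks it applies (only `<head>` is consulted, the 2.0 names win over the 1.1 ones, and the caller is told whether the endpoint is HTTPS) are what a relying-party implementer would want before trusting the result.

```javascript
// Added example (not from the page): HTML-based OpenID discovery for a delegated identity URL.
const LINK_RE = /<link\b[^>]*>/gi;
const ATTR_RE = /(\w[\w.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Return the attribute maps of every <link> tag inside <head>.
// Tags in the body are ignored: that is where user-supplied content usually lands,
// and the OpenID specs only define discovery over the document head.
function parseLinkTags(html) {
  const headEnd = html.search(/<\/head\s*>/i);
  const head = headEnd === -1 ? html : html.slice(0, headEnd);
  const links = [];
  for (const tag of head.match(LINK_RE) || []) {
    const attrs = {};
    for (const m of tag.matchAll(ATTR_RE)) {
      const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
      attrs[m[1].toLowerCase()] = value;
    }
    links.push(attrs);
  }
  return links;
}

// First href whose rel attribute contains relName (rel may hold several space-separated values).
function findRel(links, relName) {
  for (const l of links) {
    const rels = (l.rel || '').toLowerCase().split(/\s+/);
    if (rels.includes(relName) && l.href) return l.href;
  }
  return null;
}

// Resolve a claimed identifier page into {endpoint, localId, delegated, endpointIsHttps},
// or null when the page carries no OpenID discovery information.
function discover(claimedId, html) {
  const links = parseLinkTags(html);
  const endpoint = findRel(links, 'openid2.provider') || findRel(links, 'openid.server');
  if (!endpoint) return null;
  const delegate = findRel(links, 'openid2.local_id') || findRel(links, 'openid.delegate');
  return {
    claimedId,
    endpoint,
    // Without a delegate link the provider is asked about the claimed URL itself.
    localId: delegate || claimedId,
    delegated: Boolean(delegate),
    endpointIsHttps: /^https:\/\//i.test(endpoint),
  };
}

// Constructed sample page: a personal URL delegating to a hosted provider.
// The <link> in the body is deliberately outside <head> and must be ignored.
const SAMPLE_IDENTITY_PAGE = `<html><head>
<title>Richard's home page</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel='openid.delegate' href='https://provider.example/users/richard'>
</head><body>
<link rel="openid.server" href="http://somewhere-else.example/server">
</body></html>`;

console.log(discover('https://richard.example/', SAMPLE_IDENTITY_PAGE));
```

Running the block prints the resolved endpoint and delegate for the constructed page; a page with only an `openid.server` link resolves with `localId` equal to the claimed URL, and a page with no link at all yields `null` so the relying party can fall back to an error rather than guessing.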

  2. Mike Taylor Says:

    I don’t understand the difficulty of this perennial problem. Why doesn’t public key encryption solve it? The world can know what my public key is, and anyone can challenge me to prove my identity by asking me to encrypt a made-up-on-the-spot passphrase with the corresponding private key.

    Seriously, what’s the gap in this very simple scheme that I am missing?

  3. Matt Bird Says:

    4 words always come to mind in such a discussion. Single Point of Failure.

    Single sign on is possible and easy in organisations but not on a global scale where a number of important systems may be ‘unlocked’ with one sign on. I don’t want a compromised system (say EBay or indeed Talis Prism) to compromise other e-commerce sites, social sites and any other organisation that may have my details.

    Also, much as I hate to say it, I would not trust my library with the data that would be required for such a system. I certainly would be unwilling to give any organisation (but especially poorly funded, council run ones) too much info about myself and my buying/social/work/life habits.

    Finally there’s the question of ‘need’. I have not used my library for a number of years (despite being slightly book addicted) because I find they don’t stock anything I want. As such my information is totally out of date and invalid. Amazon however knows far more about me because I see them as a far more useful service. If a company or organisation no longer needs data about me then not only will *I* not update it, it becomes tricky under the UK data protection act.

  4. Richard Wallis Says:

    Some interesting comments from Terrell, Mike, and Matt.

    Yes Terrell, you can trust yourself, yes I own a domain name, and from my point of view running an OpenID server would be an ideal situation. – But what percentage of the general population are in our situation, comfortable running anything other than a browser and an email client? Look at the uptake of something simpler like RSS. Despite the massive uptake, RSS is still a mystery to the vast majority of internet users. Running your own OpenID server is something that just won’t scale.

    OK delegate to an OpenID provider you will say, but how are you going to convince the general internet user [who in my experience cannot fathom how a web site with a URL that doesn’t start with www can be a web site] that it would be in their interest to use one; get them to remember a login that looks like a web address; and overcome their reticence to trust any service that wants to capture their details in these scaremongering, about identity theft, days we live in.

    On the other hand, if I was the security guy for an online vendor I would take a heck of a lot of convincing to delegate my login security to a vast array of sources which I have no knowledge or control of.

    Mike, I’m sure public key encryption has legs in the technical side of this debate, but again can you see this being understood, let alone adopted, by the majority of the community? The process of getting a key, providing it to a site login having already identified myself, and then answering a random question, I suggest would be too much to understand and users will still just use the default login/password they are used to.

    Matt raises some of the natural concerns, that I share, about commerce and other sites being willing to delegate their account access security to others.

    On the subject of using libraries as a source of user ID services – my reason for suggesting it was the trusted ‘brand’ of the Library as reported by many a survey. Consumers are more likely to believe that the library would not do evil things with their information as compared with other commercial organisations. Similarly, I would have thought a library as a non-commercial organisation would be trusted by site providers.

    Unfortunately my pessimism still remains. Although OpenID has much going for it, I can’t see it jumping the chasm in to general adoption. We, now, are not trying to solve a technical problem. It’s all about convincing the masses. For those that are interested I suggest a good read: “The Tipping Point” by Malcolm Gladwell.

  5. Phil Wilson Says:

    Hm. Is your main point about user adoption, or trust in this style of authentication point-blank?

  6. Richard Wallis Says:

    My point is about end user adoption - don’t understand; don’t know who to trust to manage my ID; no facilities to run my own server; why should I; what’s wrong with just logging in?
    My point is also about trust by the on-line retailers - how many will trust a system which allows thousands of ID validation sources, including the users themselves.
    I’ve got no problems with OpenID as a technical solution but I remain skeptical that it, or any of the currently proposed options to solve this problem, will be able to jump the chasm in to mass adoption.

  7. Phil Wilson Says:

    I don’t think that any of these solutions will be mass-adopted. In fact, I don’t even think that these solutions are even aimed at mass adoption.

    From my point of view, they’re (that is, OpenID, SXIP, YADIS, WhoBar) aimed at the pragmatic nerd, and hoping for some small-scale viral takeup. I’m sure that some smart developer will come up with an OpenID backend which also supports Yahoo’s BBAuth and Google’s Account Authentication (and maybe MS’s InfoCard) transparently. If I could start authenticating in apps from multiple vendors with one username/password combo and had control to turn certain apps on and off, etc. I’d do it.

    It’s an interesting point about the online retailers though - surely it’s the users who have to trust the authentication system, not the retailer? After all, I decide whether to use my VISA card in a shop or not.

    Although again, I suspect that this is something for applications rather than services - that would be where I’d start anyway, somewhere the infrastructure trust requirements are lower (look at LiveJournal’s OpenID usage as a good example, where you can use the system in a limited way without getting a full account - that’s really cool).

  8. Richard Wallis Says:

    “I don’t think that any of these solutions will be mass-adopted. …aimed at the pragmatic nerd, and hoping for some small-scale viral takeup.” - With that target, OpenID is the best initiative yet, and from that point of view there is much promise in it. As a technologist, I can’t help sharing your view about the coolness of some of its applications.
    If it was aimed at mass adoption, which after all is the direction we are all headed in or there is little point, getting the buy-in of the commercial sites is key. To see how that might happen you have to understand the motivations of the people behind those sites. At the moment they seem to be moving in the direction of making it more difficult [for the average user interacting with a site] with the spread of those often unreadable images of passwords to be retyped to gain entry.
    Your use of VISA as an example is a good one. If the on-line retailers had to each implement their own payment solution, the Web would have not penetrated in to everyday life anywhere as much as it has. You are right it is up to the individual user to decide if they use their card, but obtaining that card from a trusted source such as their bank, is an understandable operation with obvious benefits. From the retailer’s point of view it is also obvious - they delegate the functionality (and much of the risk of fraud) to a small number of trusted service providers in the financial world.
    To realise the massive potential in initiatives such as OpenID a parallel ecosystem for identity transfer, to the one provided by VISA and others for financial transfer, will need to be established. Once both suppliers and consumers can delegate the complexity, and the risk of misuse, to trusted third parties broad adoption should naturally follow. - Providing the benefits are obvious.
    We have a classic problem looking for a Platform solution here. There are so many shared attributes between the credit card infrastructure [Platform of services that on-line commerce has been built upon] and what we are discussing. If you describe the concerns of the financial side of Internet commerce, trust; fraud; auditing; complexity; ease of interaction; etc. and then replace every occurrence of the words funds or money with identity, you have a good basic analysis of the shared identity problem.
    Excellent analogy, I’ll be using it in the future, thanks Phil.
