OpenID Grows as Questions Linger

Carl Weinschenk

One key to the continuing expansion of the commercial Internet is simplification. As people's lives move online, they accumulate too many passwords and user names to remember. In that context, the announcement last week that Yahoo is supporting OpenID 2.0 -- a standard that enables a single log-in for multiple sites -- is significant.


It also is significant that questions linger about OpenID's security. This CSO Online post quotes Michael Barrett, PayPal's CISO and former president of the Liberty Alliance, as saying OpenID security is akin to giving scissors to a child and telling him to run around a playground.


The point of the post, however, is that despite such misgivings -- subtly stated as they are -- Google, AOL and other companies in addition to Yahoo support the technology. Like it or not, it must be taken seriously. TechCrunch also reported on companies that have committed or are talking to the OpenID Foundation, including Digg, Technorati, Microsoft, Plaxo and Wikipedia.


OpenID is a user-centric identity model consisting of a user, an identity provider (IdP) and a relying party (RP). A good explanation is offered at InfoWorld. The user makes a request of the RP, which asks for an identity credential. The user tells the credential-issuing party -- the IdP -- to send a secure and "trustworthy" message to the RP that says, in essence, that it is OK to comply with the request. The writer suggests that simplicity is both OpenID's chief strength and weakness. That may be a more diplomatic way of telling the user to be forewarned than comparisons to kids running across playgrounds carrying scissors.

Web Workers Daily provides context to the status of OpenID, which appears to be mixed to slightly negative. On the positive side, the list of companies and sites that are OpenID identity providers is growing. However, the list of sites that accept credentials created at these sites is small. Security and privacy issues also remain. There are links to posts explaining the situation. The bottom line is that some implementations may be more secure than others. The writer points out, however, that the typical user will not have the knowledge or desire to seek out the safer options.


The list of providers will grow simply because companies won't want other companies, especially competitors, to handle their security. Johannes Ernst blogs that the number of parties accepting the credentials also will grow. The dominant company in a particular sector will push to have its competitors sign on. As the Web Workers Daily post suggests, increasing the number of companies that accept OpenID credentials from end users will be the acid test for the future of the scheme.
