Throwing stones at OpenID

To his credit, Jeremy, in his post entitled 11 Reasons Why OpenID Rocks/Sucks, does identify a few of the good things about OpenID. Thank you. (Although I caution anyone bold enough to make the claim "Bye-Bye comment spam").

However, it would be much more constructive if, in criticizing OpenID, he would also help those shaping the protocol by proposing solutions.

1) It is (as yet) too complicated for the average website owner to implement.

This I am not sure about. There are enough OpenID client and server libraries and toolkits to make this actually easy to do. Jeremy, can you please help us to understand who the average website owner is, and what from your perspective is difficult? Have you seen Movable Type's OpenID plugin by the way? It is insanely easy to install and get your blog OpenID enabled.

2) The security implications of this type of cross-site authentication haven’t been fully explored.

More explored than you might think. Embedded within every OpenID request/response are the artifacts for an agent to verify the authentication authority.

3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

That is absolutely correct. I also believe that the decoupling of trust and identity is precisely why OpenID is succeeding. It was always the intention of those that created OpenID to keep trust out of the core protocol and to leave the door open for another party to imbue trust upon an identity source. For example, I think Verisign, whose entire brand is built on trust, is a perfect 3rd party/authority to provide a service that others can utilize, one that would allow trust to be more easily conferred upon a user's OpenID credentials.

I, for example, would love for an independent third party to provide an Akismet-like service for OpenID identities. Instead of simply returning "trust" or "don't trust," I would want the service to return a trust score between 0 and 5 based upon how trusted that identity is. The heuristics of trust are not germane here, but suffice it to say the trust score would be reliable. How's that for brushing complexity under the rug?

4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”

Precisely.

5) Hackish implementations. For example, the Wordpress plugin actually creates a local Wordpress user behind the scenes. In my opinion, this is an unacceptable hack.

Why is this a hack? The system needs a handle for the user record simply to maintain database integrity. I know that in Movable Type we do the same thing, because every entry requires an author record. That author record may be completely bare, save an OpenID, but an author record exists nonetheless.

Not a hack at all, unless I am missing something.

6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity provider’s authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.

Correct. This really relates to Jeremy's first point about trust: there is nothing within the specification that requires any particular means of authentication. Technically, the OpenID server doesn't even need to issue a challenge if it doesn't want to. Furthermore, with so many OpenID implementations out there, it is trivial for a spammer to spin up a fake OpenID Server/Authority and use that to post comments.

It is only a matter of time before spammers crack OpenID and exploit its weaknesses. That is why it is so critical that we as an industry find ways, independent of the protocol itself, to secure it. OpenID's greatest asset is also its greatest liability: simplicity. But that is the hallmark of any great Internet standard, so OpenID is in good company there. Still, we shouldn't take it for granted. It is up to someone else to solve the trust problem around OpenID; that is the whole point of OpenID.
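As an added illustration (not code from the original post, nor from any OpenID library), here is how a relying party could layer the Akismet-like 0-to-5 trust score from point 3 on top of an already-verified OpenID assertion, capping an identity's score by its provider's, since, per point 6, the login is only as strong as the provider behind it. The reputation tables, hostnames and thresholds are constructed placeholders standing in for a hypothetical reputation service.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed reputation data, standing in for what a hypothetical Akismet-like
# service would return. Keys are provider hosts and normalized identifiers.
PROVIDER_SCORES = {"op-good.example": 4, "op-weak.example": 2}
IDENTITY_SCORES = {"http://alice.op-good.example/": 5,
                   "http://mallory.op-weak.example/": 0}


def normalize_identifier(claimed_id: str) -> str:
    """Normalize a URL identifier the way OpenID 2.0 does: add a scheme if
    missing, lowercase scheme and host, drop the fragment, default path to /."""
    if "://" not in claimed_id:
        claimed_id = "http://" + claimed_id
    parts = urlsplit(claimed_id)
    netloc = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/",
                       parts.query, ""))


def trust_score(claimed_id: str, op_endpoint: str) -> int:
    """Combine identity and provider reputation into a 0-5 score.

    A provider the service has never seen (e.g. one spun up yesterday) scores 0,
    an identity the service has never seen inherits its provider's score, and
    no identity can score higher than the provider that vouches for it."""
    ident = normalize_identifier(claimed_id)
    provider_host = (urlsplit(op_endpoint).hostname or "").lower()
    provider = PROVIDER_SCORES.get(provider_host, 0)
    identity = IDENTITY_SCORES.get(ident, provider)
    return min(identity, provider)


def comment_action(score: int) -> str:
    """Map a 0-5 trust score onto the relying party's comment policy."""
    if score >= 4:
        return "publish"
    if score >= 2:
        return "moderate"
    return "reject"


def decide(claimed_id: str, op_endpoint: str) -> tuple:
    """Decision for a comment posted with a verified OpenID assertion."""
    score = trust_score(claimed_id, op_endpoint)
    return score, comment_action(score)
```

The OpenID assertion itself (signature, nonce, return_to checks) is assumed to have been verified already by the relying party library before `decide` is called.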

Now, who are your candidates to solve that problem?
