The other day, I wrote How many OpenIDs do I need? The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs. Having bought into the hype of OpenID I have since:
- Read various critiques and articles supporting OpenID.
- Added OpenID comments to this blog.
- Got an i-name, =rwa, to act as my public OpenID.
- Began tracking OpenID on Twitter.
- Participated in discussions about OpenID in financial services.
- Tried to Demand OpenID, only to find my OpenID verification failed : (
All together, I’ve come to a few conclusions.
Users assume OpenID has a trust layer
Track OpenID on Twitter and you’ll see what I mean. Here is one example:
- (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates acess #iCitizen
- me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
- (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
- me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
- (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
- me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.
OpenID is intended to provide identity, but without trust. Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all. It reports “trusted” to anyone who asks. Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.
Relying Parties don’t have any reasonable way of determining trust levels for Providers
Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot. I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP. That means that they manage user authentication in a reasonably secure way. I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.
So some can’t be trusted. In addition to the example OP above, what about the numerous self-hosted OPs that are springing up?
How is a Relying Party to distinguish between all these different OPs?
It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).
Fair enough, but how are services to deal with this issue today? I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs. But that is a brittle system to say the least.
And more
On top of this, there are many technical issues that are being raised about OpenID. These range from security issues to privacy issues and much more. A good round up can be found here: The problem(s) with OpenID. Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.
OpenID isn’t ready for prime time
OpenID shows a lot of promise and has real value in some current use cases. Google Friend Connect stands out, as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with WordPress.com, OpenID might make sense).
The OpenID hype is getting way ahead of what the technology can deliver. People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption.
The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.
It just isn’t ready for prime time.