Recently I have been thinking and writing about OpenID. My thoughts have centered around two topics:
- Sharing one credential across all of your Internet services is not a good idea. See How many OpenIDs do I need?
- The OpenID vision isn’t ready because there is not yet an ecosystem for Internet services (i.e., Relying Parties) to rate the trust level of an arbitrary Identity Provider. See OpenID isn’t ready for prime time.
This led to a conversation with Bill Washburn, Executive Director of the OpenID Foundation. He was a pleasure to talk to and receptive to my ideas and concerns. I left that conversation with an interest in contributing to OpenID through my writing. I have been pretty pegged lately on other activities, but found the Microsoft HealthVault announcement interesting because it is at the intersection of these two topics.
What is the announcement? That Microsoft’s HealthVault will become an OpenID Relying Party later this week.
Very cool news. Congratulations to Microsoft for becoming the first big player to be an OpenID Relying Party in a significant way. Also, congratulations to the OpenID Foundation and Bill Washburn for their role in this.
Now how is this intersection of these two topics?
1. Sharing Credentials
I’ll start by partially answering my first question:
How many OpenIDs do I need?
Partial answer:
I need one for each health information provider; for exclusive use with that provider.
I just don’t want to share these with any other Internet service.
So the premise that OpenID allows me to share credentials across sites is of no value to me here. (Note: that said, there are good reasons I might choose other Identity Providers for this application).
2. How do Relying Parties know who to Trust?
There are a growing number of providers out there, new implementations of custom coded OpenID providers, established businesses, startups, etc.
So if you want to become a Relying Party, who do you trust? Everyone? No. The answer is easy. From Sean Nolan,
The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.
You, the Relying Party, choose an explicit list of trusted Providers. This is a completely rational approach. Especially if you are responsible for protecting confidential data.
Before you know it, more and more companies/services will become Relying Parties. Each service — at least those that protect valuable confidential data — will have to perform a risk analysis to determine which Providers to accept. Each Relying Party will end up with a different set of accepted Providers — a different set in constant flux.
Earlier I suggested that I could choose how to consolidate my OpenIDs, but the reality may be much different where I have to choose OpenID providers based on the services I use. This reality seems like a complicated, user-hostile patchwork of Identity. Kind of like what we had before OpenID. Only more complicated.
What do I think should be done about it?
One answer is that the OpenID Foundation fast-track efforts to formalize trust and reputation resources for Relying Parties. Bill Washburn had some other ideas too, and maybe this Microsoft announcement is in support of that effort.
How long will any of this take? Can’t say, but I will continue to look on with interest and write about OpenID. Despite my criticism, I am a fan.