On OpenID

Filed under: Digital Information — mike @ 9:55 am

OpenID is an exciting new protocol specification relating to online identities and single sign-in authentication. Lately, it has been attracting a lot of attention and support, and I’m planning for it to play a major role in SPUD. Today I read a blog entry discussing OpenID by Tim Bray, and had the following comments:

“The Real Problem:” The OpenID people are working on an “Attribute Exchange” extension. This problem isn’t only applicable to enterprises. For example, there are many sites I have accounts with that only know me by username (or email) and password (I know it’s bad, but like most people, I use the same password for all these “who cares if someone steals my identity” sites). Other sites I may also allow to know my “web address,” telephone number or mailing address. For sites that currently use email to validate my existence, I would greatly prefer that this also be an attribute I can choose to provide them with (or not).

OpenID allows us to have an online identity as a URI, and gives individuals more control over their privacy. You can choose to be mostly anonymous. You can choose who has your email address and other personal information. You can choose who knows what your favorite color is or your mother’s maiden name. These attributes can layer on top of a polymorphic URI which points to different personas.

The extent to which your online identity relates to your real identity is adjustable, without loosing the benefits of having a common identifier. Should you choose to link the two together, you can. For example, by adding an attribute for your public key or client certificate. Decoupling these allows the individual to choose what to do.