OpenID Foundation – Google, IBM, Microsoft, VeriSign and Yahoo

I am very happy to be able to say that Google, IBM, Microsoft, VeriSign and Yahoo are joining the OpenID Foundation (on whose board I sit). It marks the end of a lot of hard work by all parties involved, as well as — at least for me personally — the hope that we will be able to get a decentralized federated single sign-on technology across the internet.

My experience from co-authoring djabberd, as well as working on systems with large numbers of end users, has taught me the value of decentralized federation. Just as I have multiple different Jabber IDs or email addresses for different contexts, I also want to have different identities that I can use in different contexts across multiple sites.

From the beginning I was captivated by the promises of this system, and at Six Apart I worked to make sure it was available for widespread adoption. I would like to especially thank David Recordon for convincing me and others to continue, and for his tireless evangelization, which got him a 2007 Google-O’Reilly Open Source Award. It is fitting that he is now back at Six Apart.

I am very grateful to the entire OpenID Community, the rest of the Foundation board and supporting companies who have taken it this far in a little over two and a half years.

Brad Fitzpatrick created OpenID to solve the problem of people commenting between different installations of LiveJournal. Using a URL-based identity for blog commenting made perfect sense, as the identity you are commenting with is your blog. However, the URL-based identity does confuse people, and so at the Social Graph Foo Camp, Brad et al. came up with a proposal to map email addresses to OpenID URLs. Perhaps the idea of just using your email address to log in will be easier to understand.

Another area where we see innovation enabled is that OpenID does not specify how you authenticate to your OpenID provider. We have seen examples of this innovation including putting OpenID in cellphones, connecting it with the Estonian National ID card, older standards like Kerberos, new desktop authentication technologies, one-time-password tokens, and even new markets being formed around phishing-resistant web authentication.

This kind of layered extensibility is why I find the design of OpenID so important, as I’ve written before. It is an enabling technology. The basic implementation allows exploration and I am looking forward to seeing what people can use it for.

Again, thanks to all of you who made it happen.

  • Computer Consultants Kit

    It’s great to hear that despite all the tense merger/acquisition/anti-trust talk going back and forth between Yahoo, Google, and Microsoft that progress is still being made on OpenID.

    All too often these big-picture management issues can tear apart projects that have been in the works for months, even years.

    Glad to see current events haven’t disrupted progress,

    Joshua Feinberg

  • http://blog.supernaturalagency.com Martin Edic

    Could someone in your group spend a few minutes writing a clear, non-technical description of what OpenID is and why anyone should care?
    Two sentences or less and something an average, completely non-techy person can understand…

    This would do more to promote your cause than anything else- there is a huge world out there that doesn’t have a clue about this stuff.

  • http://www.davidrecordon.com David Recordon

    Today I might go for something like: OpenID allows you to use your existing account from sites like AOL, Blogger, LiveJournal, and Yahoo! to login around the web. Unlike using your email address, it doesn’t require you to choose a new password or re-enter all of your personal information just to signup for a new service.

    Martin, I think that is one of the reasons why this announcement is so compelling in my mind. Yahoo! has done a great job with making their OpenID Provider far more understandable to non-techy people than I’ve seen in the past. No, we’re not there yet but having these combined resources should really help to explain OpenID and its value to even more people.

  • http://smoothspan.wordpress.com/ Bob Warfield

    It’s time Amazon brought an OpenID Web Service to their more than 300,000 developers. Where are they on OpenID?

    More on my blog:

    http://smoothspan.wordpress.com/2008/02/07/where-is-amazon-on-openid/

    Best,

    BW

  • http://dotnetjunkies.com/WebLog/paul/archive/2008/02/07/433899.aspx paul

    Thank you, Brad Fitzpatrick, for creating OpenID; maybe soon we will know who is who.

  • Spiffing

    OpenId is just a commercial scam to allow companies to track people’s browsing.

  • http://www.groovie.org/ Ben Bangert

    Until OpenID is ready to handle authentication for websites involving financial transactions (anything where you can buy something), it’s still going to have limited uptake.

    There’s tons of websites now that have subscriptions, and other little payments systems, none of them can use OpenID until there’s additional schemes in place to make OpenID trustworthy for anything beyond social networks and blog comments. Now that big players are on board, are they moving to address this issue?

  • http://fountnhead.blogspot.com KennyO

    I don’t get it… didn’t the Liberty Alliance (projectliberty.org) try this a bunch of years ago? The organization still seems to be operating with quite a following of large backers.

  • gregory

    I expect the government to soon join the open id game, they will add real id, and that will be the end of what we think of as the open web.

  • http://www.treasurelicious.com missburrows

    Once again, our choice to use OpenId exclusively for treasurelicous.com has proved to be a smart one.

    Welcome, Google, Microsoft, Verisign, et al., to the OpenId party. Go ahead and grab a drink, the pizza is in the other room. :)

  • Joe

    The security vulnerabilities in OpenID are staggering. I do not understand why anyone is considering this as an authentication technology.

    Imagine using OpenID and having someone phish your yahoo! account. Imagine your BoA or Amazon or Google (google checkout) account is OpenIDed.

    There is zero chance I will sign up and I recommend everyone else avoid it as well.

  • paulinedoust

    Found this so throwing in my 2 pence worth. Don’t know exactly who or what it is or where I’m at. I vaguely remember doing something like micro/sft id live chat [thingy my jig], found it useful at applicable time. [Nothing worth stealing from me or mine.] Went to use it again, was asked for log in data, oh no not again, forgotten yes, yet thus adding another thingy to remember along with screen names, passwords, which e-mail etc. etc.,
    received reply to forgotten instructing me to make yet another dozen copyings, pastings, wrappings, savings, sendings, storings, general doings on PC. No time, in middle of doing something else, save to em. Thought why bother, simpler to redo new log in. Now currently trying to get pixish to function properly; seems the kick in the teeth from the world class Flickr has inspired the heads at micro to start a thingy of their own and or obtain data /pict/ from Flickr via signed up newbies from [the site], adding a slightly diff angle of [assignments] rewards/etc. Well yer, if only it would function in the application stage I’d give it a twirl; so far nothing but problems.

  • http://www.oribium.se/ Gote Borg

    The choice of an OpenID provider should probably become similar to the choice of a credit card provider. It should not be a forced decision, but it certainly is more convenient than carrying around cash. It can actually be safer in some cases, especially if you get locked out of an account for example, since your OpenID provider could become your advocate and could take steps to restore your access.

  • http://ideavine.com John Lam

    @Joe, pay attention to the location bar and opportunities for phishing are no more than password logins. Even better, Yahoo and http://IDproxy.net use only HTTPS logins, and let you upload and create a custom picture so you can clearly distinguish your Yahoo login page from a spoof. With one login, all OpenID-capable sites become accessible without worry someone might sniff your password over unsecure WiFi links.

    Most sites offering password logins also let you recover your login by submitting your e-mail address. This is an open vector for sniffing passwords and substitute logins. By comparison, OpenID sites can rely upon multiple identity providers, should you forget your login at any one. And don’t forget, from the get-go, OpenID requires no additional password to remember!