Wed, Dec 20, 2006

Brady Forrest


OpenID on the Upswing



OpenID is a lightweight, decentralized identity system that has been gaining prominence. I expect this upcoming year to be a big year for OpenID -- and not just because of the Google trend chart with the recent uptake in search query share.



OpenID is an identity system that allows you to have one username and one password for multiple sites. Your username is a URL. The password is whatever you choose (and like all passwords you should keep it secret). There are several different configurations that you can use to have an OpenID:

  • You can use an OpenID service provider and use the provided URL on their domain (e.g. yourname.vox.com)

  • You can run your own OpenID server on your own server with your own domain (e.g. yourname.com)

  • You can use a hosted OpenID service with your own domain (e.g. yourname.com). Learn how for your site or blog.
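As an added illustration of the third configuration (not code from the original post): in OpenID 1.1, delegation is expressed with `openid.server` and `openid.delegate` link tags in the head of the page at your own URL. The Python below shows how a relying party can read those tags while ignoring any that appear outside `<head>`, for example in a comment area; the domains and the `discover` helper are assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _HeadLinks(HTMLParser):
    """Collect openid.* <link> tags, but only while inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # <body> implicitly ends the head
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if href and rel.startswith("openid."):
                    self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, claimed_url):
    """Return (server_endpoint, identity_to_verify), or None if no OpenID."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if not server or urlparse(server).scheme not in ("http", "https"):
        return None
    # Without a delegate tag, the claimed URL itself is the identity.
    return server, parser.links.get("openid.delegate", claimed_url)

# Constructed sample page: delegation tags in <head>, plus a stray tag
# in the body (as user-supplied content might contain) that is ignored.
SAMPLE = """<html><head><title>yourname.com</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://yourname.provider.example/">
</head><body>
<p>comment: <link rel="openid.server" href="https://untrusted.example/s"></p>
</body></html>"""

if __name__ == "__main__":
    print(discover(SAMPLE, "http://yourname.com/"))
```
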

Lately there has been a plethora of OpenID services launching. All users of SixApart's Vox and LiveJournal automatically have OpenIDs. If you want to use a hosted service, JanRain's MyOpenID just launched with an affiliate service (for companies that want to support OpenID, but don't want to maintain their own server). They also launched with a free CAPTCHA web service called BotBouncer aimed at servicing OpenID-enabled sites. You can find other hosted services as well as your identity servers on the OpenID Wiki.

I know it sounds interesting, but what good is it to you now? OpenID is currently accepted by around 500 sites including Vox, LiveJournal, and Zooomr. Sxip is now supporting OpenID in their identity applications. Expect more Open Source applications to begin including it in an attempt to claim the I Want My OpenID Bounty. Yahooligan Simon Willison, co-creator of the Python web application framework Django, has been tagging all of the sites that accept OpenID with the tag OpenIDConsumer.

Identity is one of the last pieces of the Web 2.0 puzzle to become decentralized and fully owned by the user. Up till now we've had to rely on sites to control our identity; now with personal sites (mostly blogs) becoming common there is finally a mechanism for us to take our identities into our own hands.

Kaliya Hamlin, Identity Woman, will be doing a session on User-centric Identity Systems (including OpenID) at the Web 2.0 Expo this April.



Comments: 27

  Tony [12.21.06 01:11 AM]

Note to the editor: Zooomr is spelled with three Os, not two. The current URL points to a link-farm.

Thanks for an awesome and informational post on OpenID!

  Paul Annesley [12.21.06 01:19 AM]

Another note to the editor: the first link to openid.com also points to a link farm.

You'd be wanting openid.net

  Andrea Beggi [12.21.06 01:49 AM]

The correct link should be: http://openid.net/

  falcon [12.21.06 07:19 AM]

I just started reading up on open id. Does it make sense to have non-technical users sign up for open id? Will users understand that their username will now look very similar to a URL or their email address?

  Henrik [12.21.06 08:54 AM]

All it comes down to is whether the average user finds it valuable. I'm not too sure they actually do. A key thing is that registration on a site supporting OpenID must be just as simple as on one without.

  Brady Forrest [12.21.06 10:49 AM]

Why not simply use the same username/password for all sites? This makes even more sense using a username/password hashing page then ensures a unique, obscure p/w for every site you login to.

Really, I don't believe online identity is the same as unified login. The harder question is: how do you know I am who I claim to be? To make my point, I signed this comment using your name.

  Kevin Turner [12.21.06 12:02 PM]

You're right, that is a harder question. However, answering that question is also *completely unnecessary* for most of the communities we build on-line.

  Larry Seltzer [12.21.06 12:52 PM]

Brady: If you use one username/password combination and it's compromised you're going to have a hard time changing them all. With OpenID you can change it at one point. Plus you can get feedback on the ID's use to see if others are using it.

  Sid Steward [12.21.06 02:03 PM]

Kevin- You're right, but I believe it will become more important. Solve the online ID problem and you'll solve the spam problem.

Larry- It was I who wrote that 'one username/password' post, using Brady's name to make my point. Sorry for any confusion.

  Peter Cranstone [12.22.06 09:01 AM]

Open ID is a good idea. It's trying to solve the "Who" problem. As in, Who am I and can we make logging into a web page(s) easier. It's part of what I call the trifecta problem, or the "Who, What, Where" problem. Who is essentially "Me". My name, address, phone number, preferences. The What is the terminal and device capabilities of the connecting device. This would be the screen resolution, the size of the screen, the bandwidth connection, the available memory (very important on a mobile device). The Where is my location in real time. This can be Area code, Zip code, or preferably my GPS location.

Open ID only solves one problem, leaving the customer wanting more. It's the trifecta that makes the experience more consistent for the customer.

Customers don't buy technology, they buy solutions to their problems. The more complete the solution the happier the customers.

Cheers,

Peter

  Dmitry Shechtman [12.23.06 03:34 AM]

I believe BotBouncer is bad for OpenID. I detailed my concerns in this blog entry.

  Jesper J [01.02.07 11:57 PM]

One problem I don't see anyone discussing is that of accountability. If my private data is compromised at a Relying Party (OpenID consumer), who is responsible? An unreliable OpenID provider can compromise the data at a Relying Party, but since it's the user that picks the OpenID provider, it seems the Relying Party cannot be held responsible for the compromise. This leads to two questions:

1) How does a user know if an OpenID provider is reliable?

2) How does a Relying Party know how reliable an OpenID provider is?

It seems to me that serious Relying Parties (banks, telephone companies, etc.) will have to limit support to a few certified OpenID providers. This will lead to bi-lateral, proprietary agreements between OpenID providers and Relying Parties. E.g. Bank Of America may decide to trust Yahoo but not shadyOpenID.ru. Most likely, BofA-like companies will become OpenID providers themselves.

Users will also look for trusted brands when they pick an OpenID provider, so they will also gravitate to the few trusted entities with whom they have an existing relationship such as their bank, telco, ISV or portal (like Yahoo).

This is not to say OpenID is bad. It still provides more choice, openness and consistency than what we have today. But it's naive to think that we the users will be completely decoupled from corporations and finally own our identity.

Jesper

  Sid Steward [01.03.07 09:17 AM]

Jesper-

One idea I've had to address the accountability issue is to create a web services provider that is organized as a cooperative. That way the organization is 100% aligned with its users.

Sid

  Tahir [01.04.07 05:46 AM]

Note to editor: 'Yahooligan' refers to a little kid who uses Yahoo! services for kids and not somebody who works at Yahoo! The latter is known simply as a 'Yahoo' (without the exclamation mark).

  Salman FF [01.04.07 10:16 AM]

On Identity becoming more decentralized: great point! But I am not sure it is one of the LAST pieces of the Web 2.0 puzzle which could be decentralized... For example, as per my name url, I wonder if there can be an underlying open (and may be open source) infrastructure that dis-integrates (ie disaggregates) web-based advertising... a decentralized Identity would certainly be one important element of that infrastructure.


  Brighthouse [03.05.07 09:49 AM]

I really want to use OpenID service provider. Saved info. Thanks

  Guy Barsheshet [03.15.07 05:42 AM]

It's not about replacing username and pass.
What happens when OpenID becomes a fact and users enjoy a smooth continuance flow between sites and services?

1. new user centric services/mashups.
2. enhance OpenId protocol supporting data exchange.

what else? ..


  Stuart [11.12.07 11:28 PM]

Please note the first link for OpenID points to openid.org, which has been somewhat.. blacklisted I suppose for want of a better word, by the OpenID community for the owner's shonky practices regarding the domain.

You would be wanting to point to openid.net instead.

:)

  Halve [11.14.07 10:31 AM]

I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIP’s is good practice and lets them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com

  Asia [04.12.08 09:00 AM]

Super article. Thanks

  Części Mazda [04.24.08 07:28 AM]

Really good article. Big thanks man :)

  zegarek [06.28.08 12:34 PM]

Very helpful article for me..
Best regards !
