Expert Texture Home Contact me About Subscribe Digipede Connect on LinkedIn rwandering on Twitter rwandering on FriendFeed

The blogged wandering of Robert W. Anderson

OpenID and the Relying Party Patchwork

Recently I have been thinking and writing about OpenID.  My thoughts have centered around two topics:

  1. Sharing one credential across all of your Internet services is not a good idea.  See How many OpenIDs do I need?
  2. The OpenID vision isn’t ready because there is not yet an ecosystem for Internet services (i.e., Relying Parties) to rate the trust level of an arbitrary Identity Provider.  See OpenID isn’t ready for prime time.

This led to a conversation with Bill Washburn, Executive Director of the OpenID Foundation. He was a pleasure to talk to and receptive to my ideas and concerns.  I left that conversation with an interest in contributing to OpenID through my writing.  I have been pretty pegged lately on other activities, but found the Microsoft HealthVault announcement interesting because it is at the intersection of these two topics. 

What is the announcement?  That Microsoft’s HealthVault will become an OpenID Relying Party later this week. 

Very cool news.  Congratulations to Microsoft for becoming the first big player to be an OpenID Relying Party in a significant way.  Also, congratulations to the OpenID Foundation and Bill Washburn for their role in this.

Now how is this intersection of these two topics?

1. Sharing Credentials

I’ll start by partially answering my first question:

How many OpenIDs do I need?

Partial answer:

I need one for each health information provider; for exclusive use with that provider.

I just don’t want to share these with any other Internet service. 

So the premise that OpenID allows me to share credentials across sites is of no value to me here.  (Note: that said, there are good reasons I might choose other Identity Providers for this application).

2. How do Relying Parties know who to Trust?

There are a growing number of providers out there, new implementations of custom coded OpenID providers, established businesses, startups, etc.

So if you want to become a Relying Party, who do you trust?  Everyone?  No.  The answer is easy.  From Sean Nolan,

The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.

You, the Relying Party, choose an explicit list of trusted Providers.  This is a completely rational approach.  Especially if you are responsible for protecting confidential data. 

Before you know it, more and more companies/services will become Relying Parties.  Each service — at least those that protect valuable confidential data — will have to perform a risk analysis to determine which Providers to accept.  Each Relying Party will end up with a different set of accepted Providers — a different set in constant flux.

Earlier I suggested that I could choose how to consolidate my OpenIDs, but the reality may be much different where I have to choose OpenID providers based on the services I use.  This reality seems like a complicated, user-hostile patchwork of Identity.  Kind of like what we had before OpenID.  Only more complicated.

What do I think should be done about it? 

One answer is that the OpenID Foundation fast-track efforts to formalize trust and reputation resources for Relying Parties. Bill Washburn had some other ideas too, and maybe this Microsoft announcement is in support of that effort.

How long will any of this take?  Can’t say, but I will continue to look on with interest and write about OpenID.  Despite my criticism, I am a fan.

Tags: , , , , ,

OpenID isn’t ready for prime time

The other day, I wrote How many OpenIDs do I need?  The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs.  Having bought into the hype of OpenID I have since:

  • Read various critiques and articles supporting OpenID.
  • Added OpenID comments to this blog. 
  • Got an i-name, =rwa, to act as my public OpenID.
  • Began tracking OpenID on Twitter.
  • Participated in discussions about OpenID in financial services.
  • Tried to Demand OpenID, only to find my OpenID verification failed : (

All together, I’ve come to a few conclusions.

Users assume OpenID has a trust layer

Track OpenID on Twitter and you’ll see what I mean.  Here is one example:

  • (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates acess #iCitizen
  • me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.

OpenID is intended to provide identity, but without trust.  Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all.  It reports “trusted” to anyone who asks.  Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.

Relying Parties don’t have any reasonable way of determining trust levels for Providers

Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot.  I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP.  That means that they manage user authentication in a reasonably secure way.  I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.

So some can’t be trusted.  In addition to the example OP above, what about the numerous self-hosted OPs that are springing up? 

How is a Relying Party to distinguish between all these different OPs? 

It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).

Fair enough, but how are services to deal with this issue today?  I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs.  But that is a brittle system to say the least.

And more

On top of this, there are many technical issues that are being raised about OpenID.  These range from security issues to privacy issues and much more.  A good round up can be found here: The problem(s) with OpenID.  Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.

OpenID isn’t ready for prime time

OpenID shows a lot of promise and has real value in some current use cases.  Google Friend Connect stands out,  as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with, OpenID might make sense).

The OpenID hype is getting way ahead of what the technology can deliver.  People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption. 

The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.

It just isn’t ready for prime time.

Tags: , , , ,