The buzz around OpenID is becoming impossible to ignore. If you don’t know why, check out How To Use OpenID, a screencast by Simon Willison. As it’s used now (unless I’m missing something) OpenID seems pretty useless, but with only a little work (unless I’m missing something) it could be very useful indeed.

Problem: TLS · The first problem is that OpenID doesn’t require the use of TLS (what’s behind URIs that begin with https: ). Doing anything remotely connected with authentication over an unencrypted link where you can’t be sure who you’re talking to seems all wrong to me. I see that this subject is under discussion (here and here) in the community.

The fact that apparently-sane people think it might sometimes be OK to not use TLS makes me think there’s something obvious I’m missing. In Simon’s screencast, the pages that you type your OpenID into are unsecured; hmmm.

Problem: What’s It Mean? · Another problem with OpenID is that, well, having one doesn’t mean very much; just that you can verify that some server somewhere says it believes that the person operating the browser owns that ID.

Unless I’m missing something, as a thought experiment I could set up a bogus OpenID server at http://www.tbray.org/silly-id/ , and arrange that when queried about any OpenID whatsoever beginning with that URI, it instantly provided a positive response. For example, http://www.tbray.org/silly-id/BillGates or http://www.tbray.org/silly-id/PopeBenedictXVI . None of that nasty time-consuming authentication stuff; sure would speed up logging into OpenID-supporting sites.

Problem: Phishing · This is going to be a problem, but I don’t think it’s fair to hang it on OpenID, because it’s going to be equally a problem with any browser-based authentication. Since browser-based authentication is What The People Want, we’re just going to have to fight through this with a combination of browser engineering and (more important) educating the general public.

What Could I Use It For Today? · Here’s what I think I’d be willing to do: in the commenting system here at ongoing, I’d be inclined, if I had manually approved a comment from someone who’d authenticated via OpenID, to subsequently accept further comments from that OpenID, unmoderated.

I can’t think of anything else.

Solution: TLS · Just Do It. Create a culture where traffic is simply expected to be encrypted and secure for each step in the authentication chain. If there’s anything in the protocol that makes this hard, fix it. Yes, anyone offering authentication services will have to own and manage a cert. That is the entry-level price for me taking you seriously.

Solution: Meaning Something · I haven’t actually heard anyone argue that all OpenIDs should be considered equal to all others, which is good, because that would be a profoundly silly idea.

For some given application, I might be willing to support LiveJournal OpenIDs but not those from MyOpenID; or vice versa. There might be an opportunity for some sort of independent-security-audit business, rating quality of OpenID providers. Bruce Schneier, where are you?

Once again, maybe I’m missing something, but it seems obvious that if OpenID is ever going to be much use for real work in applications that matter, there are going to be whitelists of ID Providers. Does anyone see this as a problem? If not, all the libraries out there, Ruby and Python and PHP and so on, need to have the provider-whitelist feature built in.
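One shape that provider-whitelist feature could take, as an added example (not code from the original post and not from any OpenID library): a Python check that a provider URL is served over https and belongs to an allow-listed domain, which is what would stop the silly-id server above from being accepted. The allow-list contents, the host names for LiveJournal and MyOpenID, and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the providers this site chooses to trust. The post
# names LiveJournal and MyOpenID; the domain names are assumed here, and
# "allow_subdomains" covers per-user identifiers like user.livejournal.com.
TRUSTED_PROVIDERS = {
    "livejournal.com": {"allow_subdomains": True},
    "myopenid.com": {"allow_subdomains": True},
}


def provider_allowed(url, trusted=TRUSTED_PROVIDERS, require_tls=True):
    """Decide whether a provider URL may be trusted.

    Apply this to the claimed identifier and also to the OP endpoint that
    discovery returns for it, since OpenID lets an identifier delegate to
    any provider. Returns (allowed, reason).
    """
    parts = urlsplit(url.strip())
    try:
        host = parts.hostname      # userinfo tricks like a@b are stripped here
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port in provider URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "provider URL is not an http(s) URL"
    if require_tls and parts.scheme != "https":
        return False, "provider URL is not served over TLS"
    # Normalise the host: case-insensitive, trailing dot is the same name.
    host = host.lower().rstrip(".")
    for domain, policy in trusted.items():
        exact = host == domain
        # Match whole labels only, so notlivejournal.com does not slip through.
        sub = policy["allow_subdomains"] and host.endswith("." + domain)
        if exact or sub:
            return True, "provider %s is on the allow-list" % domain
    return False, "provider %s is not on the allow-list" % host
```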

The Real Problem · Of course, out there in the enterprise space where most of Sun’s customers live, they think about identity problems at an entirely different level. Single-sign-on seems like a little and not terribly interesting piece of the problem. They lose sleep at night over “Attribute Exchange”; once you have an identity, who is allowed to hold what pieces of information about you, and what are the right protocols by which they may be requested, authorized, and delivered? The technology is tough, but the policy issues are mind-boggling.

So at the moment I suspect that OpenID isn’t that interesting to those people. But Web-heads like me care about Plain Old Single Sign-on, and we like identifying ourselves by URI. So OpenID might scratch a pretty big itch.

Unless I’m missing something. The reason I keep saying that is that I really am an Identity newbie. I’m sure my commenters will be diligent in pointing out where I’ve gone off the rails.