On OpenID
May 18th, 2006 by DeWitt Clinton


OpenID is a protocol that allows for the decentralized sharing of identity information. OpenID rocks and the web will be a better place as more people adopt it and the extensions that will follow.

The technically inclined may want to take a look at the OpenID specifications. The specs are clear and well-written and can be understood by anyone with some familiarity with the issues around decentralized/shared/syndicated identity.

One of the best things about OpenID is that it only tries to address one part of a very complicated issue. OpenID doesn’t deal with trust relationships or signatures or whatnot. All OpenID tries to do is to arrange a mechanism whereby a server that knows something about you can vouch for you when you tell someone else who you are.

Sorry, that was a little complicated. Let’s try and explain:

Meet Carol. Carol is the “End User”. Meet Bob. Bob is a blogger. Bob’s blog server is the “Consumer”. Carol reads Bob’s blog and wants to leave a comment. There are two fields on the comment form. One field for the comment itself. Another field is for the “OpenID Identity URL”. Carol types “carolspage.com” into the Identity URL field. Bob’s server fetches “carolspage.com”. In the HTML of carolspage.com there is a link to an OpenID “Server.” Carol has an account on the OpenID server. Bob’s server then calls up the OpenID server and says “I have someone who says she is Carol and she said you’d vouch for her. I don’t know if she’s telling the truth, though. So why don’t you and I agree on a secret? You can tell Carol our secret. If she comes back to me with the secret then I’ll know you vouch for her.” So the OpenID server tells Bob’s server a secret. Bob’s server sends Carol to the OpenID server. The OpenID server first asks Carol to log in. Then it asks her if she’d like to share her identity with Bob’s server. She says “yup!” and her OpenID server says, “okay great, just tell Bob’s server this secret and we’ll be squared away.” Carol takes the secret back to Bob’s server. At this point Bob’s server knows that Carol has been vouched for by the OpenID server. And the OpenID server knows that it is okay to tell Bob a little bit about Carol. Bob’s server goes ahead and posts the comment under Carol’s name as provided by the OpenID server.

Phew! Sound complicated? It’s not, really. In fact it is quite elegant and simple. The consumer never learns anything more about the end user than it needs to, and the server never needs to learn anything about the consumer, other than that the end user said it was okay to share.
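The exchange above, modelled in Python as an added example that is not from the original post. The “secret” the two servers agree on is the OpenID 1.1 association (an HMAC-SHA1 key tied to an assoc_handle), and what Carol carries back is an id_res assertion signed with that key; the HTTP transport and Diffie-Hellman session are left out, and the class and function names, along with the carolspage.com / bobsblog.invalid URLs, are this example’s own.

```python
import base64, hashlib, hmac, secrets
def sign(mac_key, fields, signed):
    """OpenID 1.1 openid.sig: base64(HMAC-SHA1(mac_key, kv-form of the signed fields))."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed)  # key:value lines, in openid.signed order
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

class OpenIDServer:
    """Carol's identity server: agrees on a secret with Bob, later vouches for Carol."""
    def __init__(self):
        self.associations = {}  # assoc_handle -> mac_key
    def associate(self):
        handle, mac_key = secrets.token_hex(8), secrets.token_bytes(20)
        self.associations[handle] = mac_key
        return handle, base64.b64encode(mac_key).decode()
    def checkid_setup(self, assoc_handle, identity, return_to):
        # Reached only after Carol has logged in here and approved sharing with this consumer.
        f = {"mode": "id_res", "identity": identity, "return_to": return_to,
             "assoc_handle": assoc_handle, "signed": "mode,identity,return_to"}
        f["sig"] = sign(self.associations[assoc_handle], f, f["signed"].split(","))
        return {"openid." + k: v for k, v in f.items()}  # what Carol carries back to Bob

class Consumer:
    """Bob's blog: holds the secret, then checks the assertion Carol brings back."""
    def __init__(self, server):
        self.server, self.assoc = server, {}
    def associate(self):
        handle, b64key = self.server.associate()
        self.assoc[handle] = base64.b64decode(b64key)
        return handle
    def verify(self, response, expected_identity, expected_return_to):
        f = {k[7:]: v for k, v in response.items() if k.startswith("openid.")}
        mac_key = self.assoc.get(f.get("assoc_handle"))
        if f.get("mode") != "id_res" or mac_key is None:
            return False  # unknown handle: no secret was ever agreed for this assertion
        signed = f.get("signed", "").split(",")
        if not {"mode", "identity", "return_to"} <= set(signed) or any(k not in f for k in signed):
            return False  # a signature that does not cover these fields vouches for nothing
        if not hmac.compare_digest(sign(mac_key, f, signed), f.get("sig", "")):
            return False  # secret mismatch: the server did not issue this exact assertion
        return f["identity"] == expected_identity and f["return_to"] == expected_return_to

def run_flow(tamper=False):
    """The whole exchange; with tamper=True the identity is altered on the way back to Bob."""
    server = OpenIDServer()
    bob = Consumer(server)
    handle = bob.associate()
    resp = server.checkid_setup(handle, "http://carolspage.com/", "http://bobsblog.invalid/comment")
    if tamper:
        resp["openid.identity"] = "http://someoneelse.invalid/"
    return bob.verify(resp, "http://carolspage.com/", "http://bobsblog.invalid/comment")
```

Because the consumer is only trusting what the server signed under the shared secret, nothing Carol types or her browser forwards can change who the server vouched for without the check in `verify` failing.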

After reading and writing about OpenID several months ago I couldn’t wait to write support for it into a project I’ve been toying with. But that project, like most side-projects, kept getting pushed aside and I never got to that part.

Fortunately the people over at VeriSign just launched their new Personal Identity Provider. You can sign up for free and, among other things, use their OpenID server. The VeriSign implementation looks especially good, particularly in how they allow for multiple public profiles, per-consumer expiration times, and rich audit logs that track how your identity has been used. VeriSign also specializes in security and takes your privacy pretty seriously. (There are other free OpenID servers out there, such as LiveJournal and TypeKey. You may already have an account with one of them.)

I signed up (for free) and I can now use dewitt.pip.verisignlabs.com as my identity URL.

Of course, I don’t particularly want my public identity to be “.verisignlabs”. I’d much rather it be a URL that I control and can identify with.

Fortunately the OpenID protocol provides for that as well.

I set up a VirtualHost at “dewitt.unto.net”. Right now that URL returns only a trivial page. But that trivial page contains two very important lines of XHTML:

<link rel="openid.server" href="http://dewitt.pip.verisignlabs.com/server"/>
<link rel="openid.delegate" href="http://dewitt.pip.verisignlabs.com/"/>

Those lines tell any OpenID consumer to check with VeriSign’s server whenever I use “dewitt.unto.net” as my identity. Since I control the web page “dewitt.unto.net” I can point to any OpenID server I choose. Right now I’m choosing VeriSign. Tomorrow I could choose a server that I run myself. The identity stays the same over time even when identity servers come and go.
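What a consumer does with those two lines, as an added example in Python (not code from the post or from any OpenID library): it pulls openid.server and openid.delegate out of the identity page, sends the delegate URL to the server as openid.identity, and, when the assertion comes back, re-checks that the claimed URL really delegates to the identity the server vouched for, so that nobody with an account on the same server can post as “dewitt.unto.net”. The function names, the bobsblog.invalid URLs and the inline copy of the page are this example’s own.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

class OpenIDLinkParser(HTMLParser):
    """Collect the openid.server and openid.delegate <link> tags from an identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = (a.get("rel") or "").strip().lower(), a.get("href")
        if href and rel in ("openid.server", "openid.delegate"):
            self.links.setdefault(rel, href)  # keep the first occurrence only

def discover(claimed_url, html):
    """Return (server endpoint, identity to send to that server) for a claimed identity URL."""
    p = OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found at " + claimed_url)
    # With delegation the server only knows about the delegate URL; the consumer
    # has to remember that it is asking on behalf of claimed_url.
    return server, p.links.get("openid.delegate", claimed_url)

def checkid_setup_url(server, identity, return_to, trust_root, assoc_handle=None):
    """Build the redirect that sends the end user to the server to log in and approve."""
    params = {"openid.mode": "checkid_setup", "openid.identity": identity,
              "openid.return_to": return_to, "openid.trust_root": trust_root}
    if assoc_handle:
        params["openid.assoc_handle"] = assoc_handle
    return server + ("&" if "?" in server else "?") + urlencode(params)

def asserted_identity_ok(claimed_url, html, asserted_identity):
    """The server vouches only for the delegate URL. Before posting under claimed_url,
    re-check that claimed_url really delegates to the identity that was asserted."""
    _, identity = discover(claimed_url, html)
    return asserted_identity == identity

# Constructed copy of the two-line identity page the post describes.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://dewitt.pip.verisignlabs.com/server"/>
<link rel="openid.delegate" href="http://dewitt.pip.verisignlabs.com/"/>
</head><body>trivial page</body></html>"""

if __name__ == "__main__":
    server, identity = discover("http://dewitt.unto.net/", SAMPLE_PAGE)
    print(checkid_setup_url(server, identity, "http://bobsblog.invalid/comment", "http://bobsblog.invalid/"))
```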

This is already exciting enough, but what gets me positively thrilled is thinking that companies like Amazon, Google, Yahoo, and Microsoft could support it as well. Imagine if you could sign on to your GMail account with your own identity, as verified by Yahoo’s server. Or buy something on Ebay, verified by your Amazon identity, even automatically filling in your preferred shipping address. Or logging in to Windows Live Messenger with your personal identity URL, as vouched for by AOL.

OpenID doesn’t have a notion of “trust” built in. But the protocol is open and extensible enough to allow for sites to authorize credentials from only a select list of OpenID servers. So I could set up the comment system on Unto.net to let you post with your Amazon or Google account but not with an account on some random unknown server. And the best part is that the consumer server never needs to learn anything private about you, especially not your password.

There are likely still some issues to be worked out for such advanced use of OpenID. Establishing an authority for OpenID servers (think VeriSign wants a piece of that?) and a chain-of-trust to prevent man-in-the-middle attacks come immediately to mind. But the basic theory is solid; decentralized identity will be one of the most important trends over the next several years.

By strange coincidence I brainstormed a very similar protocol in May last year. At the time I didn’t know that OpenID existed. And my ramblings focused on trust. I didn’t see then that the issue of trust is orthogonal to the issue of identity disclosure.

I might be a little late to the OpenID game. That said, it is probably better to be late than to forfeit the match entirely.

3 Responses to “On OpenID”

  1. Topher Cyll Says:

    Hi DeWitt,

    Another nice OpenID host is MyOpenID. I use them along with the same proxy technique you describe above. One of their hackers spoke at a Portland Ruby Brigade meeting a while ago. Among other things, these guys are writing OpenID libraries for a whole host of programming languages. You can find their libs on OpenIDEnabled.

    Indeed, some of our hackers at the Oregon Bus Project have started using OpenID in their political web apps to punt on the complications of user authentication/validation.

    My only worry with OpenID is that it is perhaps a trifle too confusing for some users still.

    Topher Williams ‘04

  2. DeWitt Clinton Says:

    Topher,

    Thanks for the links. MyOpenID appears to be a solid implementation. This could be an exciting space as OpenID servers start to compete for users by offering better and better services.

    BTW, your Oregon Bus Project is very interesting. I look forward to learning more about it.

    -DeWitt

  3. alexking.org: Blog > Around the web Says:

    [...] On OpenID – this was by far one of the most interesting topics for me at MashupCamp. [...]