What is OpenID?
If you have ever used a site like Amazon, MySpace, Facebook or eBay you pretty quickly notice that those sites aren't very usable until you create an account. If you are anything like me, you have hundreds of accounts strewn all over the Internet to access your favorite sites. This model has a few problems:
- Who owns your identity?
- Who owns your data?
- How do you authorize what this information can be used for?
- How do you maintain security?
Why should I care?
I care because it lowers the barrier to service adoption. If users know they don't have to fill out a registration form to access your web site, and can instead just specify their OpenID endpoint, more of them will adopt your service.
You should care because you finally own some of your data and more importantly your identity.
How can I implement OpenID on my site?
Here are some links that might help:
This is really a great first step towards data portability, which is another topic I find interesting that I hope to cover in the coming week.

Posted by: JohnE on Wednesday, February 27, 2008
I can see how this might work with one-time passwords, but not with static user IDs and passwords. What is preventing the "relying party" from recording your user ID and password? What would prevent a site from masquerading as a relying party when in fact it's not one? Any site can say they are associated with Amazon and suggest that you sign on using your Amazon credentials. There needs to be something else in place. Perhaps something like what online banks are doing now: use an icon or a pre-shared phrase to indicate that the site is really trusted. For example, you enter your ID@REALM and press enter. The relying party server then talks to the REALM server and retrieves your trusted icon and/or phrase, and it is displayed along with a field to collect your password. Still not 100% trustworthy, but at least you know the two do have some kind of relationship.