Thursday, January 8, 2009

Has OpenID lost its mojo?

The Ostatic website has an article titled "OpenID Gets Explained, Maligned, and Dropped" that reports that support for OpenID is levelling out, and that some who have tried it are less than enthusiastic about it. It also points out that the need for sites like openidexplained is a symptom that OpenID isn't as simple to understand and use as one could wish.

I've been studying and using OpenID for about a year now, so I think I'm qualified to have some opinions on this issue ;)

First off, I believe OpenID is great, but there are some issues:

  1. Maturity.
    The libraries supporting OpenID are not very mature. Not in the sense that they don't work (the ones I've tried do work as advertised), but in the sense that they don't support all the use cases that are probably necessary for success. The ones I'm thinking about are:

    • Actual transfer of additional data (age, nickname etc.) from the identity providers. The standard supports this and it is clearly useful, it just isn't supported in practice.
    • When logging in, the ability to choose which local account you wish to associate with the OpenID identifier you use.
    • The ability to let a user identity at a site (an identity consumer) be associated with multiple OpenID identities. This is useful because it allows you to be less dependent on a single OpenID provider for access to services. Again, there is nothing in the standards that prevents this, it's just not implemented yet.

    These issues reflect the simple fact that the web is not yet used to a separation between identity providers and identity consumers, and there are several details that need to be fixed before the experience becomes flawless ;) I still believe this can happen, and it might even happen with OpenID as a carrier.

  2. Lack of support for management of trust relationships.
    This is imho a much more serious issue. If you run a site, how do you decide which ID providers to trust? Example: suppose I run a newspaper and require that everyone allowed to comment on articles be above the age of 18. Even if an identity provider supplies an age, as the OpenID standard allows, why should I trust that datum? The solution to this problem is not covered by the OpenID standard, and probably can't be, since it involves a trust relationship between the identity provider and the consumer. Unless a way is found to make it simple to enter into this type of relationship, nobody with a need for trustworthy identities will have a strong incentive to use OpenID; since the trust relationship will be bilateral anyway, there probably won't be many of them, and then the benefit of using a standardized protocol won't be that big. I believe that this issue needs to be addressed. There are many ways in which that could be done: standard trust contracts could be produced to simplify the production of bilateral trust agreements. Alternatively a "trust network" could be established, letting some set of authorities authorize identity providers (for instance, a national tax authority could authorize the identity providers that are allowed to identify people when filing their income statements). It is completely unrealistic to believe that there will ever be a single source of all authority; a tree with multiple roots, or possibly a web of trust, are more viable models. However, this -needs-to-be-in-place- for a separation of identity provision and consumption to be successful for sites that put any value on actual identities.
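To make the two points above concrete, here is an added example (not code from the original post, and not from any OpenID library) of what a relying party would need on its side: an account store that lets one local account be reached through several OpenID identifiers, and a trust policy that only accepts an asserted attribute such as age from a provider that a configured authority has endorsed for that attribute. The provider endpoints, authority name, attribute names (in particular "age", which is not a standard Simple Registration field) and the response dictionaries are all constructed for the example; the code assumes the cryptographic verification of the OpenID assertion (signature, nonce, return_to) has already been done, and starts from the verified result.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# --- Relying-party account store: one local account, many OpenID identifiers ---

@dataclass
class LocalAccount:
    username: str
    identifiers: Set[str] = field(default_factory=set)  # claimed OpenID URLs


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, LocalAccount] = {}
        self._by_identifier: Dict[str, str] = {}  # claimed_id -> username

    def create(self, username: str, claimed_id: str) -> LocalAccount:
        self._accounts[username] = LocalAccount(username)
        self.link(username, claimed_id)
        return self._accounts[username]

    def link(self, username: str, claimed_id: str) -> None:
        # A claimed identifier must map to exactly one local account;
        # silently re-binding it would let one user take over another's login.
        owner = self._by_identifier.get(claimed_id)
        if owner is not None and owner != username:
            raise ValueError(f"{claimed_id} is already linked to {owner}")
        self._accounts[username].identifiers.add(claimed_id)
        self._by_identifier[claimed_id] = username

    def unlink(self, username: str, claimed_id: str) -> None:
        # Keep at least one identifier, otherwise the account becomes unreachable.
        account = self._accounts[username]
        if len(account.identifiers) <= 1:
            raise ValueError("refusing to remove the last identifier of an account")
        account.identifiers.discard(claimed_id)
        del self._by_identifier[claimed_id]

    def lookup(self, claimed_id: str) -> Optional[str]:
        return self._by_identifier.get(claimed_id)


# --- Trust policy: which providers may assert which attributes ---

@dataclass
class TrustPolicy:
    # attribute -> authorities whose endorsement the site requires for it
    required_authority: Dict[str, Set[str]]
    # authority -> provider endpoint -> attributes that authority vouches for
    endorsements: Dict[str, Dict[str, Set[str]]]

    def trusted_for(self, op_endpoint: str, attribute: str) -> bool:
        authorities = self.required_authority.get(attribute)
        if not authorities:
            return True  # no requirement: accepted as a self-asserted value
        return any(
            attribute in self.endorsements.get(auth, {}).get(op_endpoint, set())
            for auth in authorities
        )


def evaluate_login(store: AccountStore, policy: TrustPolicy, response: dict,
                   min_age: int = 18) -> dict:
    """Decide what the site may conclude from an already-verified assertion."""
    result = {"username": store.lookup(response["claimed_id"]),
              "accepted": {}, "age_verified": False}
    for name, value in response.get("attributes", {}).items():
        if policy.trusted_for(response["op_endpoint"], name):
            result["accepted"][name] = value
    age = result["accepted"].get("age")
    result["age_verified"] = age is not None and int(age) >= min_age
    return result


# Constructed sample data (hypothetical providers, authority and identifiers).
IDP_A = "https://idp-a.example/openid"   # endorsed by the authority for age
IDP_B = "https://idp-b.example/openid"   # not endorsed for anything
SAMPLE_RESPONSES = {
    "trusted_provider": {"claimed_id": "https://alice.idp-a.example/",
                         "op_endpoint": IDP_A,
                         "attributes": {"age": "34", "nickname": "al"}},
    "untrusted_provider": {"claimed_id": "https://idp-b.example/alice",
                           "op_endpoint": IDP_B,
                           "attributes": {"age": "34", "nickname": "al"}},
}


def build_demo():
    store = AccountStore()
    store.create("alice", "https://alice.idp-a.example/")
    store.link("alice", "https://idp-b.example/alice")  # second identifier
    policy = TrustPolicy(
        required_authority={"age": {"tax-authority.example"}},
        endorsements={"tax-authority.example": {IDP_A: {"age"}}},
    )
    return store, policy


if __name__ == "__main__":
    store, policy = build_demo()
    for label, resp in SAMPLE_RESPONSES.items():
        print(label, evaluate_login(store, policy, resp))
```

Both sample logins resolve to the same local account, but only the one coming from the endorsed provider yields a verified age; the other provider's age claim is dropped while its nickname, which the policy treats as self-asserted, is still accepted. The endorsement table is the "tree with multiple roots" in miniature: adding a second authority is a matter of another key in `endorsements`, not a change to the protocol.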

To summarize: I do believe that the basic ideas behind OpenID are great, and OpenID could very well be the best identity protocol available yet. However, there is still something unfamiliar about the whole concept of separating identity provision and consumption not just into different technical servers, but into possibly totally different organizations. The issues related to this need to be discovered and acknowledged, fixes need to be made and disseminated, and unfortunately this will take some time.
