Update: OpenID Gets Update: Is It Safe?
Update: Following the initial post of this blog entry, Janrain representatives contacted me with some factual corrections. I have updated the article with these corrections, and extend my apologies to Janrain for the errors.
The OpenID community released OpenID 2.0 last week, and on Monday JanRain, one of the primary commercial sponsors for the protocol, announced their support for the new spec. I had a chance to speak to company founder Larry Drebes about the news.
I know, it doesn't seem like earth-shattering stuff. Online identity management specs get updated, news at 11? But as I was talking with Drebes, a couple of things struck me: is JanRain too ambitious, and will that ambition get them into trouble down the line?
First, the news: OpenID is a single sign-on identity standard that lets users carry a single ID around to multiple (participating) sites. So, for instance, if LT recognized OpenID in its registration system, you could enter all of your personal info here, once.
Then, say, if you wanted to sign up for another site that used OpenID, you could use the same ID and password on the new site, and all of your info would be entered automatically. No more tedious typing of address, phone numbers, likes, dislikes, etc.
At this point, I am relatively sure the privacy advocates among you are rearing up in your seats, ready to blister the comment area with your thoughts on why this is not such a good idea, to put it mildly. Hold on a sec, I'll get to that.
The thing that makes OpenID different, at least to me, is that it does use an open standard--JanRain may have supplied 90% of the utilities and libraries used by OpenID developers, but they are not the only company that uses the protocol to create different applications for online identity management (there are currently four core OpenID vendors). The libraries that JanRain builds for OpenID are open source, too. According to Drebes, they were initially under the GPL, though lately they've been shifted to Apache, mostly because Apple's Leopard OS X requires it.
During my chat with Drebes, he said something that struck me as odd: JanRain is still hoping to make OpenID a "mainstream protocol." He then enumerated 8,000 web sites that use OpenID, including "Google Blogger, AOL, VeriSign, France Telecom and Sun Microsystems." 8,000 web sites doesn't sound like a lot, it's true, but when you read which sites they are, that's a lot of users. 160 million, according to Drebes. Hello? That's not mainstream?
Drebes is looking down the road, I guess: he estimated that if all of the currently negotiating deals are put into place, that user number will grow to over 1 billion. I suppose that's what mainstream is.
As he was talking to me about all of this, and how OpenID works, my immediate concern was who gets to see all of this information? OpenID is decentralized--there's no hidden mountain repository of personal info for someone to crack into. But there seems to be the very real danger of fewer passwords to steal to grab my online identity. Right now, every commerce and social site I visit gets a different password, and often a different user name. If I used OpenID, the number of IDs to steal would presumably be lower.
According to Drebes, new authentication features have been added to OpenID 2.0 that will reduce phishing and other password-grabbing techniques. I kind of have to wonder about this... a security feature is only as smart as the person using it.
OpenID 2.0 also has a new "directed identity" feature that lets you have one identity on a web site and another persona on another web site. There are new plug-in and extension capabilities, too, to allow providers to add new types of information that OpenID can track (their example: frequent flyer numbers).
On the surface, all of this seems like a pretty good idea. There are lots of nifty applications for this sort of thing, both for Internet users and for enterprise IT managers looking to unify their ID-space.
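As an added example (not from the article, and not JanRain's library code), here is the check a relying party performs before trusting an OpenID 2.0 positive assertion: it recomputes the HMAC over the fields named in openid.signed using the key from its own association with the provider, confirms return_to points at itself, and refuses a replayed response_nonce. The association handle, MAC key and sample response are constructed for the example, and it assumes the relying party established an HMAC-SHA256 association rather than using stateless check_authentication.

```python
import base64
import hashlib
import hmac
# Relying-party side of OpenID 2.0: verify a positive assertion (mode=id_res)
# against an HMAC-SHA256 association.  Handle and MAC key are constructed here.
ASSOCIATIONS = {"assoc-demo-1": hashlib.sha256(b"constructed demo mac key").digest()}
# Fields the spec requires to be signed; claimed_id/identity are added when present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def key_value_form(params, signed):
    """Key-value form of the signed fields, in openid.signed order, 'openid.' prefix stripped."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed.split(",")).encode()

def sign(params, mac_key):
    """Compute openid.sig as the provider does for an HMAC-SHA256 association."""
    kv = key_value_form(params, params["openid.signed"])
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()

def verify_assertion(params, expected_return_to, seen_nonces):
    """Return (True, 'ok') if the assertion is acceptable, else (False, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match this relying party"
    mac_key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    needed = REQUIRED_SIGNED | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not needed <= set(params.get("openid.signed", "").split(",")):
        return False, "required field not covered by signature"
    try:
        expected = sign(params, mac_key)
    except KeyError:
        return False, "openid.signed names a field that is absent"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.response_nonce"] in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(params["openid.response_nonce"])
    return True, "ok"

# Constructed sample assertion, as decoded from the query string on the return_to URL.
SAMPLE = {
    "openid.mode": "id_res", "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/", "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/return", "openid.assoc_handle": "assoc-demo-1",
    "openid.response_nonce": "2007-12-06T12:00:00Zabc123",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = sign(SAMPLE, ASSOCIATIONS["assoc-demo-1"])
```

A response whose identity field was altered in transit, or one replayed from an earlier login, fails here even though the provider's original signature was genuine.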
If the protocol stays secure, that is. Being open certainly helps, since any vulnerabilities will get closed that much faster. But I don't think I'll personally be signing up for OpenID any time soon, mostly because I don't sign into that many sites. For those of you who sign up for lots of blogs and other social sites, it might be an option to explore.



When relying parties (the sites offering to login with OpenID) will get spammed day and night, then you know it's mainstream. That will also be the time somebody (me) will point to the OpenID mailing list archive of last year and point out the postings made (also by me), that this is going to be the same thing as with SMTP because the designers of OpenID couldn't care less. With the noble difference that SMTP was designed in the 80's of the previous century whereas OpenID was developed last and this year (catastrophe built-in).
Oh yes, there will be white lists, lots of work-around stuff and the like...you know it from today's SMTP.
JanRain invented OpenID? Last I heard, it was invented by Brad Fitzpatrick of LiveJournal (who does not appear to be part of JanRain; at least, he isn't mentioned on their corporate info page). Am I being unreasonable to expect journalists to get facts right?
The next target for OpenID should be OpenSocial. If you could get OpenID integrated into the OpenSocial API standards it would enable the very rapid widespread adoption of OpenID by end users - many of whom are members of multiple 'social networking' sites.
-jason
Guys, this is simply shoddy reporting. JanRain didn't invent OpenID, and they did not release OpenID 2.0 either (they released software that implements OpenID 2.0, no different than many other vendors). Also, 260 million users is a number that is strongly inflated because 99.9% of those users don't have any idea they have an OpenID. Even if you add up the top-line number, you still don't get 260 million. And nobody can verify their site numbers -- openiddirectory.com lists a lot less.
I took a look at OpenID 2.0 a couple of months ago and it scared the hell out of me. Rather than just accepting URLs as identifiers, it also accepts XRI IDs (i-names and i-numbers). Those things aren't even on the "web" - they belong to a different, bigger web. Whether the motivation behind XRI is about power (who controls the Web), or about greed (imagine you had a whole new DNS namespace that you could sell) I can't see anything positive coming from it. IMO this is a really insidious technology that could easily go mainstream on the coat-tails of OpenID. What's most worrying is that it's coming in completely under the radar. Caveat emptor!
Solving a problem I don't have. I don't *need* some offsite thingummy to remember my information for me, out "in the cloud" in somebody, or various somebodies' if it's decentralized, possession. I don't *need* a single sign-on either. My browser takes care of that stuff. I rarely have to remember a password any more. And the information stays on my computer, thanks.