
A real world example...

Posted Oct 11, 2006 10:51 UTC (Wed) by samj (subscriber, #7135)
Parent article: A look at OpenID

I recently set up a site for hosting Citrix employees' ('Citrites') blogs at http://citrite.org/blogs/ using WordPress MU. I subsequently set up Drupal at the root, http://citrite.org/, and thanks to (fairly immature) plugins for both WordPress and Drupal I should be able to have WordPress users logging in to Drupal (and vice versa) using the URL of their blog (e.g. http://citrite.org/blogs/samj/) or Drupal user (e.g. http://citrite.org/user/samj/). They could also use these URLs to authenticate with other sites (e.g. to post comments at other blogs using their own blog URL), and if this were to become a mainstream service I could use friendly URLs like 'samj.citrite.org'.

Also, by adding some tags to my (otherwise blank) site at http://samj.net I can now log in to OpenID sites (including citrite.org) as 'samj.net', which I think is pretty cool (especially if I want to have a few different centrally managed IDs for say work and play).

I see a fair bit of room for building on this system, for example by using different authenticators for different sites (e.g. my IdP could require a simple, low-level password to submit a blog comment, a stronger password to administer a blog, and perhaps even two-factor authentication by way of a token or client-side certificate to access sensitive data).

I know there are alternatives out there which are far more feature complete (Shibboleth, Liberty, etc.), but if you get OpenID for free out of the box with common open source software like WordPress and Drupal and it's 'good enough' for what you're doing (e.g. blog posts and comments), then why bother setting up dedicated infrastructure? There's no reason this can't be secure either - after all, it is in many ways like Microsoft's Passport, which has been used to secure sensitive content for years (e.g. Hotmail).

I'd like to see a decent security review of the OpenID protocol(s) as they stand, though, before I trusted it with anything particularly important.
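The "adding some tags to my site" step above is OpenID 1.x delegation: the page at the claimed identifier carries `<link rel="openid.server">` and `<link rel="openid.delegate">` tags, and a relying party fetches that page to discover where to send the user. The following is an added example, not code from the post, WordPress, Drupal or any OpenID library; it shows the relying-party side of that discovery (identifier normalisation plus link-tag parsing) over a constructed HTML page. The hostname idp.example.invalid and the `require_tls` check are assumptions of this example, not something the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def normalize_identifier(user_input):
    """Turn what the user typed (e.g. 'samj.net') into a canonical claimed
    identifier URL: add a scheme if missing, lower-case the host, and give
    an empty path a trailing slash. Fragments are dropped; the query is kept."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    u = urlparse(s)
    path = u.path or "/"
    query = "?" + u.query if u.query else ""
    return f"{u.scheme}://{u.netloc.lower()}{path}{query}"


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs from <head>; first rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may list several tokens
                self.links.setdefault(r.lower(), href)


def discover(html, require_tls=True):
    """Find the OpenID 1.x server and optional delegate on an identifier page.

    Returns None when the page is not an OpenID identifier. When require_tls
    is set (a hardening choice assumed by this example), a server endpoint
    that is not https is rejected, since the relying party will redirect the
    user's browser there and later verify the assertion against it."""
    p = _LinkCollector()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        return None
    if require_tls and urlparse(server).scheme != "https":
        raise ValueError(f"refusing non-TLS OpenID server endpoint: {server}")
    return {"server": server, "delegate": p.links.get("openid.delegate")}


# Constructed sample of an otherwise blank identifier page, in the style of
# the samj.net setup described in the post. Values are made up.
SAMPLE_PAGE = """<html><head>
<title>samj</title>
<link rel="openid.server" href="https://idp.example.invalid/openid/server">
<link rel="openid.delegate" href="https://idp.example.invalid/users/samj">
</head><body>nothing here</body></html>"""

# Same page, but delegating to a plain-http provider (constructed).
PLAIN_HTTP_PAGE = SAMPLE_PAGE.replace(
    "https://idp.example.invalid/openid/server",
    "http://idp.example.invalid/openid/server")


if __name__ == "__main__":
    claimed = normalize_identifier("samj.net")
    print("claimed identifier:", claimed)
    print("discovery:", discover(SAMPLE_PAGE))
    try:
        discover(PLAIN_HTTP_PAGE)
    except ValueError as e:
        print("rejected:", e)
```

The relying party must keep both values: the claimed identifier (what the user logs in as) and the delegate (what the provider will actually assert), and after the redirect it must check that the provider's signed assertion names the delegate it discovered, not merely some identity the provider is willing to vouch for.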



security review

Posted Oct 12, 2006 20:48 UTC (Thu) by Acapnotic (guest, #869)

VeriSign has been one of the participants in OpenID's development, and I'm told they work with some people there who know a thing or two about security. But you're right, so far there's been no published security review of the protocol, and it would be good to see one done.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds