LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

OpenID 2.0 closing in on acceptance

OpenID 2.0 closing in on acceptance

Posted Nov 1, 2007 23:16 UTC (Thu) by jamesh (subscriber, #1159)
In reply to: OpenID 2.0 closing in on acceptance by jmtapio
Parent article: OpenID 2.0 closing in on acceptance

Your disappointment seems to stem from a misunderstanding of OpenID's purpose.

OpenID fills a similar role to the email-based authentication found on many sites (such as LWN):

  1. Users give an email address when signing up, and have to prove that they own the email address by e.g. clicking a link in an email sent by the site.
  2. Certain operations such as resetting a forgotten password require the user to again prove that they own the email address.

None of this tells the site that they should trust the user -- just that they control the email address. Any further trust will have to come from some other source.

OpenID fills a similar role, except that the user is proving that they own a URL rather than an email address. Given the potential downsides of providing your email address to a 3rd party (spam), users might be more willing to sign up with an OpenID.

As for the issue of sites correlating user information using their OpenID as a primary key, this is no different to sites correlating user information by email address.

It is true that a privacy concious user could provide different email addresses to each sites as a countermeasure, but then they could also use a different OpenID for each site too. And with the directed identity feature of OpenID 2.0, it'd even be possible to automate this.

(Log in to post comments)

OpenID 2.0 closing in on acceptance

Posted Nov 2, 2007 10:18 UTC (Fri) by jmtapio (guest, #23124) [Link]

OpenID fills a similar role to the email-based authentication found on many sites (such as LWN)

I am aware of the niche that OpenID is trying to fill, and it is certainly not a terribly bad solution for that specific problem, certainly it is a better solution than using just email. Though it remains to be seen if some infocard-derivate could become a reasonable competitor for that specific problem.

I was not clear on this but I think the main reason why I am disappointed in OpenID is that I find that it is aiming too low. There are a lot of interesting problems that can be handled with SAML 2.0 and similar stuff, but for which OpenID is inadequate.

So I do prefer OpenID rather than the current situation where every site has completely independent accounts and email verification and captcha's and all. But I would much rather see more widespread use of Liberty and SAML 2.0 protocols and I have a slight fear that people will just settle for just plain OpenID instead because it solves a small part of the bigger problem.

On the other hand it should be noted that OpenID and those other protocols are not exclusive and propably it is not very difficult to add support for one of them to a site once the other has been implemented.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds