…or the greatest thing since long-lasting nasal spray (to quote the immortal Dave Barry)?
Given the announcements about OpenID providers (the latest notable ones being Yahoo and the Telegraph), it seems ordinary people have a multitude of OpenIDs to choose from, alongside all their regular “non-decentralized, non-user-centric, non-open” (to coin a phrase) identifiers. Put another way, every week I experience a net gain of about 1 new online identifier, and with the recent OpenID announcements I see the trend continuing.
It’s tantalizing that the Telegraph hints (without confirming anything yet as far as I know) that they’ll accept OpenIDs from other sources. But to the extent that OpenID providers don’t do that, or do it only by carefully vetting other partners and setting up special whitelist relationships with them wherever data of non-zero value might be exchanged, the situation will look an awful lot like it does now: circles of trust getting built through contractual negotiations, accounts being federated either one-by-one (when users request it) or in bulk (where users are okay with this sort of back-channel communication), and so on.
OpenID identifiers may be decentralized in that anyone can create and dereference them, but it’s a lot harder to “decentralize” the building of trust relationships; the world has been trying without a lot of success. So we may eventually be able to get to an ATM-network-of-networks scenario, or a roaming-telephony scenario, where all the parties have worked out all the relationships and you can use your “home” identity anywhere — but I foresee having to do it the hard way, the way the financials and the telcos (and, by the way, the InCommon Federation) have done it.
The question is, does OpenID provide other benefits that outweigh traditional (including SAML!) interfaces for making this happen? In the Identity Provider/Relying Party/User adoption triangle for OpenID, IdPs are extremely heavily weighted at the moment. This is no surprise whatsoever; opening up an OpenID interface to an existing set of accounts is relatively easy and exposes you to lots less risk than accepting arbitrary “foreign” claims. The triangle needs to even out if we’re to see network effects, and for that to happen, OpenID may have to become more and more like the thing some say is antithetical to its design center: an enterprise-class framework that caters to many different trust and privacy needs.
(Jeff Hodges has just published draft 06 of his OpenID and SAML Technical Comparison — this link goes to whatever the latest draft is — and it provides food for thought on the two approaches, particularly if you know one well and want to learn more about the other.)
But you never answered the tantalizing question posed by your blog entry’s title! Which is it? Disaster, really bad idea, or the greatest thing since sliced bread?
They’re probably somewhere in between “better than a trip to the dentist” and “greatest thing since sliced bread”, since when they succeed they’re powerful and valuable, but there may be a lot of pain involved. Personally, I have found long-lasting nasal spray to be such a huge boon that it’s hard for anything else to come close. :-)
Seems like it would be really keen if information cards were included in Jeff’s comparison.
Perhaps this is something Concordia might take on?
A three-way comparison that is this in-depth might be unwieldy, but I’ve attempted simpler ones (for example, in those Fed ID Technologies slides I published, and all the “Venn” stuff), and so have others. Maybe JeffH can be persuaded to take on another two-way comparison task for his next paper.
It’s a good idea for Concordia at least to catalogue handy comparison resources like this. There are also some SAML/WS-Fed writeups here and there. Hey Eric, want to start a page on the wiki? :-)
So let’s imagine that OpenID is a big hit and every authenticated website from my online bank to digg.com uses OpenID…
Now all I have to do as a hacker is hack into one place? LOL.
WAKE UP SHEEP.
and the hacker scenario isn’t even the worst of it, I do not want one entity holding my credentials to every authentication site I use – as a matter of fact, I do not want any entity other than the one I’m visiting to hold the credentials for that site.