02 March 2009

OpenID: a reply to Prok

This article is a copy of a reply to a blogpost on Second Thoughts crucifying OpenID as found here. To read it without this in context will probably be like attacking George W. Bush with only one shoe, so I think, yes, you should read the original post first. As always, constructive positive/negative comments will be welcomed, trolls will be shot out of a cannon containing the contents of my piggy bank. (Look how it jingles.)

1. OpenID is hard to use and misleading in its claims.

I'll be the first to admit that until recently, OpenID was a closed book to me, but they have done a reasonable job in recent weeks of remedying these issues. In fact, if you log right into http://openid.net, the homepage has reconcentrated more on blogged news about the system, as well as the three main issues: What and why OpenID, Where to get OpenIDed and Where it can be used. The main issue is poor design that doesn't draw attention to these three places:

Externally, both Google and Yahoo! have also thrown their weight behind providing OpenIDs linked to people's accounts with them, although their efforts to reduce confusion by renaming them as "Yahoo! IDs" or "Google Accounts" could just as easily worsen matters.

But if nobody cares, and nobody does anything, nothing changes. Or worse.

2. OpenID is decentralized and therefore not the same everywhere.

OpenID is merely an identity and authentication scheme. You'll find that in actual fact, a lot of accounts in many places use a lot of other data besides just your login data and passwords.

Forums need to track your timezone to help you keep a perspective of when other people post and comment in relation to your local time, as well as what posts you haven't read and might want to read. - Your OpenID provider shouldn't need to keep that info that unless it's the same service.
To-do lists need to track your specified chores and how you're doing with them, whether you're early, whether you're late, what you need to do them et al. Your OpenID provider shouldn't need to keep that info unless it's the same service in question.
Blogging services may want to link the comments you've made to date together to allow you a clearer view of how you've said things previously. Your OpenID provider shouldn't blah blah blah ditto.
The only thing they seriously need to keep is enough info to identify you if subpoenaed for legally valid reasons. They should not be handing it to anyone else, and their policies should reflect that. the only thing a OpenID provider should say is "yes/no, the guy who claims to be this OpenID is indeed/not the person he claims to be."

Would you rather open yourself to compromise by setting only one policy and openly sharing your personal data willy nilly after OpenID login, rather than offering only what you believe to be acceptable for public consumption whenever you log in?

I thought not.

3. OpenID accepts other services' log-ons, but would I give my email password to everybody?!

Best practice is already laid down on this matter: if a site gets a OpenID-based request, it should redirect to the OpenID provider you chose, allowing it to handle the authentication on its own side, and handling the matter of confirming your identity with the requesting server on its own.

Obviously, unless the OpenID provider is insane, it should be able to say this according to the schema laid out by OpenID WITHOUT involving your password in any manner, only confirming that your OpenID is being used legitimately.

This kind of makes OpenID provider servers the weakest link in the system, but OpenID also provides repudiation services to reject OpenIDs issued from select places where the server has clearly been compromised beyond the reasonable standards of the a server, and this is not system-wide, only based on the judgement of the administrator of each service relying on OpenIDs.

4. OpenID has a reputation system, with all the awfulness that implies.

Only to the extent that any form of id has a reputation built up around it. As a wag once put it to me - a troll under any userid and auth scheme, is just another guy to wield the banhammer on.

Also: remember what I mentioned about OpenID's ability to stop accepting an OpenID from a provider - it is enforced only on per-administrator level, and never on the entire network of logins and providers on OpenID. that means that if your OpenID gets turned down at the door and errors are not involved, you (or your choice of provider) are just not welcomed by the admins. Whether this is a good or bad thing really depends on circumstances beyond this discussion's bounds...

5. OpenID makes it impossible to make multiple accounts with similar names, or alts.

Far from it - I used three separate OpenIDs to date: one off of Edith Cowan University servers that certifies users as staff and students of the colleges it runs, one off of SLOpenID.net that confirms I am indeed THE blue wooly wildcat with THAT NAME, one off of gov.sg servers that confirms that I am indeed working on governmental issues on an irregular basis... but I only run that last one when I'm really working seriously.
OpenID does not preclude the use of multiple accounts or identities, Prok - in fact, it can just as easily be one way of clarifying the distinction about something said in mere jest, and something said in an official capacity.

Your current woes with your current OpenID provider are specific to provider, rather than the actual schema itself. Do NOT incinerate the entire flock simply because one sheep is black. (Though I understand the end result of doing so is that every sheep is equally black and charred to bits xD)

6. OpenID *is* centralized, in fact, really.

But of COURSE some aspects of it must be centralized, as a standard - the prompting and reply methods for authentication have to remain standard. The server requesting proof that an OpenID is indeed being used properly has to expect a certain reply back from the provider. Computers are dumb and only understand "yes" in the ways "yes" has been defined, and we have to unfortunately live with that limitation in terms of being less-than-ambiguous with computer-based replies.

But OpenID doesn't exactly conjure up nightmares of Python's benevolent dictator for life. far from it.

7. OpenID is impossible to troubleshoot.

There are three main points of failure: the user's browser, the requesting server, and the OpenID provider's server. (We're simplifying things by ignoring failures in network media or routers here, now). If you're getting the same failure to login across multiple sites, your OpenID provider may be experiencing issues. If you're getting it on only one specific or handful of sites, it means that they may most likely have out-of-date handling for OpenID or errors of some other sort... It also doesn't help that some sites seem to rely on browser-side Javascript for the redirects involved in a proper OpenID login request. (I'm looking at you, Google)

My suggestion? Email your OpenID provider first and note to them that your OpenID is not working properly, step with them through the possibilities. The unfortunate fact is that with all these extra moving parts, OpenID is inevitably more prone to disruptions than a system run entirely under one roof by one company - like Microsoft Live ID, anyone?

One thing I could suggest: your membership as a TypePad blogger entitles you to an OpenID as "http://(username).typepad.com" ( being the same username that brings up your personal profile). I would suggest trying to type it in as an OpenID in that form the next time you're logged into TypePad, and seeing if the server you're doing it at redirects to TypePad. If implemented properly, TypePad should prompt you at least once to confirm that you indeed want to confirm your identity, and then redirect back if all goes well.

Not everyone can implement an idea well. But it does not mean the idea itself sucks.

Looking forward to reasonable reply,

Patchouli Woollahra

Trinkets from Zazzle! (A sponsored Link)

Support the insanity, buy a mug! Or a pad. Or something.