Identity and OpenID

May 30th, 2007

In a thread on TheServerSide, commenters are discussing how much trust you can put into an OpenID identity. Even the OpenID literature speaks of a server that returns true to all queries. The argument seems to be that since you don’t control the OpenID server, you can’t trust the identity returned, making it useless.

In the grand scheme of things, does your average app ever truly identify the user? About the best we do is identify an email address that can be used to reach the user today. There is virtually no positive identification going on. On the internet, your identity is simply who you claim to be.

Unless you’re a bank or someone with an out-of-band real-world tie to your customer, really, what are your use-cases for “identity?”

For the things I’ve worked with, they seem to be primarily the following:

  1. Keeping “my” stuff separate from “your” stuff. Identity isn’t overly important here. Knowing who “you” are isn’t as important as knowing that “you” simply are different than “me” and “you” should keep the heck away from my things.
  2. Being able to contact users who don’t necessarily visit the site or use the app often. This normally means a verified email address. Once again, identity isn’t as important as simply being able to contact the owner of some bundle of stuff, whoever he may be.

From my point of view, OpenID satisfies the first case easily enough, assuming the OpenID server is implemented honestly. And if it isn’t, then that’s ultimately the user’s problem for selecting a crappy identity provider.
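The “returns true to all queries” provider from the thread is only the user’s problem if the relying party does its own checks on every assertion: that the signer is the provider discovery on the claimed identifier actually points to, that the important fields are covered by the signature, that the signature verifies under the association key, and that the nonce has not been seen before. The following is an added example (my own code, not from this post or from any OpenID library) that models those checks for an OpenID 2.0 positive assertion with an HMAC-SHA1 association. The provider endpoints, identifiers, MAC keys and the discovery table are constructed; a real relying party would obtain them via Yadis/HTML discovery and an association request over HTTP, which are out of scope here.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed fixtures (hypothetical names): what discovery on each claimed
# identifier resolves to, and the MAC key each OP shares with this relying
# party. A real RP gets the first from Yadis/HTML discovery over HTTP and the
# second from an association request; both are out of scope here.
DISCOVERED_OP = {
    "https://alice.example.net/": "https://op.example.net/server",
    "https://bob.example.org/": "https://op.example.org/server",
}
ASSOC_KEYS = {
    "https://op.example.net/server": b"constructed-mac-key-for-example-net",
    "https://op.example.org/server": b"constructed-mac-key-for-example-org",
}
RETURN_TO = "https://rp.example.com/openid/return"


def kv_form(params, signed):
    """Key-value form of the signed fields: 'key:value\\n' per field, keys
    without the 'openid.' prefix, in the order given by openid.signed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()


def signature(params, signed, mac_key):
    """HMAC-SHA1 over the key-value form, base64 encoded (OpenID 2.0
    association type HMAC-SHA1)."""
    mac = hmac.new(mac_key, kv_form(params, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(op_endpoint, claimed_id, mac_key):
    """The fields an OP puts in a positive assertion, signed with its MAC key.
    Calling this for an OP that does not host claimed_id models the provider
    that 'returns true to all queries'."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2007-05-30T12:00:00Z" + secrets.token_hex(8),
        "openid.assoc_handle": "handle-" + secrets.token_hex(4),
        "openid.signed": ",".join(signed),
    }
    params["openid.sig"] = signature(params, signed, mac_key)
    return params


class RelyingParty:
    REQUIRED_SIGNED = ("op_endpoint", "claimed_id", "identity",
                       "return_to", "response_nonce")

    def __init__(self):
        self.seen_nonces = set()

    def verify(self, params):
        """Return the claimed identifier if the assertion is acceptable, else None."""
        if params.get("openid.mode") != "id_res":
            return None
        if params.get("openid.return_to") != RETURN_TO:
            return None            # not meant for this RP / this URL
        claimed = params.get("openid.claimed_id")
        op = params.get("openid.op_endpoint")
        # The check that keeps a dishonest OP its own users' problem only: the
        # signer must be the OP that discovery on the claimed identifier names.
        if claimed is None or DISCOVERED_OP.get(claimed) != op:
            return None
        signed = params.get("openid.signed", "").split(",")
        if any(f not in signed for f in self.REQUIRED_SIGNED):
            return None            # an unsigned field could be altered in transit
        mac_key = ASSOC_KEYS.get(op)
        if mac_key is None:
            return None
        try:
            expected = signature(params, signed, mac_key)
        except KeyError:
            return None            # openid.signed names a field that is absent
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            return None
        nonce = params["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None            # replayed assertion
        self.seen_nonces.add(nonce)
        return claimed
```

With these checks, a provider that vouches for identifiers it does not host (the example’s second OP asserting the first OP’s user) is rejected at the discovery comparison, and a tampered or replayed assertion fails the signature or nonce check. What the relying party cannot detect is a provider lying about its own users, which is exactly the part the post leaves as the user’s problem.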

OpenID does have a conduit for delivering a user’s email address, using the Simple Registration extension. I would not trust that address, so OpenID does not solve my 2nd use-case. But then again, neither does simply collecting an email address at sign-up on my own site. People change jobs, ISPs, universities and spouses. An email address isn’t a permanent, definite thing. Even if I collect email addresses, I need to periodically verify they are still valid, and have a strategy for dealing with those that aren’t, if out-of-band communication is even really necessary.

Taking this view of email addresses, it would appear they make poor identities for users, since a user can so easily lose one. I like the LinkedIn method of managing user accounts and email addresses, though. I can associate multiple email addresses with my account. I can log in with any of them. I can remove them. My account does not have to be tied to a single, never-changing email address.
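The two preceding paragraphs describe an account model in which an OpenID identifier is only a unique handle (use-case #1), while email addresses are contact points that must be verified, can be added and removed, and go stale unless re-verified (use-case #2). The following is an added example of that model (my own code, not from this post, nor LinkedIn’s or any OpenID library’s). The verification-link lifetime, the re-verification interval, and the rule that the last verified address cannot be removed are this example’s own policy choices; the password check that a real login would also perform is left out.

```python
import hashlib
import hmac
import secrets

# Assumed policy values (not from the post): how long a verification link
# lives, and how long a verified address is trusted before it must be
# re-verified.
TOKEN_TTL_DAYS = 2
REVERIFY_AFTER_DAYS = 180


class Directory:
    """Accounts that own several e-mail addresses and several OpenID
    identifiers. Any verified address names the account at login; none of
    them is the account's permanent name. Days are plain integers."""

    def __init__(self):
        self.accounts = {}          # account_id -> {"emails": {addr: rec}, "openids": set}
        self.owner_of_email = {}    # lower-cased address -> account_id
        self.owner_of_openid = {}   # claimed identifier -> account_id

    def create(self, account_id):
        self.accounts[account_id] = {"emails": {}, "openids": set()}

    def link_openid(self, account_id, claimed_id):
        """Use-case #1: the identifier only has to be unique, not meaningful."""
        if claimed_id in self.owner_of_openid:
            return False
        self.owner_of_openid[claimed_id] = account_id
        self.accounts[account_id]["openids"].add(claimed_id)
        return True

    def account_for_openid(self, claimed_id):
        return self.owner_of_openid.get(claimed_id)

    def add_email(self, account_id, address, today):
        """Register an address (or re-issue a link for one still unverified)
        and return the token to mail to it. Only the token's hash is stored,
        so a copy of the database does not let anyone confirm an address."""
        key = address.lower()
        owner = self.owner_of_email.get(key)
        if owner is not None and owner != account_id:
            return None                         # already someone else's
        emails = self.accounts[account_id]["emails"]
        if key in emails and emails[key]["verified_on"] is not None:
            return None                         # already verified, nothing to do
        token = secrets.token_urlsafe(24)
        emails[key] = {
            "verified_on": None,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "token_expires": today + TOKEN_TTL_DAYS,
        }
        self.owner_of_email[key] = account_id
        return token

    def confirm_email(self, address, token, today):
        """Called when the user follows the mailed link."""
        key = address.lower()
        account_id = self.owner_of_email.get(key)
        if account_id is None:
            return False
        rec = self.accounts[account_id]["emails"][key]
        if rec["token_hash"] is None or today > rec["token_expires"]:
            return False                        # nothing pending, or link expired
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(rec["token_hash"], presented):
            return False
        rec.update(verified_on=today, token_hash=None, token_expires=None)
        return True

    def account_for_login(self, address):
        """Any verified address can be used as the login name."""
        key = address.lower()
        account_id = self.owner_of_email.get(key)
        if account_id is None:
            return None
        if self.accounts[account_id]["emails"][key]["verified_on"] is None:
            return None
        return account_id

    def remove_email(self, account_id, address):
        """Drop an address, but never the last verified one, so the account
        stays reachable (use-case #2). That rule is this example's choice."""
        key = address.lower()
        emails = self.accounts[account_id]["emails"]
        if key not in emails:
            return False
        verified = [a for a, r in emails.items() if r["verified_on"] is not None]
        if emails[key]["verified_on"] is not None and len(verified) == 1:
            return False
        del emails[key]
        del self.owner_of_email[key]
        return True

    def needs_reverification(self, account_id, today):
        """Verified addresses older than the policy allows: the periodic
        re-check the post says a site has to do anyway."""
        return sorted(a for a, r in self.accounts[account_id]["emails"].items()
                      if r["verified_on"] is not None
                      and today - r["verified_on"] > REVERIFY_AFTER_DAYS)
```

The OpenID side never needs a provider to be trustworthy about who the user is: `account_for_openid` only answers “the same identifier as last time”. The email side is where the work is, and it is the same work whether the address came from Simple Registration or from a sign-up form, which is the post’s point.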

Given all of this, I think OpenID helps with use-case #1, and no centralized standard will help with use-case #2.

2 Responses to “Identity and OpenID”

  1. eugene
    June 1st, 2007 at 2:44 am

    Bob,

    Good points. On #2, check out http://www.freeyourid.com/

    The integration of a .name domain with OpenID allows you to create a digital identity where your OpenID and your digital identity (email, url) are closely intertwined.

    Eugene

  2. Martin Paljak
    June 1st, 2007 at 2:10 pm

    If you separate identity, identification and authentication, OpenID does an OK job to be the ‘identity’ or just a ‘URL for you’ part.

    You might want to have a look at http://martin.paljak.pri.ee/2007/06/01/understanding-openid-who-assigns-who/ on my quest to explain if and how websites should deal with OpenID and stuff like eID.

    For a huuuge bunch of sites, just as you explained with #1, you don’t have to assume any kind of trust for the provider or semantics for the identity. It’s just ‘are you the same X as you claimed to be once’

    Take editing a blog comment after you have posted the comment – you don’t really have to register or provide or check anything – except can the commenter present the same claim (OpenID) as when posting the comment.

    I believe there’s a difference between ‘what you can do on the internet and who you claim to be’ (whatever you claim, e-mail centric approach. Having the capability to have different identities serves some reason) vs ‘what internet can do for you’ (user, real human centric approach where it benefits the user if you can combine your online presence)

    OpenID can help with both as it provides a possibly user centric address space (if you know the semantics)
