What OpenID is (and is not)
Put simply, OpenID lets you prove that you are associated with a URL. More specifically, it is a protocol for letting your website ask the remote URL if some visitor is associated with it.
This neatly points to the issue with putting too much weight on someone just having an OpenID: you have no idea how the remote URL makes that decision. It is perfectly possible to create an OpenID server that always says 'yes, that person is associated with me' when asked, and in fact it's been done.
This means that an OpenID in general is only a weak identity; anyone can have one or many and a given identity may have any number of people using it, much like a website login posted to bugmenot.
(This is ultimately why LiveJournal considers 'people with an OpenID' to be in the same class as entirely anonymous users, because they are. Someone with an OpenID has just gone to slightly more work than the completely anonymous people.)
If you want stronger identity information about people, you need to restrict what sorts of OpenID remote URLs you accept, because then you can know more about the policies those URLs use. The ultimate case of this is using known OpenIDs to identify specific people instead of forcing them to get a new identity on your site.
(As has been noted by Simon Willison, you may still want to ask people to register, but OpenID can save them from having to make up a new account name and password for you.)
Comments on this page:Written on 04 July 2007.