What OpenID is (and is not)

July 4, 2007

Put simply, OpenID lets you prove that you are associated with a URL. More specifically, it is a protocol for letting your website ask the remote URL if some visitor is associated with it.

This neatly points to the issue with putting too much weight on someone just having an OpenID: you have no idea how the remote URL makes that decision. It is perfectly possible to create an OpenID server that always says 'yes, that person is associated with me' when asked, and in fact it's been done.

This means that an OpenID in general is only a weak identity; anyone can have one or many and a given identity may have any number of people using it, much like a website login posted to bugmenot.

(This is ultimately why LiveJournal considers 'people with an OpenID' to be in the same class as entirely anonymous users, because they are. Someone with an OpenID has just gone to slightly more work than the completely anonymous people.)

If you want stronger identity information about people, you need to restrict what sorts of OpenID remote URLs you accept, because then you can know more about the policies those URLs use. The ultimate case of this is using known OpenIDs to identify specific people instead of forcing them to get a new identity on your site.

(As has been noted by Simon Willison, you may still want to ask people to register, but OpenID can save them from having to make up a new account name and password for you.)


Comments on this page:

By nothings at 2007-07-05 00:57:46:

This is ultimately why LiveJournal considers 'people with an OpenID' to be in the same class as entirely anonymous users, because they are.

Except that openid users are also in the same class of people as users who have registered with an email address and verified that address (as your example of bugmenot suggests).

And since that's the threshhold for most systems with accounts, the only difference in practice is the effort of creating an account. Since OpenID aims to simplify that process too, what are we left with?

By cks at 2007-07-05 23:27:58:

What we're left with turned into a sufficiently long thing that I made it into an entry, OpenIDUses.

By nothings at 2007-07-06 03:53:11:

Well, my point was the opposite (I think): if you're going to relegate people posting LJ comments with OpenIDs to 'the same as anonymous users', you have a problem because people with OpenIDs but not accounts are not substantially far off from people with accounts made with OpenID. So do you start treating accounts created with OpenID as second-class? If not, why treat posts from accounts made with OpenID different from users posting directly with OpenID and no accounts?

By cks at 2007-07-06 09:26:37:

My answer would be that people who have actually made accounts have gone through your own account creation screening process, whereas people who just have OpenIDs haven't. I don't know what LiveJournal's current process is, but at some times in the past you had to be invited by an existing LJ user, and I wouldn't be surprised if they also did various things behind the scenes to look for suspicious patterns.

(The other view of this is that someone who has an LJ account has at least gone to more work than someone with just an OpenID and thus has more to lose if they misbehave; at a minimum, they're throwing away that work.)

By nothings at 2007-07-10 01:10:39:

Right, but that brings us back to what I said in my original post--the whole thing, but summing up:

Since OpenID aims to simplify [the account creation] process too, what are we left with?

By cks at 2007-07-19 18:48:18:

While OpenID simplifies the account creation process, it does it in ways that I think don't substantially reduce the protections that you get from your screening process.

The one thing that some approaches of using OpenID get would be bad people is an immediately usable new account, where before they might have had to wait for the password to get emailed to whatever dropbox they picked. But if this is a concern you can still ask for an email address and email a confirmation link to it.

Written on 04 July 2007.
« Problems with EXA X acceleration on ATI cards in Fedora Core 6
What OpenID is good for »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed Jul 4 23:03:16 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.