

OpenID: Another Approach to Identities Single Sign-On, But Decentralized and Open

Originally published November 8, 2007

Have you heard about OpenID? It's the latest Internet identity scheme, in a long line of Internet identity schemes, but unlike so many of its predecessors, it could actually have a future.

OpenID is more than just another Web 2.0 fad – it's an open protocol for building identity across domains. At the moment mostly aimed at the blogosphere, OpenID could be useful in the enterprise arena too as a lightweight, distributed single sign-on (SSO) system. Here's what it is, what it does, how it works, and what it can do for you. But first, a quick review of SSO.

What is Single Sign-On?

Users have been plagued by password creep ever since the MIS department installed the second mainframe, and heavy web users may now hold ID/password combinations for dozens of websites, services, and accounts. You could reuse the same user ID and password everywhere to make them easier to remember, but then a breach at any one site exposes all the others. You could write down all your user IDs and passwords, with the same result if the list is found. You could use a password manager to remember your login data, which is the safest of the three only if its own store is protected by a strong secret and kept out of reach.

Or, you can try a single sign-on solution. SSO systems traditionally provide “a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems” (from Wikipedia). You may find an introduction to SSO at the Open Group. From the user's perspective, SSO works by requiring only a single user ID/password exchange, after which every other login is mediated by the SSO system on the user's behalf.

From the implementer's perspective, the SSO server acts as a trusted authority that vouches for signed-in users. Users authenticate to the SSO server once; when a user then needs access to another system that requires authentication, that system checks with the SSO server whether the user is authenticated and, depending on the design, what that user is permitted to do. In most deployments the SSO server answers only the first question, and each target system keeps its own authorization decisions.

Vendors have been pushing SSO solutions for years. An early SSO-like authentication system, Kerberos, was developed at MIT during the 1980s as part of Project Athena and is still in use.

However, SSO systems can be difficult to get right. Proprietary solutions don't always cover every platform you want to sign on to. Centralizing all authentication in a single system is also unnerving: that system becomes a single point of failure and a single high-value target, and the work of folding every authentication duty into one place is itself tricky. Finally, traditional SSO is usually imposed on a fixed population, typically the employees of an enterprise, and is intended for that enterprise's own systems only.

What is OpenID?

According to OpenID.net, “OpenID is a free and easy way to use a single digital identity across the Internet.” Wikipedia tells us that OpenID “is a decentralized single sign-on system.” This is the virtual holy grail of Internet interaction. Remember how “on the Internet, no one knows you're a dog”? OpenID may not reveal your species, but it does permit OpenID holders to build consistent identities that persist across time and websites.

OpenID users can blog for themselves and contribute to other people's blogs, across different websites, using the same ID. OpenID makes it possible to be confident that any comments made on any OpenID-enabled blog by “ScoobyDoo.example.com” were made by whoever controls that URL, which is as close to “the same person” as the protocol gets: it proves control of an identifier, not the identity of the human behind it. OpenID lets you create and manage a web identity (or multiple identities) that persists and accrues reputation. Almost as appealing to OpenID users is that one OpenID login works at all those different websites and blogs, so you won't need to create a new user ID and password every time you want to participate somewhere new.

What Does OpenID Do?

OpenID does, more or less, what most SSO systems do – except that it's based on an entirely open specification. Brad Fitzpatrick, “father of OpenID,” declared: “Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.”

And if you read the specification drafts, you'll note that they conform to the format used for Internet Engineering Task Force (IETF) drafts, which is telling in two ways. First, the IETF is responsible for the fundamental, and fundamentally open, Internet protocols like TCP/IP, so you know that the explicit intent is to make OpenID an open standard. And second, an open standard for user authentication, like OpenID, could be positioned to dominate the SSO market in the same way that the open standards for internetworking, like TCP/IP, came to dominate – and accelerate – the global internetworking market.

Per the specification: “OpenID Authentication provides a way to prove that an End User owns an Identity URL. It does this without passing around their password, e-mail address, or anything they don't want it to.” That's it. No central repository that you must register with and must trust to stay secure. You do need an identity provider willing to vouch for you, but the identity URL itself can be any page you control that points at that provider, so it is portable from provider to provider, and setting up as an identity provider is relatively straightforward. This is the decentralized part: mass-market identity providers can serve the mass market while specialized identity providers will undoubtedly cater to specialized markets, such as those who want or need higher assurance that an identity URL is linked to a specific individual.

The protocol defines basic interactions carried in ordinary HTTP redirects and form parameters, with the identity URL discovered by fetching it and reading the provider links in its HTML; there's nothing technically revolutionary there. The key is that OpenID defines an open framework for lightweight and decentralized authentication.
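Here is what that exchange looks like end to end, as an added example written for this edit rather than code from OpenID.net or from any library the article names. It is modelled on the OpenID Authentication 2.0 flow (in final draft at the time of writing) and uses the 2.0 field names, with both sides kept in one process: the relying party fetches the identity URL and reads its provider links, establishes an association (a shared MAC key) with the provider, sends the user there, and then verifies the signed assertion that comes back. The hosts, the identity page, the timestamp and the choice of a “no-encryption” association are assumptions made for the example.

```python
import base64, calendar, hashlib, hmac, re, secrets, time

OPENID_NS = "http://specs.openid.net/auth/2.0"
SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"

# Constructed sample (hypothetical hosts): the page an RP fetches from the user's
# identity URL; its link tags delegate authentication to an OP of the user's choice.
CLAIMED_ID = "https://scoobydoo.example.com/"
IDENTITY_PAGE = """<html><head><link rel="openid2.provider" href="https://op.example.net/auth">
<link rel="openid2.local_id" href="https://op.example.net/user/scooby"></head>
<body>Scooby's home page</body></html>"""


def discover(html):
    """HTML-based discovery: OP endpoint and optional local identifier from <link>
    tags on the identity page (a production RP would use a real HTML parser)."""
    def link(rel):
        m = re.search(r'<link[^>]*rel="%s"[^>]*href="([^"]+)"' % re.escape(rel), html)
        return m.group(1) if m else None
    if link("openid2.provider") is None:
        raise ValueError("identity page carries no openid2.provider link")
    return link("openid2.provider"), link("openid2.local_id")


def compute_sig(mac_key, fields):
    """OpenID 2.0 signature: base64(HMAC-SHA256) over the Key-Value Form ("name:value\\n")
    of the fields named in openid.signed, in that order, "openid." prefix stripped."""
    body = "".join("%s:%s\n" % (n, fields["openid." + n]) for n in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, body.encode(), hashlib.sha256).digest()).decode()


class Provider:
    """Minimal OP: issues associations and signs positive assertions."""
    def __init__(self, endpoint):
        self.endpoint, self.assocs = endpoint, {}          # handle -> MAC key

    def associate(self):
        # Assumption: "no-encryption" association, so the MAC key is sent in the clear
        # and the request must travel over TLS; the Diffie-Hellman variant is omitted.
        handle, key = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key

    def checkid(self, request, now):
        # The user has already logged in at the OP with a credential the RP never
        # sees; the OP only asserts control of the requested identifier.
        resp = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
                "openid.op_endpoint": self.endpoint,
                "openid.claimed_id": request["openid.claimed_id"],
                "openid.identity": request["openid.identity"],
                "openid.return_to": request["openid.return_to"],
                "openid.assoc_handle": request["openid.assoc_handle"],
                "openid.signed": SIGNED,
                "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
                                         + secrets.token_hex(4)}
        resp["openid.sig"] = compute_sig(self.assocs[resp["openid.assoc_handle"]], resp)
        return resp


class RelyingParty:
    """Minimal RP: discovery, association, redirect to the OP, verification."""
    def __init__(self, return_to):
        self.return_to, self.assocs, self.seen_nonces = return_to, {}, set()

    def begin(self, claimed_id, identity_page, op):
        endpoint, local_id = discover(identity_page)
        handle, key = op.associate()                       # really an HTTPS POST to endpoint
        self.assocs[handle] = (endpoint, key)
        request = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                   "openid.claimed_id": claimed_id, "openid.identity": local_id or claimed_id,
                   "openid.assoc_handle": handle, "openid.return_to": self.return_to}
        return request, endpoint                           # the browser is redirected there

    def verify(self, resp, expected_claimed_id, now, max_skew=300):
        """Every check an RP must pass before believing an id_res assertion."""
        endpoint, key = self.assocs.get(resp.get("openid.assoc_handle"), (None, b""))
        signed = resp.get("openid.signed", "").split(",")
        for ok, why in [
            (resp.get("openid.mode") == "id_res", "not a positive assertion"),
            (resp.get("openid.return_to") == self.return_to, "return_to is not this RP"),
            (endpoint is not None, "unknown association handle"),
            (resp.get("openid.op_endpoint") == endpoint, "assertion not from the OP found by discovery"),
            (resp.get("openid.claimed_id") == expected_claimed_id, "claimed_id differs from the one discovered"),
            (set(SIGNED.split(",")) <= set(signed) and all("openid." + n in resp for n in signed),
             "a required field is missing or not covered by the signature")]:
            if not ok:
                return False, why
        if not hmac.compare_digest(compute_sig(key, resp).encode(), resp.get("openid.sig", "").encode()):
            return False, "bad signature"
        # Nonce checks come after the signature so a forger cannot poison seen_nonces.
        nonce = resp["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(now - issued) > max_skew:
            return False, "nonce timestamp outside the accepted window"
        if nonce in self.seen_nonces:
            return False, "nonce already seen (replay)"
        self.seen_nonces.add(nonce)
        return True, resp["openid.identity"]


def run_demo(now=1194480000):
    """One login, then a replayed and a tampered copy of the same assertion;
    now = 2007-11-08T00:00:00Z (the article's date) keeps the run deterministic."""
    op = Provider("https://op.example.net/auth")
    rp = RelyingParty("https://blog.example.org/openid/return")
    request, endpoint = rp.begin(CLAIMED_ID, IDENTITY_PAGE, op)
    assertion = op.checkid(request, now)                   # the user signed in at the OP
    ok, identity = rp.verify(assertion, CLAIMED_ID, now)
    replay = rp.verify(assertion, CLAIMED_ID, now)[1]
    forged = dict(assertion, **{"openid.identity": "https://op.example.net/user/shaggy"})
    return ok, identity, replay, rp.verify(forged, CLAIMED_ID, now)[1]
```

`run_demo()` returns `(True, "https://op.example.net/user/scooby", "nonce already seen (replay)", "bad signature")`: a genuine assertion is accepted, the same assertion presented a second time is rejected, and a copy with the identity edited fails the signature check. Note what `verify` does and does not establish. It proves that the assertion was produced by the provider discovery found for this identity URL, for this relying party, exactly once; it proves nothing about how that provider authenticated its user. A relying party that cannot live with that gap can accept assertions only from an allow-list of provider endpoints, which is the posture an enterprise running its own provider would take.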

Enterprise OpenID

At the moment, OpenID activity is focused on building momentum with individual users on the web by building support from popular websites. As stated on the OpenID website, “OpenID is still in the adoption phase and is becoming more and more popular as large organizations like AOL, Microsoft, Sun, Novell, etc. begin to accept and provide OpenIDs. Today it is estimated that there are more than 160 million OpenID-enabled URIs with nearly 10,000 sites supporting OpenID logins.”

But there is a parallel effort to drive development and adoption. The OpenID Foundation has collected $50,000 (so far) from vendor sponsors for a “bounty” program to generate a full toolbox of open source development and integration software, to be awarded $5,000 at a time to projects that make OpenID easier to deploy and use.

So things are good if you want to use OpenID (you may already have one), or if you want to enable your blog or website to support OpenID. It's designed to be straightforward. Plaxo has instructions in an article, A Recipe for OpenID-Enabling Your Site, and there are numerous other articles on the same topic popping up every day.

How does that help position OpenID in the enterprise? The OpenID people seem to be following a well-worn Internet trajectory of building a completely new market on top of a new and open network protocol. The web lives and dies by HTTP; where most enterprises once kept all their data on proprietary network servers running software from Microsoft and Novell, most corporate data is now reached through web servers. If you get wide enough deployment and vendor support, and if you can build a history of performance, then you will ultimately have a product that enterprises can use too.

OpenID is working on the deployment and vendor-support side by gathering endorsements from Microsoft, Sun, Novell and many other software companies. It may be that OpenID offers enough strength to be useful as a distributed authentication system for some corporate applications. If you have the patience to set up your own identity provider, you retain as much control over authentication as you need: your own relying parties can be configured to accept assertions from that provider alone, which removes the question of which outside providers to trust.

What to Expect from OpenID

That doesn't mean you should run out and deploy OpenID in place of your SSO. OpenID is new, and is still going through the process of becoming a standard protocol. Many of the articles you'll find online about OpenID are negative, pointing out weaknesses in the protocol. The most basic is that in a decentralized system the protocol can prove that an assertion came from the provider an identity URL points to, but it says nothing about how carefully that provider checked its user, so a relying party has no built-in way to tell a trustworthy identity provider from a careless one.

However, the fact that so much of what you read about OpenID is either neutral or negative is also one of the reasons I'm optimistic that it augurs something big, something that goes beyond the obvious, and here's why. Someone's always coming up with new protocols, especially for authentication and other security-related topics. OpenID is getting an extraordinary amount of attention from technically oriented writers who find it worth writing about. That so many find fault with OpenID tells me:

  1. OpenID is getting more than enough attention to identify, and eventually resolve, any glaring deficiencies in the way it works.

  2. Identifying and publicizing any faults or weaknesses, perceived or actual, in the protocols means building greater understanding of what OpenID can do and what it can't do. If you think OpenID will solve all your problems, you'll be disappointed; but if you think it will solve a very particular problem, and it does, you'll be more than satisfied.

  3. It's cliché to say that “all press is good press,” but it's also true. Lots of coverage in the trade press and the blogosphere means that more and more people are learning all about OpenID every day. Compare that to your current SSO solution.

  4. OpenID is a big target. With so much industry support already, there is a perverse pressure on bloggers and journalists to come up with all the reasons OpenID will never amount to anything. After all, no one bothers writing about the drawbacks of a sensible and reasonable protocol that no one implements.

Sure, there are problems, but there are always problems with authentication schemes. Kerberos is an elegant and complete solution for authentication, but it has problems too. With OpenID, less may be more by letting us define a set of simple problems and a framework for straightforward solutions.

  • Pete Loshin

    Pete is Founder of Internet-Standard.com, an open source and open standard computing consultancy providing technology assessment, needs analysis and transition planning services for organizations seeking alternatives to commercial software. Pete has written 20 books, including “TCP/IP Clearly Explained” (4th Edition, Morgan Kaufmann, 2003) and “IPv6: Theory, Protocol, and Practice” (2nd Edition, Morgan Kaufmann, 2004).

    Pete can be reached at pete@loshin.com or at 781.859.9175.
