SXSW Report: A Critical Look at OpenID

I’ve been intending to write about iCards next, but Paul and Kim have yet to get back to me. Since I just got out of the OpenID panel at SXSW, I’ll go ahead and cover the panel. Beware–This is going to be a long one.

I actually made my way through the labyrinth that is SXSW to one of the lesser rooms about 15 minutes early (WAY early in SXSW time). To my shock, the room was already packed (300-500 people). Even more telling, this was a very sophisticated 300-500 people. I would guess that about a quarter were implementing or looking to implement identity solutions in some form or another. In other words, this space is SCALDING hot.

Jason Levitt (formerly with Yahoo) moderated the panel. Artur Bergman (Wikia), David Recordon (Six Apart), Simon Willison (simonwillison.net), Andy Smith (Google), and George Fletcher (AOL) were on the panel and seated from left to right in the order I’ve listed them. I’ll probably describe the panel as I describe the participants, so let me just make clear (before I say anything that can be construed as snarky) that all of these guys did a great job and all of them clearly understand the identity space very well. Besides the fact that it is of personal interest to me, this was one of the best panels of the event.

Jason Levitt—It was a little funny watching him trying to “moderate” this discussion. After Simon gave a (very good) overview of OpenID, Jason was going to do a small presentation about Yahoo, but his laptop wasn’t cooperating. While he was trying to fix it, an impromptu conversation began between the audience and the panel. By the time he finally got his computer working, the few slides were almost an unwelcome interruption. He then tried to take over the questioning from the audience and the panel over-ruled him. As his last act as moderator, he requested that AT LEAST audience members should ask questions from the microphone. Overall, he did a good job of letting go, which was clearly the right (though not necessarily easy) thing to do.

Simon Willison—As I already mentioned, Simon gave a very good overview of OpenID. A few points were of particular interest:
1. He demonstrated that once you sign into an RP (relying party–a site that needs to authenticate you) with your OpenID, your OP (OpenID provider) can ask you if you would like it to remember that you trust that site. This means OpenID can support persistent trust relationships.
2. He demonstrated “Simple Registration”. These are 9 common registration fields you can choose to have your OP give to any RP. This is huge because it means you can associate and share identity claims through your OP.
3. He also explained that in OpenID 2.0 a user can sign in with the OP’s base URL (e.g. aol.com) instead of their unique identifier (openid.aol.com/drstarcat), leaving it to the OP to pick the identity. The cool thing about this is you could have a button that says “Authenticate with AOL” instead of the more technical “Please enter your OpenID URL here”.
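As an added example (not code from the post or from any panelist), here are points 2 and 3 in OpenID 2.0 wire form: an RP building a directed-identity request that asks for Simple Registration fields, then verifying the OP’s signed response and trusting only the SREG values the signature actually covers. The association secret, hostnames and response values are constructed for the example.

```python
import base64, hashlib, hmac
OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
# The nine Simple Registration (SREG 1.1) fields an OP may release to an RP.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")
# OpenID 2.0 requires these response fields to be covered by the OP's signature.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def build_checkid_request(realm, return_to, required, optional):
    # Directed identity: the user typed only the OP's URL ("Authenticate with AOL"),
    # so both identifier fields are identifier_select and the OP fills them in.
    return {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
            "openid.return_to": return_to, "openid.realm": realm,
            "openid.ns.sreg": SREG_NS, "openid.sreg.required": ",".join(required),
            "openid.sreg.optional": ",".join(optional)}

def compute_sig(params, mac_key):
    # HMAC-SHA256 over the Key-Value form ("key:value\n") of the openid.signed fields.
    signed = params["openid.signed"].split(",")
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_response(params, mac_key):
    # Returns (ok, claimed_id, sreg_attrs). Only SREG values inside the signed set are
    # returned: an unsigned field could have been added or altered in transit.
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, None, {}
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in MUST_SIGN):
        return False, None, {}
    if not hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", "")):
        return False, None, {}
    attrs = {f: params["openid.sreg." + f] for f in SREG_FIELDS
             if "ns.sreg" in signed and "sreg." + f in signed}
    return True, params["openid.claimed_id"], attrs

# Constructed sample: an association secret and an OP response in which the
# email is signed but a nickname was appended outside the signature.
MAC_KEY = b"constructed-association-secret"
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.assoc_handle": "constructed-handle",
    "openid.op_endpoint": "https://op.example/server", "openid.return_to": "https://rp.example/finish",
    "openid.claimed_id": "https://op.example/alice", "openid.identity": "https://op.example/alice",
    "openid.response_nonce": "2008-03-10T19:00:00Zabc", "openid.ns.sreg": SREG_NS,
    "openid.sreg.email": "alice@example.org", "openid.sreg.nickname": "not-signed",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.sreg,sreg.email"}
SAMPLE_RESPONSE["openid.sig"] = compute_sig(SAMPLE_RESPONSE, MAC_KEY)
```

The unsigned nickname is silently dropped, and any change to a signed value (or an unknown association secret) makes verification fail.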

I haven’t run into Simon before, but he was introduced as an Open ID evangelist—NO KIDDING! He was RELENTLESSLY positive about the technology. The audience was sophisticated and asked some real questions. Simon’s answers were overwhelmingly optimistic:
1. If someone gets my OpenID, can’t they login to all my sites? Yes, but this happens if they get a hold of your email as well (they can send password reminder requests).
2. What about phishing? PayPal has the same issue and survives.
3. Big companies refuse to be relying parties? Not an issue. Google, Yahoo, and AOL don’t NEED to be relying parties. Open ID is best for smaller sites that don’t want to deal with registration.
4. Don’t the big two (Google and Microsoft/Yahoo) serving as THE OPs become just like Passport was back in the day? Nope, two is better than one.

I don’t necessarily disagree with any of these points, but I would have appreciated some acknowledgment of the real challenges that face Open ID (and any identity solution). Regardless, Simon is a great evangelist for Open ID, and I’m sure we’ll be connecting in the future.

George Fletcher—George was the main “adult” in the room (he actually has grey hair!), and was also the most moderate voice. He’s in charge of implementing OpenID at AOL, and it’s pretty clear he understands the issues. One of his recurring themes was that OpenID really needs more requirements around its security layer (like mandating SSL) if it’s going to be trusted.

He also didn’t gloss over the question about why no major Internet properties are relying parties. Simon turned to him to claim that AOL was opening its properties to OpenID authentication (this is a common and mistaken claim based on Ficlets, a unique AOL property), and George tellingly gave him a little “not really” shake of the head. He basically admitted that properties that are tasked with protecting real user assets aren’t likely to use OpenID until some of the security and trust issues can be resolved.

The Implementors (David, Artur, and Andy)—I’m not lumping these three guys together because they are less important or distinctive. Just the opposite—David and Artur really drove much of the conversation and gave some of the best answers, and anyone who reads this blog will know that, as someone who likes to build things in reality, I like and respect nothing more than real implementors. These guys are exactly the kind of people I love on my team.

David, bushy-haired and having a lot of fun, made a few great points:
1. Because OPs focus on providing identity as a job, they can devote all their resources to doing it correctly.
2. Security vendors who come up with security enhancements will be able to more efficiently market their improvements with a few OPs (instead of millions of RPs).
3. Becoming an RP is a good idea for a startup (by reducing technical and legal liability); whereas, becoming an OP is a very bad idea (by increasing technical and legal liability).
4. There are no real OpenID adoption metrics, as its distributed nature makes this nearly impossible.

Artur gives the slightest impression of a German (Swedish?) economy of emotion and words, but also made some great points and was having some real fun. His primary response to most questions was, “That’s the responsibility of the OP”. In other words, I think he feels that not every issue should be solved on the specification layer (though he did advocate additional, optional specifications for more secure OpenID implementations); rather, it is the responsibility of the OP to innovate and find ways to become a trusted provider. This makes a lot of sense, as this will allow the market to determine the correct trade-offs between security and usability.

There were actually a number of other great things that came out of this panel, but I’ll save most of those for later posts. Two important takeaways though:
1. OpenID DOES define an “attribute exchange” layer, which extends the “simple registration” fields, so that an OP can use the protocol to broker identity claims.
2. OpenID along with OAuth can compete with much of the functionality of iCards and, because of their simplicity, have emerged as the stack to beat in the identity space.

  • http://pascal.vanhecke.info Pascal Van Hecke

    Your quote:
    “1. If someone gets my email, can’t they login to all my sites? Yes, but this happens if they get a hold of your email as well (they can send password reminder requests).”

    first “email” should be “openid account”

    Thx for the Writeup!

  • http://radar.oreilly.com/artur/ Artur Bergman

    Hi,

    First of all, what does “Artur gives the slightest impression of a German economy of emotion and words” actually mean? :)

    Second, my point is not that it should be solved by the OP, it is that it HAS to be solved by the OP.

    Phishing is about control and faking of the end points of a connection. A protocol by definition cannot solve that. Sure it can make it worse, but we have tried hard to make OpenID not make it worse.

    Artur

  • http://decisionpsychology.com Chaya

    It should probably be pointed out that Artur is Swedish, not German :)

  • http://drstarcat.com drstarcat

    Thanks for the post edits. Email now equals OpenID, Artur is now Swedish!

  • http://practicalid.blogspot.com George Fletcher

    So yes, I do have gray hair and it’s getting grayer by the day:)

    As for AOL and Relying Party support. We do support 3rd party OpenIDs on dev.aol.com and a couple other sites: ficlets.com (which won best use of CSS) and circavie.com. We are working to make the relying party support more robust and to cover more services. I don’t want to give the impression that AOL is not active in supporting OpenID as a relying party.

    On the security front, OpenID 2.0 does require SSL in a few cases so the 2.0 spec is much better from the security perspective.

    However, the issue is how much security is needed for the resources being provided. SSL might be overkill. The only minor problem with this logic is that many people use the same password so any insecure channel could compromise their identity.

  • http://sam.haslers.info Sam Hasler

    “If someone gets my OpenID, can’t they login to all my sites? Yes, but this happens if they get a hold of your email as well (they can send password reminder requests).”

    That’s a statement about the impact of either happening, it doesn’t address the difference in likelihood of either happening.

    Isn’t it easier to hack a website to get control of an OpenID URL than it is to hack into an email account?

    Or would you really need to hack into the OpenID account (which is distinct from the OpenID URL, i.e. you could control a URL that originally deferred to a MyOpenID account without knowing anything about the account)?

    For spammers, hacking OpenID URLs and searching for where they’ve been used to post comments on blogs – and so therefore might be whitelisted – could be an easy way to get round stricter comment spam filters.

    They might work it the other way of course: find OpenIDs used to post comments, then check if the URL is secure. That could mean that the more you use your OpenID the more you are exposing yourself to spammers trying to hack your OpenID URL.

    I wouldn’t be surprised if within the next year someone within the OpenID community who defers their OpenID from a website they manage themselves gets their site hacked and their OpenID used to post comment spam.
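The distinction Sam draws between the OpenID URL and the OP account behind it lives in the page served at that URL, which declares the OP endpoint and the delegated identifier. As an added example (not from the post or any commenter), here is an audit of a site owner’s own identifier page using OpenID HTML-based discovery only (Yadis/XRDS discovery is not covered), flagging an OP endpoint that is not HTTPS, the point George raises about SSL. The sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class OpenIDLinkParser(HTMLParser):
    # Collects the <link rel="..."> tags that OpenID HTML-based discovery reads.
    REL_KEYS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            if rel in self.REL_KEYS and a.get("href"):
                self.links[rel] = a["href"]

def audit_identifier_page(html):
    # Returns (op_endpoint, delegated_id, findings) for the page served at an OpenID URL.
    p = OpenIDLinkParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    delegated = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    findings = []
    if endpoint is None:
        findings.append("no OP endpoint declared")
    elif urlsplit(endpoint).scheme != "https":
        findings.append("OP endpoint is not HTTPS")
    if delegated is None:
        findings.append("no delegation declared (the page URL itself is the identity)")
    old, new = p.links.get("openid.delegate"), p.links.get("openid2.local_id")
    if old and new and old != new:
        findings.append("OpenID 1.1 and 2.0 delegation targets disagree")
    return endpoint, delegated, findings

# Constructed sample identifier page: delegation to an OP account is in place,
# but the declared OP endpoint is plain HTTP.
SAMPLE_PAGE = """<html><head><title>Alice</title>
<link rel="openid.server" href="http://op.example/server">
<link rel="openid.delegate" href="http://op.example/alice">
<link rel="openid2.provider" href="http://op.example/server">
<link rel="openid2.local_id" href="http://op.example/alice">
</head><body>My home page</body></html>"""
```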

  • Pingback: The History of Tomorrow’s Internet: Identity (iCards, pt. 1) | drstarcat.com

  • http://drstarcat.com drstarcat

    Sam Felder also did a nice (and much shorter) writeup of the panel here: http://www.samfelder.com/2008/03/a-critical-look-at-openid.html

  • Pingback: SXSW: A Critical Look at OpenID « Stone Ward Interactive


  • http://necronomicorp.com/bct Brendan Taylor

    “OpenID along with Oath”

    I believe you mean OAuth.

  • Pingback: OpenID for BtoB? Not So Sure…Yet - Bullblog - Bulldog Solutions

