Friday, 18 January 2008

Yahoo does OpenID

Yahoo have announced that they will be moving to using OpenID as of 30 Jan. Interestingly Google seem to have played with OpenID inside of blogger suggesting that they too are interested in OpenID.

Like all identity management solutions OpenID is same sign on - ie your credentials are the same on all OpenID sites but validation is still performed against your identity provider.

Unfortunately it doesn't get round the "on the internet, no one know you're a dog" problem - that is, there is no validation of your original credentials, so unlike our id management project using shibboleth, you cannot be assured that the assertion "is a member of the ANU" is almost certainly true.

All you know about an OpenID account is "person holds yahoo account" or "person holds six apart account", which means that you've filled in some registration box appropriately.

However, what is potentially interest is the social networking parts of it - if a site such as facebook that holds rich information about individuals becomes involved we start to get a degree of validation - for example you need an anu id to join the anu network on facebook - tho' what happens when you leave is an interesting question, and through these individual validations we can begin to accept these assertions as valid.

[This is an argument in progress - I havn't worked it all out, but basically external validation of information makes it worth more, in the same way that showing your drivers licence and passport allows you to open a bank account]

2 comments:

randomstring said...

I think you miss the point here.

All you know about an OpenID account is "person holds yahoo account" or "person holds six apart account", which means that you've filled in some registration box appropriately

It's actually less than that since I can run OpenID on my own server and miss out the box ticking completely. All it proves is that person A on website A is the same person A on website B.

But that's all that's needed. I don't want to give any more information away. There's a place for a more formal ID scheme, but to complain that OpenID isn't it is to complain that a tractor won't do 100mph on the motorway.

dgm said...

Good point, and one that emphasises that OpenID is fundamentally a same sign on solution and not identity management, whatever anyone says