Blogs

RSS FeedBlogs
RSS FeedSubscribe to this blog
About Author
Glyn Moody

Glyn Moody's look at all levels of the enterprise open source stack. The blog will look at the organisations that are embracing open source, old and new alike (start-ups welcome), and the communities of users and developers that have formed around them (or not, as the case may be).

OpenID Becomes Enterprising

Article comments

Identity is a hot issue at the moment - just ask Her Majesty's Revenue & Customs. But supremely stupid security lapses aside, managing identity is a problem that everyone online has to face on a daily basis.

One aspect involves passwords. As we join more and more online services, we are faced with the perennial problem: do we invent yet another password, making it even harder to remember, or do we recycle old passwords, which increases the potential damage if one is compromised? Of course there are alternatives, as Bruce Schneier reminds us, but they are hardly convenient, especially if we're accessing online services from many computers at different locations.

What, we need, of course, is a secure, single sign-on system that works everywhere, but we haven't got that for all the usual selfish reasons: major online services are unwilling to adopt somebody else's system, and so we end up with current fragmented state.

We've been here before, with operating systems. Back in the days when Unix was king, nobody wanted to standardise on someone else's flavour, and we were left with myriad Unices, all slightly incompatible. One of the reason that GNU/Linux has been adopted so widely is that it offered a neutral, open platform that favoured everyone equally. Clearly, then, what we need is a neutral, open identity system.

Amazingly, we have one: OpenID. As the main OpenID site explains:

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.
For businesses, this means a lower cost of password and account management, while drawing new web traffic. OpenID lowers user frustration by letting users have control of their login.
For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.

The problem is that it still hasn't caught on in a big way. The recent release of OpenID 2.0 may change that – well, that's what it's supporters are certainly hoping.

I spoke to one of them, Michael Graves, from the company JanRain (no, not some obscure Asian god, but a pointed reference to the local winter weather in Portland, where the company is based) recently, to find out more. Graves felt – not unsurprisingly – that we were near to the inflection point as far as OpenID is concerned – the moment when it passes from being a niche solution, to something with unstoppable momentum.

He cited Microsoft's announcement earlier this year, and Google's move to allow OpenIDs for comments on its Blogger system as proof of this; although those are both big names, it's still very much a toe-dipping exercise – you don't get any sense of deep commitment yet. But as Graves pointed out, you wouldn't really expect that, because this is deeply disruptive technology, and powerful incumbents like Microsoft and Google (yes, Google's an incumbent these days) much prefer the status quo.

He also noted that OpenID 2.0 will have a number of technical enhancements, allowing more complex interactions with service providers, whereby your personal profile is passed in a controlled way for certain purposes. Privacy issues aside, that sounds useful in terms of automating various kinds of operations.

Another interesting aspect was how his company JanRain would make money in this open world, and it was refreshing to hear his belief in the centrality of openness for OpenID – so no attempts to add proprietary elements for the sake of a bit of dosh. Instead, JanRain operates as an OpenID provider where you can sign up, and it also makes software, including Pibb:

it brings together the familiarity of forums, power of blogs, flexibility of email and convenience of instant messaging in one browser window. All messages are delivered in real time, then archived automatically for later search/viewing. This feature set makes Pibb ideal as a communication back-channel for conferences, for use as a support tool, or for community based private/public discussions.

But for me the real revelation – and the thing that excites me most about the short-term future for OpenID - is its potential within the enterprise. Graves spoke of how the publisher Reed-Elsevier (disclosure: a long time ago, in a galaxy far, far away, I used to work for one of its divisions) is layering OpenIDs on top of its Active Directory implementations: the problem here is that with multiple Active Directories, the name-space is too fragmented to use. OpenID allows a simple, unified approach that hides the underlying complexity.

Of course, that's precisely what OpenID can do on the Internet too, but it may be that the business case for its use in similar situations will help it build the necessary broad user base for the breakthrough in the public sphere.

And if you're wondering what an OpenID-enabled future might look, try this fascinating post from Chris Messina about OpenID 2.0 and DiSo, or “Distributed Social Networking applications”:

As more people sign in to my blog with OpenID and leave approved comments, I can migrate them to my public blogroll, allowing others to benefit from the work I’ve done evaluating whether a given identifier might be a spam emitter. Over time, my reliability in selecting and promoting trustworthy identifiers becomes a source of social capital accrual and you’ll want to get on my list, demonstrating the value of playing the role of identity provider more widely.

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivative Works 2.0 UK: England & Wales Licence. Please link back to the original post.

Share:

Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open