:: OpenID Questions

Lately i’ve been seeing a lot of buzz about OpenID, and i’ve got to admit it’s a darn appealing idea. i just don’t see it as quite the utopia that others seem to.

i get that OpenID is basically an identification service: an OpenID provider asserts that whoever is logging in controls a given identity. In addition, it gives the identity holder a way to publish as much personal information as they wish to remote services. It also lets those remote services skip tracking individual user information, since there’s another service that will do that for them.

Only, i think they still do.

Remember, we’re talking about an identity here, not necessarily your identity. It could well be. It could also not be. That identity may be authenticated by an independent, third-party site, or by some random server. Truth is, while the identity is vouched for, there’s nothing to vouch for the vouchers. What that means to me as an OpenID consumer is that i’ve exchanged managing users for managing OpenID servers.

Granted, this could be somewhat alleviated by only accepting OpenIDs from a subset of “trusted” servers (which means that spammers, miscreants, and others need only abuse those services with disposable gmail addresses to build up enough OpenIDs to do whatever they want to my service). That kinda goes against the “open” part of OpenID, though.

i’m not saying that OpenID is worse than BBauth, Passport, or google’s auth, since they all have more or less the same problem. The one benefit of those other solutions is that a single operator can block abusive users, or require CAPTCHAs, additional elements of ID, or other restrictions to “raise the bar” on getting an ID. Of course, that means having to put personal information on a remote server, which doesn’t appeal to the “need for privacy” concern.

i’ll also note that even restricting OpenID to one of the current OpenID servers still means that someone is getting a record of everywhere that identity goes. That’s solved by running your own server, but then you hit the problem that spammers and other miscreants will be doing that too.

Personally, i hope this is just another thing i’m horribly wrong about and that there’s a far simpler way to address this sort of thing than i’ve been able to come up with. Like i said, i like the idea of OpenID. i just don’t plan on implementing it until i know the answers to those sorts of questions.

Simon Willison helpfully provides some pretty clear answers about OpenID in the comments. Several lightbulbs go off above me.
