Over the past few months, we have seen an explosion of activity in the world of Internet identities. For reasons I have not researched and fully understood, the OpenID protocol has been the topic of every 2nd blog and every 3rd article. Maybe it’s got to do with the fact that prominent firms like AOL and others have started jumping on the bandwagon and instantly, everyone else wanted to jump on it.
I have also expressed my doubts about the validity of OpenIDs being synonymous with Internet Identities.
As I continue to keep pace with the developments, I am now of the feeling that my understanding of OpenID was true – but outdated and that OpenID in its 2.0 specification is a lot more than a username and password.
At the same time when OpenID 1.0 was being developed, a few other technologies/protocols were being developed by others to solve similar issues: LID, XRI, SXIP/DIX etc. At this time, OpenID, in its 1.0 stages, was simply an authentication protocol. Other technologies such as XRI were focusing on delivering a universal identification system that is independent of domains, protocols, locations etc. The concept of i-names and i-numbers comes from XRI. This figure explains how i-names and i-numbers work.

With all of these technologies coming into light, a good thing happened. All these guys (OpenID, LID, XRI and SXIP) started talking/working with each other in efforts to make all of these work with each other.
Dubbed OpenID 2.0, the draft 2.0 specification aims to bring all of the implementations together and serve as an umbrella. In David’s own words,
We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication, and a messaging services layer that sits atop and this entire thing has sort of been dubbed “OpenID 2.0”. We see URLs and XRIs being the identifier layer, Yadis as discovery, OpenID Authentication for the authentication layer, and then are also working with JanRain to develop a light-weight abstract messaging layer.
Here’s a graphical depiction of the above:

In a nutshell, OpenID 2.0 has grown to include more of the attributes that constitute one’s Internet Identity. With the convergence of technologies, OpenID 2.0 also allows for native XRI resolution as well as proxy URL based authentication. According to Drummond,
OpenID 2.0 will be more than just an authentication protocol but a complete framework for distributed digital identity based on user-centric digital addresses. The highlights:
- OpenID 2.0 will support both URLs and XRIs (i-names or i-numbers), so you can use either type of digital address.
- OpenID 2.0 incorporates Yadis XRDS-based service discovery, so it can be used not just for authentication (via any protocol both the user and the site support), but for any identity-based service (“i-service”) such as profile exchange, attribute verification, reputation, etc.
- OpenID 2.0 Authentication (the new name for the OpenID 2.0 authentication protocol itself) is adding more security features plus the ability to do “anonymous” login (logging in using your i-broker’s digital address instead of your own, for an extra layer of privacy).
In English, if you go to an OpenID 2.0-enabled website, your login can be any one of these:
- XRI i-name format e.g., =rajeev (resolves to your permanent i-number)
- Proxy XRI format e.g., http://xri.net/=rajeev (resolves to your permanent i-number)
- Another OpenID name/URL
- Locally registered account
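
A sketch of how a login form could tell these four inputs apart, added here as an example (it is not code from this post or from any OpenID library). The XRI and URL branches follow the normalization rule in the OpenID Authentication 2.0 specification; the function name `classify_login`, the local-account pattern and the rejection of userinfo are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

XRI_GCS = "=@+$!"        # XRI global context symbols
PROXY_HOST = "xri.net"   # proxy resolver host from the post's example
LOCAL_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumed local account syntax


def classify_login(raw):
    """Return (kind, normalized) for a user-supplied login string."""
    s = raw.strip()
    # OpenID 2.0 normalization drops an explicit xri:// prefix first.
    if s.lower().startswith("xri://"):
        s = s[6:]
    if not s:
        raise ValueError("empty identifier")
    # A leading global context symbol or "(" marks an XRI.
    if s[0] in XRI_GCS or s[0] == "(":
        return ("xri", s)
    # Assumption: a bare token is a locally registered account name.
    if LOCAL_RE.fullmatch(s):
        return ("local", s)
    # Everything else is handled as a URL; default the scheme to http.
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported identifier: %r" % raw)
    # Reject userinfo so an e-mail address is not silently read as a URL.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed: %r" % raw)
    parts.port  # raises ValueError on a malformed port
    # A proxy XRI is an HTTP(S) URL on the proxy host whose path is the XRI.
    if parts.hostname == PROXY_HOST and parts.path[1:2] and parts.path[1] in XRI_GCS:
        return ("proxy-xri", parts.path[1:])
    # Strip the fragment and give an empty path a "/".
    url = urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))
    return ("url", url)


# Constructed sample inputs, taken from the formats listed above.
if __name__ == "__main__":
    for sample in ("=rajeev", "http://xri.net/=rajeev", "rajeev.myopenid.com#me", "rajeev"):
        print(sample, "->", classify_login(sample))
```
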
With the clarification about the convergence of all of these technologies and the maturation of OpenID 2.0 into a user-centric identity layer for the Web, one must not get lost in the specifications, technologies, the “cool” factors and must be loyal to the problem that was set out to be solved.
What are the problems with Internet Identities in the first place?
- Too many websites storing your personal information, leading to heightened risk of identity theft and privacy concerns
- Different usernames on different websites
- Too much spam in your INBOX
- Managing online identity information is getting too difficult
What’s your idea of you being in control of your Internet Identity?
That is a very subjective question and is based on your personality and your view of the online world – meaning that the system must be flexible.
Taking a look at OpenID 2.0 feature sets and based on my own experiences, here are some observations on how it is currently set up and what must happen before wide acceptance can be achieved:
- Cost of inames: Folks (including me) are talking about how great inames are. Sure it’s good for us ’cause we grabbed ours during the initial phase when no one was paying attention. But now, they cost about $20/year for personal inames and $55/year for business i-names.
Recommendation: Have a tiered-pricing model and make the entry point dirt-cheap, if not free.
- Having an i-name contact page will work as long as I am not an initiator of the communication to a regular email address. If I want to send email to say, googleblock@gmail.com, then I have to expose my email address, which defeats the purpose.
Recommendation: Need an API or a facility of some sort that will allow sending messages to a regular email address with an OpenID/i-name as the sender.
-
Recommendation: OpenID/i-name enabled E-Mail Client — Wouldn’t that be cool! It could work with Ajax technologies to perform authentication and authorization functions.
- Make it usable-already!: One really fast way for people to start using OpenID is to make it possible for blogs to use OpenIDs instead of E-mail addresses for all of the forms – Most importantly/visibly, the comments.
Commenting on blog posts is central to the way the web juju happens. I may have logged in with my OpenID on my website but if I want to leave a comment on someone’s post, chances are I have to enter my old “email address” (email address? what’s that?). I just wish I could enter http://rajeev.myopenid.com or simply =rajeev wherever an email address is asked or =rajeev/+chat wherever my screen name is asked.
Question:
Form inputs all over the world will have to change to allow for URL/XRI style addresses as opposed to “user @ domain” style checks.
- De-centralize the XDI Server: Currently if I use an XRI, we are all at the mercy of Neustar. Not that their reputation is bad – in fact, I have never heard of them – so they must be good at what they do. However, the point is that I derive the uber-sense of security if I am able to host my own personal XDI server that I can shut down when I want to and start up when I want to, while controlling all aspects of it. OpenID already has a few PHP implementations for authentication.
Recommendation: Make Andy’s dream a reality and release a personal XDI server implementation.
-
Recommendation: I have said this before and I will repeat it again. I-Brokers, eat your own dog food. Make i-names account management easier.
I am sure others have more input and as we all start thinking about our identities and OpenID 2.0, more thoughts will come to our minds. As Nik points out, we have enough providers. What we need is the expansion of OpenID technology from a usability standpoint and coaxing the surrounding and sister technologies to work with it.

Check openkiwi.com an upcoming webchat with openid support
macournoyer
What is OpenKiwi and why should I go there?