There are a couple of big news items here. First, we read here that XRI 2.0 has been approved as a Draft and released for public review and comments. The 2.0 version has been developed to meet the needs of OpenID 2.0 (for a summary of changes, read this post by Drummond Reed). You may also recall my earlier post about OpenID 2.0 and how it relates to XRI and other protocols. For now, know that OpenID is the umbrella framework that covers the OpenID 1.x, XRI and Yadis protocols.
Shortly afterwards, during the Internet Identity Workshop (IIW2007b), the final specification of OpenID 2.0 was also announced.
It’s only an announcement, folks. The actual specification has been out there for a while and the tools that are out there have been 2.0 compliant as well. Let’s not lose sight of that fact.
What does this really mean?
I have tried to follow the development regularly, thanks to gmane and Google Reader. At times, I did get discouraged because the language got too OpenID-ish. I do not believe the members involved in the discussion and development of this framework intended to confuse the community by adopting OpenID code talk, but it does happen to some extent and takes some effort to follow.
I am still debating whether OpenID is solving what *I* want out of it, in relation to Internet Identity. As I said earlier, “Internet Identity is a heck of a lot more than your username and password”. The front page of the OpenID website says this about OpenID:
OpenID is a free and easy way to use a single digital identity across the Internet
Click that link and you get this:
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
Err… Identity crisis? One says it is all about Internet Identity and the other says it is all about usernames. Which is it?
One person’s view
This is how I want my Internet to work with my Identity.
- I create a central Internet Identity (let us call it CID for “Central ID”). Who has access to what parts of my Internet Identity is controlled by me, the owner of that Identity. (For now, let us not bother with who is “managing” this identity for me and what they can do. Let’s assume that there is something akin to “Attorney-Client Privilege” between me and my identity repository.)
- I want to login to SiteA. I do not know much about SiteA, so I want to be very careful. SiteA requires me to provide a certain set of information about me so that they can offer their services to me. I tell SiteA to obtain my identity information from my CID. SiteA can tap into my CID and get all the relevant pieces of information. I authorize exactly what pieces of information SiteA can have and for how long.
- I also want SiteA to conform to the CID specifications for information storage. For example, if I give a URL as my email address, then SiteA should not complain. If I give an XML document for my phone/contact info, SiteA should not complain and should comply. Why am I doing this? Because I can secure my contact information and make sure I am not being spammed by robots. (CID is no good to me if SiteA simply taps into my information and then copies all of it into its own database. Now, parts of my identity are in TWO databases. I am also risking them spamming me. There are other issues as well, I am sure.)
- SiteA can have a backup plan for providing me services in case my Internet Identity fails to work (geographical, climate, national, periodical issues etc.). I should have a choice in that as well. “Your CID failed to respond, would you like to log in using the alternative method?” – that sort of question.
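To make the wishlist above concrete, here is a small model of the “CID” it describes: attributes are kept in one place, and each site gets a grant that names exactly which fields it may read and for how long. This is an added illustration, not code from the OpenID project or from the original post; the names `CentralID`, `Grant`, `authorize`, `release`, `revoke` and the sample identity values are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """What one site may read from the identity, and until when."""
    site: str
    fields: frozenset
    expires_at: datetime


class CentralID:
    """Toy 'CID': attributes live in one place; sites get scoped, expiring reads."""

    def __init__(self, attributes):
        self._attributes = dict(attributes)
        self._grants = {}  # site -> Grant

    def authorize(self, site, fields, ttl, now):
        """The owner grants `site` access to exactly `fields` for `ttl` from `now`."""
        unknown = set(fields) - set(self._attributes)
        if unknown:
            raise ValueError(f"cannot grant fields that do not exist: {sorted(unknown)}")
        self._grants[site] = Grant(site, frozenset(fields), now + ttl)

    def revoke(self, site):
        """The owner withdraws a site's access at any time."""
        self._grants.pop(site, None)

    def release(self, site, requested, now):
        """Return (released, withheld). Never hands out more than the grant covers."""
        grant = self._grants.get(site)
        if grant is None:
            raise PermissionError(f"{site} has no grant")
        if now >= grant.expires_at:
            self._grants.pop(site, None)  # expired grants are dropped, not honoured
            raise PermissionError(f"{site}'s grant expired at {grant.expires_at.isoformat()}")
        released = {f: self._attributes[f] for f in requested if f in grant.fields}
        withheld = [f for f in requested if f not in grant.fields]
        return released, withheld


# Constructed sample identity (not real data): the email is a URL and the
# phone is an XML document, as the post wants sites to accept.
SAMPLE_ATTRIBUTES = {
    "email": "https://contact.example/alice/mail",
    "phone": "<contact><kind>mobile</kind><via>https://contact.example/alice/sms</via></contact>",
    "dob": "1970-01-01",
}
T0 = datetime(2007, 12, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable


def demo():
    """Walk the flow from the wishlist and report what each step produced."""
    cid = CentralID(SAMPLE_ATTRIBUTES)
    # SiteA may see email and phone for 30 days; it never gets the date of birth.
    cid.authorize("SiteA", {"email", "phone"}, timedelta(days=30), now=T0)
    got, denied = cid.release("SiteA", ["email", "phone", "dob"], now=T0 + timedelta(days=1))
    try:
        cid.release("SiteA", ["email"], now=T0 + timedelta(days=31))
        expired = False
    except PermissionError:
        expired = True
    try:
        cid.release("SiteB", ["email"], now=T0)  # SiteB was never authorized
        stranger_refused = False
    except PermissionError:
        stranger_refused = True
    return {
        "released": sorted(got),
        "withheld": denied,
        "expired": expired,
        "stranger_refused": stranger_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the site asks for fields by name and the identity holder answers with only what the grant covers; a site that asks for more than it was granted gets the extra names back in `withheld` rather than the values, and once the grant's time is up the same request is refused outright.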
Currently, OpenID does not do all of this. It simply provides a mechanism to store my username/password/other info. However, SiteA (SiteB…Site0) do not need to follow any requirements on how or what they store once they get my authorization to use that OpenID. So in effect, my OpenID information is now replicated across all those databases. The *only* thing OpenID seems to do is save a few keystrokes.
I do not want to trivialize the issue, but I would welcome it if someone could address the points above and convince me that one day OpenID, or some other framework, will address them. Preferably address them in English. Don’t give me the RP->IdP->OP crap. It is a big turn-off right now.

One advantage of OpenID that you seem to be missing is that the authentication happens with one place, your Identity Provider. That has several benefits, because that Identity Provider can put more effort into doing authentication the right way than Site A can. Site A’s focus is generally not authentication.
For example, your Identity Provider can do things like use SSL (web page encryption) for the authentication. Many websites today do not use security for the login. Site A might not be able to afford an SSL certificate, but if your Identity Provider does, you benefit from that everywhere.
Because you only authenticate with one place, fewer people have access to your login credentials. Theoretically, this makes it less likely that your credentials will wind up in the wrong hands.
If you only have a username and password in one place (your Identity provider), it becomes feasible to change your password more frequently (monthly, or biweekly, whatever).
Having authentication take place once for everywhere also means that, if you wanted to, you could use an Identity Provider such as Verisign PIP to have multi-factor authentication. In other words, you could combine something you know (your username and password) with something you have. Your Identity Provider could, for example, send a text message to your cell phone when you try to log on, containing a frequently changing code that you have to enter along with your username and password. Or, you could get a little $5 dongle for your keychain for that.
When the authentication happens only in one place, stronger security measures actually become practical.
@macskeeball
I agree with you. It is convenient to have a single place where you change your password. In a way, it does line up with the point I am making about the Internet Identity problem being much bigger than just a username and password. Single Sign-on is definitely a plus, but at what cost?
There are still a lot of problems about Internet Identity that are left on the table.