OpenID: Making Throw-Away Accounts Reusable Since 2005

Martin Dittus · 2007-02-20 · a new world, privacy, web services

Since there are so many announcements about OpenID these days I decided it's time to actually have a look at the OpenID 1.1 spec. Turns out it's a light and fairly quick read, and its authors paid delightful attention to some crucial details.

I especially liked this:

The main advantage of [OpenID's delegation mechanism] is that an End User can keep their Identifier over many years, even as services come and go; they'll just keep changing who they delegate to.

And was impressed to see stuff like this in the spec:

It is RECOMMENDED that the form field [for the User's OpenID URL] be named "openid_url" so User-Agent's will auto-complete the End User's Identifier URL in the same way the eCommerce world tends to use conventions like "address1" and "address2".
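The delegation mechanism quoted above rests on two link tags, `openid.server` and `openid.delegate`, that OpenID 1.1 places in the HTML head of the identifier page. The following is an added example, not code from this post or from the OpenID project, of how a consumer might resolve them; the URLs and pages are constructed samples, the function names are hypothetical, and ignoring link tags outside the head is this example's design choice.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RELS = ("openid.server", "openid.delegate")

class HeadLinks(HTMLParser):
    """Collect OpenID 1.1 <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.found = False, {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def http_url(url):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return url

def discover(claimed_id, html):
    """Return (server, identity to assert) for the page at claimed_id."""
    p = HeadLinks()
    p.feed(html)
    if "openid.server" not in p.found:
        raise ValueError("no openid.server link in <head>")
    server = http_url(p.found["openid.server"])
    # No openid.delegate: the claimed identifier itself is sent to the server.
    return server, http_url(p.found.get("openid.delegate", claimed_id))

# Constructed sample pages: the same identifier URL before and after a provider switch.
CLAIMED = "http://example.org/"
PAGE_OLD = ('<html><head><link rel="openid.server" href="http://old-idp.example/auth">'
            '<link rel="openid.delegate" href="http://alice.old-idp.example/"></head></html>')
PAGE_NEW = ('<html><head><link rel="openid.server" href="https://new-idp.example/op"/>'
            '<link rel="openid.delegate" href="https://new-idp.example/alice"/></head>'
            '<body><link rel="openid.server" href="http://injected.example/"></body></html>')

if __name__ == "__main__":
    for page in (PAGE_OLD, PAGE_NEW):
        print(CLAIMED, "->", discover(CLAIMED, page))
```

The consumer keys the account on `CLAIMED`, which stays the same across both pages; only the server and delegate it resolves to change.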

Recycling Finally Makes Sense

I guess I won't start using the same OpenID account for all my identification needs, even if it might sound convenient. The thought of having a single login for everything isn't very appealing -- because it easily allows tracking you across services (cf. the ubiquitous session cookie).

Here's what's so cool about this: OpenID allows you to reach a middle ground where you can have a limited number of accounts for most of your Internet interactions, regardless of the number of services you actually make use of; and each account can become an island, for use within a certain context. Your blogging account. Your throwaway test account. Your Digg and Slashdot trolling account. Your porn account.

That's the one feature that makes OpenID interesting to me: As soon as a significant number of websites start acting as OpenID consumers (i.e., they let you log in via an OpenID account you registered elsewhere) you gain control over the number of passwords you have to remember. No more bugmenot, or relying on your browser or Keychain to remember passwords for you. You'll be able to memorize them all.

Essentially, OpenID caters to our convenience while keeping us in control of our own privacy.

And all with a very simple mechanism -- with a little discipline it should be possible to write, test and deploy a primitive OpenID provider in a couple of hours. So if you don't want to trust anyone with your passwords and browsing habits it's dead easy to roll your own identification service from scratch, or deploy an open source implementation. And by the looks of things you're soon going to live in a world where your custom ID provider will work with all sites you care about.

Is there anything Brad Fitzpatrick can't do?
