Thursday, January 17, 2008

Thoughts on OpenID

Web single sign-on has been the stuff of dreams for - well, for as long as the web has existed. Microsoft's much-derided Passport - placing all control in the hands of that institution - was the last serious attempt. Now, finally, we have an open, distributed standard that puts control with the user - OpenID.

Yahoo's implementation of OpenID is a massive fillip for the standard. Although Yahoo is only a provider of accounts - it won't read accounts created elsewhere - it triples the ecosystem of OpenID accounts, making it ever more likely that the next generation of start-ups will consume these IDs.

OpenID has a key architectural advantage - usernames are URLs, not email addresses. That means you can tell someone your OpenID without getting spammed.

Trouble is, if you are JohnDoe99@yahoo.com, what is the Yahoo OpenID you'll want? http://openid.yahoo.com/JohnDoe99, of course. And if you give that out, people will be able to guess your email account pretty easily...

I have no idea how Yahoo (or anyone else) will prevent this. Perhaps the secret is to have a different email provider to your OpenID provider! If someone asks your email address, it feels impolite to ask them to look it up at your OpenID URL!

It's a social issue as much as a technical one. OpenID has the chance to make life on the internet so much better; let's hope it grabs its opportunity!

2 comments:

Factory Joe said...

Actually, they solved this problem in a pretty smart way, giving you total choice:

http://flickr.com/photos/factoryjoe/2202181097/

Chris Jay said...

Thanks Mr. Joe. Seems like a reasonable solution - both a random URL, plus a user-defined one. Let's hope it works and is understood, only time will tell!