Thursday, January 17, 2008

Thoughts on OpenID

Web single sign on has been the stuff of dreams for - well, for as long as the web has existed. Microsoft's much-derided Passport - placing all control in the hands of that institution - was the last serious attempt. Now, finally, we have an open, distributed standard that puts control with the user - OpenID.

Yahoo's implementation of OpenID is a massive filip for the standard. Although Yahoo is only a provider of accounts - it won't read accounts created elsewhere - yet it triples the ecosystem of OpenID accounts, making it ever more likely that the next generation of start-ups will consume these IDs.

OpenID has a key architectural advantage - usernames are URLs, not email addresses. That means you can tell someone your OpenID without getting spammed.

Trouble is, if you are, what is the Yahoo OpenID you'll want?, of course. And if you give that out, people will be able to guess your email account pretty easily...

I have no idea how Yahoo (or anyone else) will prevent this. Perhaps the secret is to have a different email provider to your OpenID provider! If someone asks your email address, it feels impolite to ask them to look it up at your OpenID URL!

It's a social issue as much as a technical one. OpenID has the chance to make lire on the internet so much better, let's hope it grabs its opportunity!


Factory Joe said...

Actually, they solved this problem in a pretty smart way, giving you total choice:

Chris Jay said...

Thanks Mr. Joe. Seems like a reasonable solution - both a random URL, plus a user-defined one. Let's hope it works and is understood, only time will tell!