Misconceptions about OpenID

July 10, 2007 in OpenID by Carsten Pötter | View Comments

As most of you have probably realised OpenID has gained more attention from media – both traditional media and blogs – and users alike in recent months; also the numbers of Identity Providers (IdP) and Relying Parties (RP) are constantly growing. So happy times, everybody understood the benefits of OpenID? Not really. Reading some blog articles and comments there seem to be some misconceptions about OpenID floating around. I am not sure about the reasons; either people don’t understand it or they just repeat some buzz words. Don’t get me wrong, I don’t have much deeper knowledge about it myself and I wouldn’t be surprised if I was talking nonsense quite often, but I want to clear up three of the more common misconceptions about OpenID I have come across.

OpenID Is a Social Network

Often people refer to OpenID as a social network. Well, it is not, it’s not even an application. It is just a very smart single sign-on system which lets users log in to various websites with just a URI – their OpenID – without registering with those sites first. It is definitely not a social network. Developers can build a social network which is OpenID enabled but it won’t be different from any other network around. Well, maybe it will have some super cool features which will set it apart from existing networks. You’ll get the picture, I guess.

Importing Friends

Maybe the aforementioned misconception derives from another, very similar one. People think OpenID is the magic way to import their friends and contacts from one social network to another, the application to escape silos and walled gardens. However that’s wrong as well. There is no build in feature which supports this. There might be solutions which combine OpenID and microformats like hCards and XFN or projects like FOAF (there is a proposal for a foaf:openid property discussed at the moment) but right now those systems can only be build on top of OpenID; it can’t do that on its own.

OpenID Is a Trust System

This is probably the most referred misconception. But an IdP just authenticates a user to RP’s, telling them that the user has control over a URI. It doesn’t tell anyone that I am really Carsten Pötter, I can’t prove this in the realms of OpenID. I just can prove that I have control over my OpenID. So in its current draft banks hopefully won’t deploy OpenID as the only means of managing any money transfers. OpenID can be a part of that process but not the only solution.

Conclusion

I certainly don’t want to discourage anyone from using OpenID but if your decision is solely based on one of the mentioned misconceptions you will be disappointed. Though the really cool thing about OpenID is developers can build other applications on top of it which will provide all those features I have mentioned in this small article. I recommend watching Simon Willison’s Google Tech Talk; he answers most (all?) questions you might have about OpenID.

Tags: , ,

  • Carsten Pötter
    Reg. trusting an IdP, I think pressure on IdP's will come from users. Users will have a closer look at security features and privacy options of IdP's in the future which will lead to competition between IdP's and therefore better security for both RP's and users. Of course, everyone can set up their own server but I guess that will be the minority of users. So RP's would be able to manage that situation; they could blacklist OpenID's (not necessarily IdP's) if they think users were scammers, trolls, whatever.
  • OpenID can be extended (draft specifications exist already) to provide a certain trust level about your identity claims. I see OpenID as a natural evolution of digital client certificates at some point.

    However one of the current problems concerning trust is, that you can't trust any OpenID provider, that whatever the provider returns to the relying party(RP) is correct. An RP like your blog simply has to accept the response, but ANYBODY can be a provider being it good or bad. I view this approach very problematic in the long run. I guess there will be sever limitations in the future who, how and which provider is going to accepted by RPs.
  • Carsten Pötter
    Jason: It's true that users have to provide more information than their OpenID sometimes. But their first contact with any OpenID enabled site is just their OpenID and maybe information provided by SREG. Maybe I should have written signing-on than registering.

    Joseph: Of course, many things can be build on OpenID. But sometimes people just say: The solution is OpenID. It lets you import your friends.
    They don't say that OpenID might be a basis for this; they assume OpenID can do this already. That's what's bothering me.
  • I agree that "OpenID Authentication" spec certainly isn't a social network, and there may be some miscommunication in terms of advocacy. I may be a bit guilty of it myself, but it's hard to advocate decentralized identity to the layman. However, I think many in the social networking community are framing digital identity, and therefore OpenID as a whole, as an issue that is fundamentally greater than just authentication and authorization.

    What OpenID Authentication does for social networking is it establishes the notion of a specific GLOBAL NAMESPACE as a representation of a user's identity. FOAF without a global identifier (whether it be your URL or XRI) means that there is no Key ID in the cloud. It's a library of people without a Dewey Decimal System. It prevents people from asserting themselves and dare I say, prevents semantic identity to take hold. It isn't a misconception that OpenID allows you to import friends of one other. OpenID *creates* the ability to use your global identifier all over the web, which allows for social networking to take place (whether it be FOAF/Microformats/etc) and a whole host of other personal metadata.

    I would agree that OpenID isn't these things NOW, but I think when you touched on building things on top of OpenID is key. OpenID has profound applications for social networking, not to mention a whole host of other services. This sort of decentralization of one's own information is incredibly similar to the decentralization from discussion board sites to a smattering of weblogs all over the web -- and the ability to authenticate elsewhere allows for this to take place. (DiscussionServices:Weblogs Trackbacks::SocialNetworks:DecentralizedIdentity) Self-link, I've hacked together a hacky demo of the implications of OpenID SocialNetworks at http://openidr.mekov.com/

    I think the reason many are seeing OpenID as a social network is because it is the magical missing puzzle piece. Social networking is not just something clever that can run on top of OpenID, it's literally THE missing piece that we've been waiting for. A unique identifier for PEOPLE, with authentication and metadata, allows for us to solve "The Missing Addressbook" problem.
  • Jason
    It is just a very smart single sign-on system which lets users log in to various websites with just a URI - their OpenID - without registering with those sites first.


    This isn't necessarily true. You may still need to register given the site you're connecting too.
    That is to say, you consider "filling out required profile information prior to using a site" registering.

    With something like a Guestbook or Blog, it's possible to not register, leave a one-off comment tagging your content with your OpenID, and moving on.

    There's nothing in OpenID that says; "NO MORE REGISTRATIONS EVER!".
    But it's the most practical use-case, as it's easy, and usually pretty simple.
    Some places may still want profile information (say, for instance, social networks) :D.
blog comments powered by Disqus