OpenID - next big thing with lots of problems
OpenID is becoming the standard for decentralized identity management and single sign-on. This was clear after Microsoft announced they would make it interoperable with CardSpace. A short while ago OpenID even made it to the mainstream press when it was featured on the front page of USA Today's business section. I have looked into it a bit closer now, and I can just say it sucks.
- Your identity provider is able to track all websites you log into. They even tell you it's a feature. User profiling made easy! This reminds me of the data retention plan in Europe, but here it is done voluntarily. Think of what can happen if this data falls into the wrong hands.
- You have a unique identifier (your OpenID URI) for all relying parties, so you can't choose between different cards or identities for different sites. Cross-site profiling made easy!
- The latter of course can be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place: having to remember several logins, passwords and so on. The relation between usability and traceability seems to be proportional: if you have only one OpenID, usability is high, but traceability is equally high. If you have many different OpenIDs, you cannot be traced across sites, but usability also goes down the drain!
- It is open to the very easy kitten-phishing attack, and eavesdropping is no problem, as the identity tokens are posted with a plain HTTP POST. Who in Web 2.0 uses HTTPS?
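To make the first and last points concrete, here is an added example (not code from the original post or from any OpenID implementation) that parses constructed OpenID 2.0 checkid_setup requests the way an identity provider receives them: it builds the per-user list of relying parties the provider learns as a side effect of every login, and flags return_to endpoints that are plain http. All hosts and requests below are made up.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: query strings of OpenID 2.0 authentication requests as the
# identity provider (OP) sees them. Every request carries the relying party's
# return_to URL (and usually its realm), so the OP learns where the user logs in.
SAMPLE_REQUESTS = [
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup"
    "&openid.claimed_id=https://alice.example.net/&openid.identity=https://alice.example.net/"
    "&openid.return_to=http://forum.example.org/openid/return&openid.realm=http://forum.example.org/",
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup"
    "&openid.claimed_id=https://alice.example.net/&openid.identity=https://alice.example.net/"
    "&openid.return_to=https://shop.example.com/auth/openid_cb&openid.realm=https://shop.example.com/",
    # return_to outside the claimed realm: the OP must reject this request
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup"
    "&openid.claimed_id=https://alice.example.net/&openid.identity=https://alice.example.net/"
    "&openid.return_to=https://other.example.com/cb&openid.realm=https://shop.example.com/",
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=checkid_setup"
    "&openid.claimed_id=https://bob.example.net/&openid.identity=https://bob.example.net/"
    "&openid.return_to=http://forum.example.org/openid/return",
]

def realm_matches(realm, return_to):
    """OpenID 2.0 realm check: return_to must lie within the realm (scheme, host, port, path prefix;
    a leading '*.' in the realm host matches subdomains)."""
    r, t = urlsplit(realm), urlsplit(return_to)
    if r.scheme != t.scheme or r.port != t.port:
        return False
    if r.hostname.startswith("*."):
        return t.hostname == r.hostname[2:] or t.hostname.endswith(r.hostname[1:])
    return r.hostname == t.hostname and t.path.startswith(r.path)

def profile_from_requests(queries):
    """Return {claimed_id: {realm: return_to scheme}}: the login map an OP accumulates."""
    seen = defaultdict(dict)
    for query in queries:
        p = {k: v[0] for k, v in parse_qs(query).items()}
        if p.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
            continue
        return_to = p["openid.return_to"]
        realm = p.get("openid.realm", return_to)  # realm defaults to return_to
        if not realm_matches(realm, return_to):
            continue  # reject: RP claims a realm its return_to is not part of
        seen[p["openid.claimed_id"]][realm] = urlsplit(return_to).scheme
    return dict(seen)

def insecure_relying_parties(profile):
    """Realms whose return_to is plain http: the signed assertion travels in the clear."""
    return sorted({realm for sites in profile.values()
                   for realm, scheme in sites.items() if scheme != "https"})
```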
Latest news: There is already a campaign against OpenID in Germany:
The text on the banner means "For Security: OpenID - No, thanks! For Independence". Interesting how some people have understood the surveillance infrastructure that is building up here. Remember Lawrence Lessig: A system of perfect identity is a system of perfect control.
Update, 24 May 2007: The campaign has been taken offline. I am hosting the logo here now for documentation.