thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Tuesday, April 03, 2007

OpenID - next big thing with lots of problems

OpenID is becoming the standard for decentralized identity management and single sign-on; this was clear after Microsoft announced it would make CardSpace interoperable with it. A short while ago OpenID even made it to the mainstream press when it was featured on the front page of USA Today's business section. I have now looked into it a bit more closely, and I can only say it sucks.
  • Your identity provider is able to track all websites you log into; they even call it a feature. Every authentication request a site sends to the provider carries the site's own URL (the return address the provider must redirect you to), so the provider necessarily learns which site you are logging into and when. User profiling made easy! This reminds me of the data retention plan in Europe, but here it is done voluntarily. Think of what can happen if this data falls into the wrong hands.

  • You have a single unique identifier (your OpenID URI) for all relying parties, so you can't choose between different cards or identities for different sites, and any two sites that compare their user tables can link your accounts on it. Cross-site profiling made easy!

  • The latter can of course be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place: having to remember several logins, passwords and so on. Usability and traceability seem to be proportional: if you have only one OpenID, usability is high, but traceability is equally high. If you have many different OpenIDs, you cannot be traced across sites, but usability also goes down the drain!

  • It is open to the very easy kitten-phishing attack: the relying party is the one that redirects your browser to what it claims is your provider's login page, so a malicious site can send you to a look-alike and collect your provider password. Eavesdropping is no problem either, as the identity assertion travels back to the relying party through your browser (as a redirect or a form post) over plain HTTP, and the password you type at the provider is only as safe as the provider's login page. Who in Web 2.0 uses HTTPS?
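As an added illustration of the first two points (this is example code, not part of the original post and not taken from any OpenID implementation), here is a constructed Python model of the OpenID 2.0 checkid_setup exchange: the relying party builds the redirect, the provider parses it and records what it necessarily learns, and two relying parties join their own user tables on the shared identifier. The identifier http://alice.example.net/, the provider endpoint, the host names and the timestamps are all made up. Field names follow OpenID Authentication 2.0 (openid.realm was called openid.trust_root in OpenID 1.1).

```python
"""Constructed model of what an OpenID provider (OP) and relying parties (RPs)
can record from the OpenID 2.0 checkid_setup exchange. Example code only."""
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
ALICE = "http://alice.example.net/"                       # assumed: Alice's single OpenID URL
OP_ENDPOINT = "http://alice.example.net/openid/server"    # assumed: her provider's endpoint


def rp_build_auth_request(op_endpoint, claimed_id, realm, return_to):
    """RP side: the redirect URL the user's browser is sent to (spec section 9.1).
    realm and return_to identify the RP; the OP cannot function without them."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.realm": realm,
        "openid.return_to": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def return_to_matches_realm(return_to, realm):
    """Simplified realm check (spec section 9.2): same scheme and port, host equal
    or under a '*.' wildcard, and return_to path below the realm path.
    An RP that fails this check is lying about who it is, so the OP rejects it."""
    r, t = urlparse(realm), urlparse(return_to)
    if r.scheme != t.scheme or r.port != t.port:
        return False
    rh, th = r.hostname or "", t.hostname or ""
    if rh.startswith("*."):
        host_ok = th == rh[2:] or th.endswith(rh[1:])
    else:
        host_ok = th == rh
    return host_ok and t.path.startswith(r.path or "/")


class Provider:
    """OP side: every request discloses which RP the user is logging into."""

    def __init__(self):
        self.log = []  # (timestamp, claimed_id, realm): the "feature"

    def handle(self, redirect_url, now):
        q = parse_qs(urlparse(redirect_url).query)
        if q.get("openid.mode") != ["checkid_setup"]:
            raise ValueError("not a checkid_setup request")
        claimed_id = q["openid.claimed_id"][0]
        realm = q["openid.realm"][0]
        return_to = q["openid.return_to"][0]
        if not return_to_matches_realm(return_to, realm):
            raise ValueError("return_to lies outside the realm")
        self.log.append((now, claimed_id, realm))
        return realm


def sites_visited(log, claimed_id):
    """The OP's profile of one user: every RP that identifier logged into."""
    return sorted({realm for _, cid, realm in log if cid == claimed_id})


def cross_site_join(rp_logs):
    """What colluding RPs can do without the OP: join their user tables on the
    claimed_id, which is identical at every site. Returns ids seen at 2+ RPs."""
    seen = defaultdict(set)
    for rp, ids in rp_logs.items():
        for cid in ids:
            seen[cid].add(rp)
    return {cid: sorted(rps) for cid, rps in seen.items() if len(rps) > 1}


def demo():
    """Alice logs into two unrelated sites one minute apart (constructed data)."""
    op = Provider()
    now = 1175558400  # constructed timestamp
    for realm, ret in [
        ("http://blog.example.com/", "http://blog.example.com/openid/return"),
        ("http://shop.example.org/", "http://shop.example.org/login/done"),
    ]:
        op.handle(rp_build_auth_request(OP_ENDPOINT, ALICE, realm, ret), now)
        now += 60
    return op


if __name__ == "__main__":
    op = demo()
    print("OP knows Alice visited:", sites_visited(op.log, ALICE))
    print("RPs can link:", cross_site_join({"blog": {ALICE}, "shop": {ALICE}}))
```

The realm check is the one defence the protocol gives the provider here, and it only stops a relying party from impersonating another site's return address; it does nothing to stop the provider from keeping the log, and nothing stops two sites from running the join.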
Compared to Microsoft's InfoCard/CardSpace, this is an interesting example of how a big, evil monopolist was outfoxed by the crowd / Web 2.0 community, even though the former had the better product and the crowd was naive in believing its A-list bloggers. I will be speaking about digital ID management on a few occasions in the coming weeks (here and here), and I look forward to interesting discussions.

Latest news: there is already a campaign against OpenID in Germany:

The text on the banner means "For Security: OpenID - No, thanks! For Independence". Interesting how some people have understood the surveillance infrastructure that is building up here. Remember Lawrence Lessig: A system of perfect identity is a system of perfect control.

Update, 24 May 2007: The campaign has been taken offline. I am hosting the logo here now for documentation.


Anonymous said...

You are welcome to blog this in German as well.

4/4/07 11:22

Anonymous said...

Have you ever tried to build your own OpenID server? I heard it's quite easy.
Of course there is a trade-off between the number of IDs you use and the usability. But isn't it possible to build up different identities with different reputations?

13/4/07 20:59

Anonymous said...

In lieu of a trackback:

PS: Isn't it ironic that I could use my all-cookie-ing Google identity to post here? :)

30/4/07 20:20

Anonymous said...

I share your concern about how OpenID is currently intended to be used. As such, your comments are both timely and noted.
However, I definitely see a model of interaction with OpenID (and other identity systems) that will *allow* privacy to be maintained. The ultimate goal however should be to utilize federation to separate data.
OpenID can play a role in this context as a piece in the federation. Obviously, you would not necessarily want to fill the default attributes for OpenID (name, DOB, etc.) with real values.
Please let me know if you are interested in more discussions.

8/5/07 02:44

Anonymous said...

That's the exact reason I run my own OpenID server, though I still have my VeriSign account for those blogs/sites where I don't want to use my own domain as URI.
Any time soon I'll try to post how I was able to install a relatively painless OpenID server.

12/6/07 05:19

Anonymous said...

I know this is late, but I want to respond to people who arrive from Google:

Yes, you can run your own provider, just as you could use a password manager! If you install a provider on your computer you lose the only advantage OpenID had over password managers: using it on all computers without carrying a USB stick with passwords.

It would be more "secure" against automatic cross-site logging to use a password based on the site URL (like "") than trusting an OpenID provider.

OpenID? No, thank you.

16/1/09 03:03
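As an added example of the site-URL-derived password the last commenter proposes (this is not the commenter's code and names no particular tool; the key-derivation choice, the host-only salting and the master secret are assumptions of this example), here is a small Python derivation. Each site gets its own credential, no third party is consulted at login, and nothing the two sites hold lets them link the accounts.

```python
"""Constructed example: derive a distinct password per site from one master
secret, so no provider sees your logins and no identifier is shared across
sites. Example code, not the commenter's."""
import base64
import hashlib
from urllib.parse import urlparse


def site_password(master_secret: bytes, site_url: str, length: int = 24) -> str:
    """Derive a printable per-site password.

    Salted with the host name only (assumption of this example), so http://,
    https://, ports and paths on the same site all yield the same password.
    PBKDF2 is used so that a leaked derived password makes brute-forcing the
    master secret expensive; the iteration count is an assumed setting."""
    host = urlparse(site_url).hostname
    if not host:
        raise ValueError("site_url must contain a host name")
    salt = host.lower().encode("idna")
    raw = hashlib.pbkdf2_hmac("sha256", master_secret, salt, 200_000, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def linkable(pw_at_site_a: str, pw_at_site_b: str) -> bool:
    """What two colluding sites can do with the credentials alone: nothing,
    unless the derived passwords happen to be equal (same host)."""
    return pw_at_site_a == pw_at_site_b


if __name__ == "__main__":
    master = b"correct horse battery staple"  # constructed master secret
    blog = site_password(master, "https://blog.example.com/login")
    shop = site_password(master, "https://shop.example.org/")
    print("blog:", blog, "shop:", shop, "linkable:", linkable(blog, shop))
```

Two caveats a practitioner would add: registering with the same e-mail address at both sites links the accounts regardless of the password, and changing the master secret changes every derived password at once, so this trades the provider's log for the usability cost the post's third bullet describes.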

