IIW 2005: Brad Fitzpatrick on OpenID


OpenID is similar to LID in that URLs are used for identifiers. Identity URLs can be static web pages so there's a low barrier to entry. Also, no SSL is required, nor is a browser plugin. OpenID is simply a way to prove you own a URL.

OpenID can be stateful or stateless. Stateful access is faster, but requires more infrastructure to support.

When you fetch a URL, the page has a way of saying who the identity server is (in a <link/> tag). The identity server provides a way for the person claiming the URL to prove (e.g. with a password) that they are the person who owns it. Delegation happens on the page associated with the URL, rather than on the server.
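The discovery step described above, as an added example (not code from the talk): it pulls the identity server and the optional delegate out of the page's <link/> tags. The rel names openid.server and openid.delegate are the OpenID 1.x values; the sample page is constructed.

```python
# Minimal OpenID 1.x discovery (added example, not code from the talk):
# read the identity server and the optional delegate out of the <link>
# tags of the claimed URL's page. Fetching the page is left to the caller.
from html.parser import HTMLParser
from typing import Dict, Optional


class _LinkCollector(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> hrefs."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":  # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        # rel may hold several space-separated tokens; match case-insensitively
        rels = a.get("rel", "").lower().split()
        href = a.get("href", "").strip()
        for rel in ("openid.server", "openid.delegate"):
            if rel in rels and href and rel not in self.found:
                self.found[rel] = href  # first occurrence wins


def discover(claimed_url: str, html: str) -> Optional[Dict[str, str]]:
    """Return the identity server to contact and the identity to assert.

    With no delegate link the claimed URL itself is the identity; with one,
    the delegate URL is what the identity server is asked to verify. That is
    how a static page can point at an account hosted elsewhere.
    """
    p = _LinkCollector()
    p.feed(html)
    p.close()
    server = p.found.get("openid.server")
    if not server:
        return None  # no identity server declared: cannot proceed
    return {"server": server,
            "identity": p.found.get("openid.delegate", claimed_url)}


# Constructed sample page for a claimed URL hosted on a static site.
SAMPLE = """<html><head><title>me</title>
<LINK REL="openid.server" HREF="https://idp.example.net/openid/server"/>
<link rel="openid.delegate" href="https://idp.example.net/user/alice"/>
</head><body>hi</body></html>"""
```

Because the page is fetched without SSL, whatever <link/> tags arrive are trusted as-is, which is where the DNS-spoofing caveat below bites.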

OpenID isn't a trust system, a solution for all identity problems, or perfectly secure. There's no associated data in the protocol itself. The protocol is susceptible to man-in-the-middle attacks and DNS spoofing.