OpenID Economics Centers on Relying Parties



Tim Bray has written a post saying that OpenID seems pretty useless and then points out some problems and possible solutions. The ironic thing is I can't argue with many of his points, but come to a very different conclusion.

I don't intend to respond point by point. He's spot on, for example, in what he says about TLS. While the OpenID spec tries to stay away from specific authentication mechanisms and has been subjected to considerable security analysis over the months, there's no reason not to require that HTTP transport happen over TLS. In practice, however, I doubt any serious OpenID identity providers (IdPs) wouldn't use TLS.

That leads to the primary point. While it's true that anyone can throw up an OpenID server and start offering IdP services (Tim's "what's it mean" point), I think we'll see a limited set of trusted IdPs in practice. After all, AOL offers it now. If a few more of the big players offered it with their services (come on, Yahoo! and Google), everyone on the 'Net would have an OpenID from a trustworthy IdP.

A few big players would be sufficient since what OpenID provides is authentication. Simple, plain-old authentication. When you accept an OpenID as a relying party, all you know is that the IdP is saying that the person in control of the password for that OpenID entered it at their site. So, as long as you trust the IdP to verify the identity of the user, that's all you need.

What's the value? Just that. I don't have to do authentication and mess with password reset, and so on. If I were building a Web application today, I'd certainly allow OpenID authentication and might even consider only accepting OpenID. There's not much time savings at build time, but it cuts the operational complexity. You still have to associate attributes with that identity and build authorizations around it.

OpenID 1.0 doesn't include attribute exchange, but OpenID 2.0 does. With attribute exchange, I might start caring which OpenID provider someone uses even more. Amazon might be able to send me attributes (with the user's permission) that Google can't. As a relying party, I might get more picky based on what I need to know.

Much of the talk is about user convenience and "single sign-on" (SSO), but that's not what will drive OpenID acceptance and use. For that to happen, relying parties have to see value in (a) account management simplicity and (b) attribute exchange. The first is a reality today; the second will come.

With attribute exchange, some niche OpenID providers are likely to spin up based on specific attributes or features. But wait, if I've got multiple OpenIDs and IdPs, doesn't that negate the SSO value? Yes, but for the announcement that OpenID will interoperate with CardSpace. Now, I can have multiple OpenIDs and manage them in my card selector from my desktop, choosing which to send based on what I want to reveal and what the relying party needs.

So, I don't think OpenID is useless. To the contrary, I think there's real value to relying parties now and more to come.