Tuesday, October 06, 2009
Is there a future for OpenID?
Johannes Ernst, one of the founders of OpenID (and the OpenID Foundation), has just posted a thought-provoking piece about the present state - and the future - of that protocol ("Is OpenID Still User-Centric?").
I've pointed out before the problems between the OpenID evangelists (typically folks who do their own implementations, support open source projects and bemoan corporate or commercial involvement) and the major web organizations (Google, Yahoo!, Microsoft, Facebook, et al) who have adapted OpenID to their own purposes.
This is the often unspoken but nevertheless almost inevitable path that any successful open source project follows.
Perhaps it's time to truly fork the project. Let the "big boys" continue on with their "NASCAR billboards", PKI and whatever other baggage they want to heap on top of the simple protocol. Let the open source evangelists take the simplicity that was OpenID 1.1 and re-style it to its original purpose - locking in the development stream so that the aggrandizement can't happen again. It's not too late, and the upcoming IIW would be a good place to talk about it.
Sunday, August 10, 2008
"We have met the enemy..."
OpenID's leading lights appear to be down on the technology, it seems. After last week's note about Dick Hardt's seemingly wistful look at OpenID ("...one wonders if the identity opportunities of OpenID have passed.") comes today's note from Scott Kveton (chair of the OpenID Foundation board). Reacting to a Randy Stross New York Times piece highly critical of OpenID, Kveton says: "The OpenID community has identified two key issues it needs to address in 2008 that Randy mentioned in his column; security and usability."
If usability is bad (and the discussions on the OpenID email discussion lists support that notion), and security is a problem - what, exactly, does it have going for it?
Is it, perhaps, time for the leading lights to move on to a user-centered technology which does show promise of being an identity provider that is very usable and also quite secure? As Mr. McGuire might have said to Ben in The Graduate:
Mr. McGuire: I just want to say one word to you - just one word.
Or, as Eddie said to Saffie: Just put me through to Zermatt!
Thursday, July 31, 2008
OpenID - the denouement?
There's been much agitation for Facebook to join the likes of MySpace and Yahoo! in the OpenID community. But when Facebook recently announced its "Connect" service (a service to port ID information among various web sites), without a link to OpenID, much angst was experienced in that vocal group of supporters of the open source identity protocol. In particular, Sxip's Dick Hardt - one of the co-founders of the OpenID Foundation - mused about the future of so-called "user-centric" identity. Earlier (in "Facebook Connect - fatal blow for OpenID?") Hardt said: "Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed."
Other co-founders (Johannes Ernst, David Recordon) tried (with smoke, mirrors and whistling in the dark) to refute Hardt but, in my opinion, failed miserably. OpenID is a victim of its own early success. Too many people, with too many conflicting agendas, signed on in the hope of designing OpenID in their image. From the early fights over iNames through the querulous (and tedious) fights about Attribute Exchange, security and other aspects of a mature identity protocol, there was resistance from the majority of the developer base who really only wanted an easy way to log in to blogs. Nothing wrong with that. A simple, somewhat reliable way to ease the authentication process for blog comments while fending off robots and spammers is a worthy goal.
Perhaps this is the time for the visionaries within the OpenID community, those who have the vision of what a full-fledged open-source identity protocol should be, to bow out of that movement and form another one. Or, perhaps put their time and energy behind an existing movement such as the Bandit Project's DigitalME initiative. They could even create an STS (Security Token Service) to bridge OpenID and the InfoCard system so that they could be "true to their roots."
OpenID, it seems, is never going to be a secure, robust, full-featured identity system, so let's stop pretending that it can be. Let it be what it is and let's move on.
Monday, July 07, 2008
A clueless manifesto
A big tip o'the hat to Jeff Bohren for drawing my attention to this note from Alex Karasulu of the ApacheDS project. Now remember, he's working on a Directory Server project. Yet he says:
"The VD [Virtual Directory] implementations of today like Penrose, are just hacks without a formal computational basis to them. People trying to get a product to market rapidly to sell a company. We intend to enable virtualization eventually with a solid footing in the LDAP administrative model using this concept of a view. Views, as well as triggers/SPs will enable new ways to easily solve the problems encountered in the identity space. As a teaser just think what could be done in the provisioning space if AD supported triggers? Real technology will yield solid reliable solutions instead of these band aids we're seeing during this identity gold rush."
Too bad he's not aware of Radiant Logic, Symlabs and the Oracle (nee OctetString) virtual directories - all of which have been around longer than ApacheDS and all of which support triggering mechanisms either through straight SQL or through policy implementations. They're pretty good with "views," also. I'm still looking for that "trigger" mechanism in the LDAP model!
Monday, August 27, 2007
Open source vaults?
Someone who styles himself "Ant" has posted a note which, while not adding anything really new to the "portable identity" debate, still is important if only to show what an intelligent, if not totally informed, user might be thinking. And I certainly can't disagree when he says:
"I believe collectively we're searching for a repository for the many facets of my digital ID, constructed with an open standard. A database and application that lives on my own server with an API that allows organizations and companies to access the sets of information about me that I explicitly allow. This information doesn't get stored by these organizations or companies, because it's mine. They can access it whenever they need it, but I manage it and can cut them off whenever I choose. I want my identity under my control and not in the hands of corporations and organizations who may or may not be obliged to do the right thing with it."
But - and it's a big but - I have to shake my head at comments such as "my personal data is not for a corporation to charge me for the right to use." Yeah. And we'll have open source public data vaults right about the time we have free and open banks! (and I'd trust them just as little...)
Wednesday, January 03, 2007
OSSSO
Rakesh has posted a thorough listing of open source Simplified Signon (SSO) systems, projects and tools (Open Source Identity Systems for SSO) - well worth noting, reviewing and implementing.
© 2003-2006 The Virtual Quill, All Rights Reserved