OpenID: Single Sign On for the Web?

Web users are schizophrenic, and not by choice: They possess multiple identities to access sometimes dozens of online resources, but juggling those username/password combos is burdensome, time consuming and often a slippery slope to insecure practices. Who hasn't seen monitors adorned with Post-It Notes full of tasty data?

The OpenID Foundation wants to change that. On the user side, its community-developed system aims to let users create a single identity for signing in to an unlimited number of Web sites, relieving them of the need to maintain a variety of IDs and passwords. The OpenID framework also lets users control which identity attributes, such as e-mail, date of birth and so on, can be shared with a given site. OpenID may also appeal to Web site owners looking to cultivate large user communities. To that end, the foundation has designed its specification to be simple and inexpensive to deploy.

So what is an OpenID? It's a URL that a user enters into the log-in field when accessing a Web site. The framework provides the cryptographic underpinnings to prove that a user owns the URL she's logging in with. The OpenID specification, now available in a 2.0 draft version, has attracted an impressive list of supporters, including Microsoft, VeriSign and AOL.

However, OpenID isn't quite ready to change the world. Only a tiny fraction of Web sites—mostly blogs—actually accept OpenID credentials. Also, self-assigned IDs, which OpenID employs, are simply unsuitable for high-value e-commerce transactions. To that end, OpenID developers are working with other authentication frameworks, such as Microsoft's Windows CardSpace and the Liberty Alliance specifications, to create an identity infrastructure that allows users to move among identity systems and ratchet up authentication and assertion measures as necessary.Still, IT should pay attention: Support for OpenID comes at very low risk or commitment of resources, and companies that get in on the ground floor can benefit from organic growth.

Keep It Simple

Two major principles of OpenID, which was created by Brad Fitzpatrick, developer of LiveJournal blogging software, are simplicity and decentralization. When a user logs in to a site that supports OpenID, that site checks with a third-party server to confirm that the user owns the URL. Anyone who owns a server connected to the Internet can create his or her own identity and provide identity services for others. Such decentralization is intended to foster adoption because anyone can create or accept identities without having to get permission from a monolithic controlling entity.

Users who don't want to set up their own servers can obtain an OpenID from brand-name Internet companies. For instance, AOL now issues OpenID credentials to all its subscribers, and VeriSign's Personal Identity Provider, a free service that supplies users with online identities, supports OpenID. Smaller providers such as Get OpenID and MyOpenID also create identities for users. In addition, Microsoft has promised to support OpenID in its future identity services, and the Liberty Alliance is working on interoperability issues.

Sounds great, right? Problem is, OpenID isn't widely supported. As of press time, the Web site OpenIDDirectory.com lists just 295 sites that support the spec. While several, such as Technorati.com and LiveJournal, are high-profile, the majority are small fry.Why, then, so much attention on such a small framework? As mentioned, a major component is its decentralized nature. Because no organizational body "owns" OpenID, major players can implement its specifications any way they like and add their own authentication mechanisms. OpenID also has low integration costs because the software is free, and there's a growing community of open-source developers ready to add features and functionality.

In addition, Web 2.0 sites thrive on user participation—owners hoping to stimulate active communities know they need to make it as easy as possible to access and consume resources. A common identity system also relieves Web sites of the burden of managing user identities, including dealing with forgotten passwords.

How It Works

OpenID 2.0 has three basic elements: a user with a Web browser (User Agent); a Relying Party (the Web site the user wants to log in to); and an OpenID Provider, which asserts that the user owns a particular URL. The OpenID Provider may also possess a variety of identity elements, such as a user's name, date of birth, e-mail address and so on (see diagram, //TK location//). When a User Agent signs in to a Web site with an Identifier (a URL), the Relying Party contacts the OpenID Provider for an assertion that the user owns the Identifier. Messages are exchanged using HTTP Post and Get. OpenID relies on Diffie-Hellman key exchange for the Relying Party and OpenID Provider to negotiate a shared secret to sign communications.

When a Relying Party contacts the OpenID Provider, the OpenID Provider asks the user to authenticate, and then confirms which identity information it should send to the Relying Party. If the user consents to provide the identity elements requested by the Relying Party, the OpenID Provider sends them. The Relying Party processes the elements, and the user is logged in.If the user is already authenticated to the OpenID Provider, the OpenID Provider will skip its own authentication request to the user.

The biggest change from the OpenID 1.1 specification to Version 2.0 is the system's ability to accept an XRI (Extensible Resource Identifier). XRI is an OASIS standard that's similar to a URL but better suited for Web services and XML environments.

Friends of OpenID

OpenID isn't the only effort aimed at solving the online identity crisis. Other initiatives, such as Windows CardSpace and the Bandit Project, are competing for mindshare among developers and users.

A major goal of CardSpace is to replace username/password log ins as a way to access Web properties, thus thwarting phishing sites set up to steal such information. CardSpace doesn't do away with multiple online identities. Instead, it makes it easier for users to manage those identities.Using CardSpace software, a user controls a set of identities called Information Cards. Information Cards can be self-issued by users or downloaded from identity providers, such as credit card companies or government agencies. When a Web site requests a user's credentials, instead of entering a username and password, the user can choose the appropriate Information Card to present to the site. CardSpace then retrieves credentials from the identity provider and passes them to the Web site. For instance, a self-issued Information Card may be sufficient to log in to a blog site to post a comment, while an Information Card issued by a credit-card provider would be needed to make a purchase from an e-commerce site.

For users, Windows CardSpace capabilities are built into the Vista OS and can also be run on Windows XP. It works automatically with IE 7, while Firefox users must download an extension. Behind the scenes, CardSpace uses a variety of WS -* specifications, including WS-Trust and WS-SecurityPolicy.

This spring, Bill Gates announced that Microsoft would cooperate with the OpenID Foundation. This means both entities will work together to help third-party developers and service providers use both CardSpace Information Cards and OpenID. For instance, JanRain and Sxip, which offer open-source blogging and Web site code libraries, will add support for Information Cards in their OpenID code bases. Microsoft has also pledged to support OpenID in future products.

In addition, OpenID has been extended to support more robust authentication mechanisms, which was a key concern for Microsoft. The extension to the OpenID specification lets Relying Parties indicate authentication preferences, such as the use of phishing-resistant identity credentials, and lets Identity Providers help users meet those preferences, a capability that Microsoft wanted in the spec.

Of course, people get nervous when Microsoft embraces a technology. But David Recordon, a lead developer of OpenID and innovator for advanced products and research at VeriSign, is sanguine; he cites a good working relationship with Microsoft's identity team over the past two years.Another identity framework gathering traction is the Bandit Project. Sponsored by Novell, the Bandit Project aims to promote interoperability among identity systems using standard protocols and open-source software. The Bandit Project's DigitalMe software promotes the use of Information Cards outside of the Microsoft platform, such as with Firefox and open-source software, like SuSE Linux.

At present, there aren't any formal links between OpenID and the Bandit Project, though some kind of interoperability seems likely in the future.

Bottom line, something must change. Identity issues have plagued computing since its inception, and as the Web expands into more facets of life and commerce, those problems will only grow more severe. Projects such as OpenID recognize that users will have multiple identities and that Web sites will require a variety of credentials that will change depending on the nature of the transaction. So rather than force Web users and Web sites to conform to a single identity system, the OpenID Foundation wants to help both users and Web sites better manage identities in an open, decentralized manner while providing users with a measure of control over which identity elements they provide to Web sites.

Andrew Conry-Murray is New Products Editor at Network Computing and InformationWeek. Write to him at [email protected].