OpenID: Why It is Completely Wrong and Why It Should Be Used Anyways

Jeremy Smith

Case Western Reserve University

What is OpenID?

What is OpenID?

• Enables you to logon to a web site using credentials from another web site

Logging onto Wikitravel.org ➜

Redirect to case.edu for Authentication ➜

Authorize Information Release to Wikitravel.org ➜

Finish Wikitravel.org Registration ➜

Where Could OpenID Prove Useful?

• Facebook
• 

Where Could OpenID Prove Useful?

• Facebook
• 

Where Could OpenID Prove Useful?

• Facebook
• 

Where Could OpenID Prove Useful?

• Facebook
• Hosted web apps
  • a.k.a. "Software as a Service" or "SaaS"
• 
  • Nobody wants to have to (or remembers to) disable auxiliary accounts

Where OpenID Fails

• There is no verification that the data accompanying a user is valid (no trust)
• 

Where OpenID Fails

• There is no verification that the data accompanying a user is valid (no trust)
• No mechanism to keep information up to date
• 

Where OpenID Fails

• There is no verification that the data accompanying a user is valid (no trust)
• No mechanism to keep information up to date
• Won't stop spammers
• Provides no method for authorization
• Eminently phishable
  • 

OpenID Will Ultimately Work

• It's the simplest possible solution that does work
• OpenID will be part of an ecosystem of authentication, authorization, and security-minded protocols
• "A complex system that works is invariably found to have evolved from a simple system that worked."

OpenID Will Ultimately Work

• What happened to other "cross-domain" authentication protocols?
  • Liberty Alliance
  • Shibboleth/SAML
  • MS Passport

OpenID Will Ultimately Work

• What happened to other "cross-domain" authentication protocols?
  • Liberty Alliance
  • Shibboleth/SAML
  • MS Passport Hailstorm

OpenID Will Ultimately Work

• What happened to other "cross-domain" authentication protocols?
  • Liberty Alliance
  • Shibboleth/SAML
  • MS Passport Hailstorm Windows Live ID

OpenID Will Ultimately Work

• What happened to other "cross-domain" authentication protocols?
  • Liberty Alliance
  • Shibboleth/SAML
  • MS Passport Hailstorm Windows Live ID
• Your average Joe programmer-guy who owns his own domain couldn't set any of those up (easily)
  • http://phpmyid.com/
• OpenID is emergent; not top down; grassroots support; growing

You Can't Fight the Internet

Thank You

• Presentation available online at http://blog.case.edu/jeremy.smith/presentations/2008/05/openid