It's been a busy week in the world of OpenID. On Friday Ben Laurie announced a security vulnerability around OpenID that relates to existing problems with DNS and certain SSL certificates. Discussions on the OpenID General mailing list have been fruitful, and the major OpenID providers out there today have disclosed that they are either not vulnerable or patching quickly. It should also be noted that none of the providers listed at openid.net/get were ever vulnerable to this attack.
One of the greatest parts of the OpenID community is that the people developing this technology react so quickly to problems that inevitably arise. There is no such thing as 100% secure with anything on the Internet, but we can (and have) put measures into place to react quickly as a community when issues like this occur.
OpenID faces two challenges in increasing adoption and use: security and usability. This afternoon, Randall Stross of the New York Times published his “Digital Domain” column criticizing OpenID on both of these points. It's great to see people looking at security with regard to OpenID and asking the hard questions, and it also highlights a few common misconceptions:
- Authentication is out of scope for OpenID: Because there is no silver bullet for security, the way you authenticate your OpenID is actually out of scope of the protocol. As such, you can use whatever level of security you want to protect your OpenID. We have seen vendors offer unique solutions like VeriSign’s VIP, JanRain’s CallVerifID and Vidoop’s ImageShield, created to provide alternatives to passwords for authenticating users’ OpenIDs. OpenID allows companies both large and small to experiment with ways to authenticate their users without requiring buy-in from sites across the Internet.
- Information Cards solve a different problem than OpenIDs: In his article, Randall mentions how Information Cards are superior in terms of authentication compared to OpenID. In actuality, you can use an Information Card to secure your OpenID if you want, and there has been a lot of work on this within the OpenID community. VeriSign’s OpenID provider even supports Information Cards in addition to token-based authentication. Information Cards provide the means to securely authenticate you, assuming you have the technology installed on your machine. In addition, Information Cards lack the ability to take advantage of one of OpenID’s main strengths: the destination or URL that a user has proved they own. The potential for this end-point for services is limitless and may serve as one of the key components driving OpenID use: the ability to move data from somewhere on the Internet that you have proved you own.
- Nobody is really adopting OpenID: I’m always surprised to hear people say that, just because the big players are only OpenID providers (and not consumers), we’re failing here. I always try to remind people that this technology is only three years old and we’ve made tremendous strides since its inception. Not only that, the latest graphs continue to show hyperbolic growth. These things take time and, again, security and usability will be key drivers of OpenID adoption moving forward.
I’m excited to see a lot of interesting efforts from the community to help with usability. Tom from Barnraiser.org has been doing a series of articles that describe some of these usability issues. We’ve seen community efforts such as Email Address to URL Translation, which allows users to enter their email addresses instead of URLs, and Identity in the Browser (IDIB), which is hoping to bake OpenID functionality (and increased security) into all of the modern browsers.
On the security front, we’re seeing traction in the development of the OpenID Provider Authentication Policy Extension (PAPE), which will help sites determine which providers they will trust based on the means of authentication the user has used to get access. Both Sxip and JanRain have implemented early prototypes of PAPE on their OpenID providers.
We’ve got a long way to go with OpenID in getting it to a point where it can stand in the face of criticism, but I’m confident in this community that has come together through the first three years to get where we are today. I still firmly believe the best is yet to come.