Not So OpenID

A lot of attention is being paid AOL’s announcement that they will support OpenID, but only from a select White List of providers. Ashish Jain has his thoughts here and relates his experiences trying to get added as a provider.

Kim Cameron offers his thoughts here, and thinks that AOL and other sites should allow any OpenID provider in order to drive traffic. He makes the distinction between credentials and accounts and makes a great point:

Credentials should be seen as a cost center, and accounts as a profit center.

The common thread here is the recognition that there are currently a lot more OpenID providers than relying parties. Most OpenID relying parties are only leveraging OpenID for relatively low sensitivity things like enabling blog comments. It seems that the few that are allowing OpenID authentication to important accounts are using a white list approach like AOL.

Now why is that? The main reason is probably the perceived business case that most of these posts mention. Most of these sites want to be driving the identity experience. The perception is that the site that serves as the launch pad for the rest of the user’s browsing controls their destiny.

But there is another issue at play here as well, and that is the perception of asymmetric risk.

I want to use an analogy that may get me into trouble, but bear with me. OpenID without white lists is what I call a promiscuous trust system. By default OpenID trusts everyone. In other words, it sleeps around a lot.

Now image a population in which there existed a sexually transmitted disease for which the transmission from male to female was far easier than the transmission from female to male. Obviously there would need to be some transmission risk in all cases or the disease would die out, but image that the risk is very asymmetrical. In this scenario, it’s much less risky to sleep around if you are a male than a female. Now compare this to OpenID.

In OpenID, there is very little perceived risk in being a provider. If a user compromises your site and uses your site to authenticate to a relying party as someone else, there is really very little consequence to you. After all you don’t have any agreements with any specific relying parties. Why not be a provider, if there is so little risk involved?

Being a relying party however is a different matter. If someone compromises a provider and falsely authenticates to your relying party, they are misusing someone’s resources. The sensitivity of these resources would make the difference between allowing unrestricted OpenID or white list controlled OpenID.

(Mirrored from TalkBMC)


2 responses to “Not So OpenID

  1. I don’t quite understand the assymmetry of the risk.

    “In OpenID, there is very little perceived risk in being a provider. If a user compromises your site and uses your site to authenticate to a relying party as someone else, there is really very little consequence to you.”

    I certainly understand how the Relying Party faces the greater immediate risk, however the Identity Provider in being compromised, will have lost the trust of the RP resulting in the RP switching to another ID Provider.

    Doesn’t this suggest that establishing trustworthy RP relationships will be key to be a successful Identity provider?

  2. As has been stated before, OpenID doesn’t deal with risk. Nor does it deal with phishing. Yet both of these issues are real issues that IDPs and relying parties must contend with.

    AOL’s approach is safe, but somewhat boring. I mean, why not try to go totally open and see how it goes? If things don’t turn out so well or AOL is inundated with spam or false requests, they can adjust… or better yet, develop an Akismet style list of abusive IDPs that they can sell access to…

    I know that there’s a lot of politics in here, but I really think that AOL could show some leadership here and really embrace openness. Isn’t that what AOL Open is all about?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s