
Exploring the science and magic of Identity and Access Management
Friday, March 29, 2024
 

OpenID Credibility: Harry and Bess Truman

Identity
Author: Mark Dixon
Tuesday, June 12, 2007
2:05 pm

In the past few days, I have been exploring the OpenID community a bit. It has become apparent that all OpenID identifiers aren’t equal and many don’t bring a great deal of credibility to the table.

I visited MyOpenID.com and was issued an identifier for Harry Truman: http://harrytruman.openid.com. No validation, no verification of Harry’s real Identity. I just plugged in President Harry Truman’s birthday and home town. I did use my own personal email address, but it wasn’t even validated at the time.

Armed with my new bogus identifier, I marched over to Jyte.com and made a couple of claims: The Buck Stops Here and I Love Bess.

These claims didn’t generate much interest. Both visitors agreed that the buck stopped with Harry, but neither thought Harry loved Bess.

The real point has nothing to do with how much Harry Truman loved his wife. It just illustrates that, with current infrastructure at least, OpenID identifiers lack much market credibility. Neither MyOpenID.com nor Sxipper.com knew who I was when they issued me a personal identifier. At least OpenID.Sun.com validated that I held current valid Sun login credentials.

A relying party site would still need to independently validate my email address or my ability to pay for something. Perhaps this makes a good case that identity providers need to be enterprises where users have already established trusting relationships (e.g. banks, credit card companies, telephone service providers). They could actually vouch for commerce worthiness and actual identity.

They would probably even know that Harry Truman has been dead for 34 years.


 

7 Responses to “OpenID Credibility: Harry and Bess Truman”

    But Mark, OpenID makes no claim to verified identity – just that every time the same openID is used it’s the same person. Or something like that. But there’s no attempt to actually identify the person.

    Comment by Dave Kearns on June 12, 2007 at 10:03 pm

    Mark, you are completely missing the idea of user-centric identity and that the Sun OpenID system is overloading the identifier with a meaning that is specific to sun.com.

    Comment by Dick Hardt on June 12, 2007 at 11:02 pm

    Dave, Dick:

    Thanks for stopping by. I realize that OpenID doesn’t make a claim about verified Identity. That is my point.

    OpenID is useful for those types of interactions where the relying party doesn’t need to know who I am or if I have ability to pay. There are certainly several cases where that is completely valid.

    However, when financial transactions are involved, an Identity system that does make claim to verified Identity is essential – at least to the point that the “commercial worthiness” of the user can be established.

    It seems to me that as the value of online transactions increases, the level of trust between relying party and user must increase commensurately. An Identity system must accommodate that requirement for increased trust.

    I recognize that OpenID.sun.com has injected more meaning into their OpenID identifier. That may be pushing the envelope on what OpenID was originally intended to be used for. To that extent, maybe Sun’s most valuable contribution to the OpenID market is to stimulate discussion about the value of the entire OpenID system.

    Maybe Bank of America or Visa or AT&T should push the envelope further to issue validated identifiers in order to make OpenID commercially viable.

    Thanks for the dialog.

    Mark

    Comment by Mark Dixon on June 13, 2007 at 1:52 am

    There are likely hundreds of attributes about you that 3rd parties may be authoritative about you. The identifier should not have the attribute overloaded to represent the attribute. Instead, a SAML or similar assertion can be made about the identifier by the authority. The user proves they are an OpenID, and then provides a claim that the OpenID has a particular attribute.
    OpenID Attribute Exchange lays the foundation for doing this.

    Comment by Dick Hardt on June 13, 2007 at 6:03 am
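The pattern described in the comment above (prove control of the identifier, then present an authority's assertion about it), sketched from the relying party's side as an added example that is not from the original post or its commenters. The issuer name, key and identifiers are constructed, and an HMAC with a shared key stands in for the authority's signature; this is not the OpenID Attribute Exchange or SAML wire format.

```python
import hashlib
import hmac
import json

# Constructed sample registry: issuer name, key and attribute are hypothetical.
# HMAC with a per-issuer shared key stands in for the authority's signature.
TRUSTED_ISSUERS = {
    "bank.example": {"key": b"constructed-demo-key", "attributes": {"payment_verified"}},
}


def sign_assertion(issuer_key, claims):
    """Authority side: bind one attribute to one identifier and sign it."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def check_assertion(authenticated_id, assertion, wanted_attribute, now):
    """Relying-party side: accept the attribute only for the identifier that logged in."""
    try:
        claims = json.loads(assertion["payload"])
        issuer = TRUSTED_ISSUERS[claims["issuer"]]
    except (KeyError, ValueError, TypeError):
        return False, "unknown issuer or malformed assertion"
    expected = hmac.new(issuer["key"], assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(assertion.get("sig", "")).encode()):
        return False, "bad signature"
    if claims.get("subject") != authenticated_id:
        return False, "assertion is about a different identifier"
    if claims.get("attribute") != wanted_attribute or wanted_attribute not in issuer["attributes"]:
        return False, "attribute not vouched for by an authoritative issuer"
    if now >= claims.get("expires", 0):
        return False, "assertion expired"
    return True, "ok"


def demo():
    """Constructed run: the rightful holder, a borrowed assertion, a forgery, a stale one."""
    key = TRUSTED_ISSUERS["bank.example"]["key"]
    claims = {"issuer": "bank.example", "subject": "https://alice.op.example/",
              "attribute": "payment_verified", "expires": 2000}
    good = sign_assertion(key, claims)
    forged = dict(good, payload=good["payload"].replace("alice", "harry"))
    return {
        "owner": check_assertion("https://alice.op.example/", good, "payment_verified", 1000),
        "other_identifier": check_assertion("https://harry.op.example/", good, "payment_verified", 1000),
        "forged": check_assertion("https://harry.op.example/", forged, "payment_verified", 1000),
        "expired": check_assertion("https://alice.op.example/", good, "payment_verified", 3000),
    }
```

A self-issued identifier with no assertion attached never reaches the accepting branch, which is the gap between "same person as last time" and "verified attribute" that the thread is debating.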

    {well said dad, well said.}
    oh, and ps: i like green better too! thanks for the reassurance o’ color change! have a happy day!
    love you!
    oh, and pss: i really like that i have to do a simple math question to comment on your blog. it’s fun {except when i’m wrong}! ha! i want that on my blog!

    Comment by Anonymous on June 13, 2007 at 11:16 am

    psss: i just changed the green to pink & i like it even better! {of course, it’s pink!}

    Comment by ang on June 13, 2007 at 11:44 am

    Dick:

    Thanks for your insights and explanation of the role of OpenID Attribute Exchange.

    Do you have a public prototype, perhaps with Sxipper.com, where this OpenID Attribute Exchange is used to exchange identity attributes between an OP and RP?

    Thanks,

    Mark

    Comment by Mark Dixon on June 14, 2007 at 11:22 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.