The OpenID Era Opens

By Larry Seltzer  |  Posted 2007-02-20

Opinion: The industry is getting excited about this new identity standard, but it's evolving at a rapid rate before our eyes.

If you haven't used OpenID yet, you probably will soon. This new open standard for identity exchange on the Internet is picking up support from all over the place, and appears unstoppable in the blogosphere. AOL is the latest large company to announce support for OpenID, and it's a smart move for them, making your AOL login useful wherever you go. Before that we had Microsoft and Symantec announcing support.

Microsoft's support looks serious, especially inasmuch as its implementation is a good example of how to address security deficiencies in OpenID. And the deficiencies in the early versions of OpenID are serious.

OpenID is an identification system that allows anyone with a Web server to be an identity provider. The identities are URLs, like "". When logging a user in to a site, the RP (Relying Party) redirects the user and their OpenID URL to the site that provided it ( in the example). That site, the IP or Identity Provider (also known in some places as an OP, although I'm not sure why), authenticates the user and returns an authentication token to the RP. If the two have never communicated before, there are some additional communications at this point. Here is the official list of OpenID identity providers and here is a list of services that support OpenID.
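The redirect and token return described above, sketched as an added example that is not from the original article. Field names follow OpenID Authentication 1.1; the URLs, the association handle and the shared key are constructed values, and the "additional communications" that establish that key are replaced here by a preset secret.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode, urlsplit, parse_qsl

# Constructed sample values (assumptions, not from the article).
MAC_KEY = b"constructed-shared-secret"  # normally agreed during association
ASSOC_HANDLE = "assoc-1"
CLAIMED_ID = "https://alice.example/"
RETURN_TO = "https://rp.example/openid/return"
IDP_ENDPOINT = "https://idp.example/server"

def sign_fields(fields, signed):
    # Key-value form: one "key:value\n" line per signed field, in list order.
    text = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(MAC_KEY, text.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def rp_build_redirect():
    """RP side: send the browser to the IdP with the claimed identity."""
    q = {"openid.mode": "checkid_setup", "openid.identity": CLAIMED_ID,
         "openid.return_to": RETURN_TO, "openid.assoc_handle": ASSOC_HANDLE}
    return IDP_ENDPOINT + "?" + urlencode(q)

def idp_respond(redirect_url):
    """IdP side: after authenticating the user, return a signed assertion."""
    req = dict(parse_qsl(urlsplit(redirect_url).query))
    signed = ["mode", "identity", "return_to"]
    resp = {"openid.mode": "id_res", "openid.identity": req["openid.identity"],
            "openid.return_to": req["openid.return_to"],
            "openid.assoc_handle": req["openid.assoc_handle"],
            "openid.signed": ",".join(signed)}
    resp["openid.sig"] = sign_fields(resp, signed)
    return resp

def rp_verify(resp):
    """RP side: accept only an assertion for the identity it asked about."""
    if resp.get("openid.mode") != "id_res":
        return False
    if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False
    signed = resp.get("openid.signed", "").split(",")
    # Every field the RP relies on must be covered by the signature.
    if not {"identity", "return_to"} <= set(signed):
        return False
    if any("openid." + k not in resp for k in signed):
        return False
    if (resp["openid.identity"], resp["openid.return_to"]) != (CLAIMED_ID, RETURN_TO):
        return False
    expected = sign_fields(resp, signed).encode()
    return hmac.compare_digest(expected, resp.get("openid.sig", "").encode())
```

The RP rejects a response whose identity was changed after signing, and one whose `openid.signed` list leaves the identity out of the signature.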

The official announcement from Microsoft was joined by JanRain (a software company providing OpenID solutions, including popular libraries), Sxip (who has made contributions to the OpenID 2.0 specification to improve extensibility) and VeriSign, an early pioneer in OpenID and an identity provider themselves.

The companies announced their intention to collaborate on integrating OpenID into Windows CardSpace. CardSpace, like OpenID, is an identity metasystem based on SOAP (Simple Object Access Protocol, an XML-based standard for procedure calls), XML and Web service standards including WS-Security, WS-Trust, WS-MetadataExchange, and WS-SecurityPolicy. CardSpace also includes a GUI to allow users to choose among multiple identities, known as Information Cards.

The official announcement made several points:
  • OpenID will be extended to allow relying parties to request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognized the growth of the OpenID community and the important role played by that community in the development of an Internet identity infrastructure. Microsoft agreed to work with the OpenID community in this development and on authentication and anti-phishing.
  • JanRain, Sxip and VeriSign recognized that CardSpace provides significant anti-phishing, privacy and convenience benefits to users.
  • JanRain and Sxip will add support for the Information Cards to their OpenID code bases. This will bring the same support to blogs and other Web sites that use their popular libraries. Although, as the CEO of JanRain points out, they will not require such support from their users.
  • Microsoft plans to support OpenID in future Identity server products.
  • The four companies will work together to create a "Using Information Cards with OpenID" profile that will make it possible for other developers and service providers to take advantage of these technology advancements.


Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
