The OpenID Era Opens

Opinion: The industry is getting excited about this new identity standard, but it's evolving at a rapid rate before our eyes.

If you havent used OpenID yet you probably will soon. This new open standard for identity exchange on the Internet is picking up support from all over the place, and appears unstoppable in the blogosphere.

AOL is the latest large company to announce support for OpenID, and its a smart move for them, making your AOL login useful wherever you go. Before that we had Microsoft and Symantec announcing support.

Microsofts support looks serious, especially in as much as its implementation is a good example of how to address security deficiencies in OpenID. And the deficiencies in the early versions of OpenID are serious.


OpenID is an identification system that allows anyone with a Web server to be an identity provider. The identities are URLs, like "" When logging a user in a site, the RP (Relying Party) redirects the user and their openid URL to the site that provided it ( in the example). That site, the IP or Identity Provider (also known some places as an OP, although Im not sure why), authenticates the user and returns an authentication token to the RP. If the two have never communicated before, there are some additional communications at this point. Here is the official list of OpenID identity providers and here is a list of services that support OpenID.

The official announcement from Microsoft was joined by JanRain (a software company providing OpenID solutions, including popular libraries), Sxip (who has made contributions to the OpenID 2.0 specification to improve extensibility) and VeriSign, an early pioneer in OpenID and an identity provider themselves.

The companies announced their intention to collaborate on integrating OpenID into Windows CardSpace. CardSpace, like OpenID, is an identity metasystem based on SOAP (Simple Object Access Protocol, an XML-based standard for procedure calls), XML and Web service standards including WS-Security, WS-Trust, WS-MetadataExchange, and WS-SecurityPolicy. CardSpace also includes a GUI to allow users to choose among multiple identities, known as Information Cards.

The official announcement made several points:

  • OpenID will be extended to allow relying parties to request and be informed of the use of phishing-resistant credentials.
  • Microsoft recognized the growth of the OpenID community and the important role played by that community in the development of an Internet identity infrastructure. Microsoft agreed to work with the OpenID community in this development and on authentication and anti-phishing.
  • JanRain, Sxip and VeriSign recognized that CardSpace provides significant anti-phishing, privacy and convenience benefits to users.
  • JanRain and Sxip will add support for the Information Cards to their OpenID code bases. This will bring the same support to blogs and other Web sites that use their popular libraries. Although, as the CEO of JanRain points out, they will not require such support from their users.
  • Microsoft plans to support OpenID in future Identity server products.
  • The four companies will work together to create a "Using Information Cards with OpenID" profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

Next page: Authentication vs. Trust