OpenID Thoughts

Trust (using the word here in a broad, abstract way) has been one of the strongest reasons for OpenID adoption. The spec does not require OPs and RPs to get together and discuss key exchange, business value, liability issues, attribute data and so forth. OPs and RPs work independently of each other, and as long as they adhere to the core specification, things just work.

Trust has also been one of the most critiqued areas of OpenID. As an RP, why should I outsource my user authentication to someone I have never even interacted with? Call me crazy, but I don’t feel like accepting users from Iwillstealyourusers.com. There have been suggestions that it should be acceptable for low-value transactions. But then, there is no definition of a low-value transaction. And value, like beauty, lies in the eye of the beholder.

All that led to the discussion of an OpenID whitelist. One might argue that it’s against the spirit of OpenID: anyone should be allowed to run an OP without contacting all the RPs to be added to their whitelists. On the other hand, it gives a cozy feeling to the RPs to only have a handful of trusted OPs (which, by the way, there is no way to determine; but that’s a topic for some other day).

One of the ways the concept of a whitelist can manifest itself is for OPs to provide an ‘OP Button’ for the RPs. Yahoo did exactly that a couple of months ago. It’s good for the users since they don’t have to remember their OpenID URL, and the user experience is much better. Most of the RPs (at least the current crop) won’t mind accepting users from Yahoo. I figured sooner or later Google and Microsoft will join the OP list (along with AOL) and have their own set of buttons that RPs will happily accept; practicality will take over; the OpenID identifier as we know it today will go under the covers; the small OPs will cease to exist. We’ll all wait for a couple of years and then start over.

Except…ClickPass launched last week with its own button. There are still some discussions on the what and the why of ClickPass. But beyond that, it does paint the picture of what the future RPs might look like – a Nascar billboard (with buttons and branding from every OP)…or something like this building.

(image: dish)

This is where the discussions get into discovery, which is a really hard issue to address.

  • This is how social news sites address this: (image: social bookmarking)

  • This is how RSS Readers address this: (image: RSS)

  • This is how SAML addresses this: Okay…let’s not go there :-)

The common pattern – a Nascar billboard.

So… David and I spent some time talking about this. This is still a ‘thought in process’ but I wanted to write it down before I get heads down into the RSA preparations.

The requirements:

  • The user shouldn’t need to type the OpenID identifier.
  • There should be one OpenID button. Not two. Not three.
  • The RPs shouldn’t need to host the Nascar billboard (and hence add an icon every time a new OP comes on board).
  • The user should be in control of his identifier and who to share it with.

IMHO, this is how it should work from a user’s perspective:

  • I signup with any OP of my choice. Or setup my own OP.
  • I enter my identifier once. On a client side component. Either a browser extension/plugin or a desktop client.
  • I visit the RP and click on the single OP button. It invokes the client component and verifies whether I want to share my identifier.
  • On clicking okay, it redirects me to the OP and rest of the OpenID flow resumes.
  • If I don’t have the extension or haven’t picked an OP yet, it redirects me to a central (OIDF/Community hosted) Nascar page.
  • The central Nascar page should host the OPs logos/buttons. It should allow me to pick my OP and redirect me back to the RP.
  • Additionally, the central Nascar page should allow me to sign up with a listed OP (redirect); add the selected OP to my client component; and allow me to enter my own OP (text field).
  • No registration should be required by the Nascar page.
  • What should be done to be listed on the Nascar page? – Well… that’s where some of the existing work being done by SpreadOpenID, OpenIDDirectory and Nat comes into play.
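To make the flow above concrete, here is an added sketch (not code from the post, ClickPass, or any OpenID library) of the RP’s single-button handler and the client-side component as pure functions. The names `ClientComponent`, `chooseFlow` and the `NASCAR_PAGE` URL are assumptions; the point it shows is that the identifier is released only to an RP origin the user has approved, and that the Nascar fallback only ever returns to the RP’s own origin.

```javascript
// Constructed placeholder for the community-hosted Nascar page.
const NASCAR_PAGE = "https://nascar.example/choose";

// Model of the browser extension / desktop client holding the identifier
// (entered once) and the list of RPs the user has agreed to share it with.
class ClientComponent {
  constructor(identifier) {
    this.identifier = identifier;       // null until the user picks an OP
    this.approvedOrigins = new Set();   // per-RP consent, remembered
  }
  // Release the identifier only after the user approves this RP origin.
  release(rpOrigin, userAccepts) {
    if (this.approvedOrigins.has(rpOrigin)) return this.identifier;
    if (typeof userAccepts === "function" && userAccepts(rpOrigin)) {
      this.approvedOrigins.add(rpOrigin);
      return this.identifier;
    }
    return null;
  }
}

// The RP's handler for the single OpenID button. Returns what the RP does next:
//  - feed the released identifier into the normal OpenID discovery/redirect, or
//  - send the user to the central Nascar page with a return_to back to the RP.
// The return_to must stay on the RP's own origin so the Nascar page cannot be
// used as an open redirector.
function chooseFlow(client, rpOrigin, rpReturnTo, userAccepts) {
  if (!rpReturnTo.startsWith(rpOrigin + "/")) {
    throw new Error("return_to must be on the RP origin");
  }
  if (client && client.identifier) {
    const id = client.release(rpOrigin, userAccepts);
    if (id) return { action: "submit_identifier", identifier: id };
    return { action: "declined" };   // user said no: RP learns nothing
  }
  // No extension, or no OP picked yet: fall back to the Nascar page.
  const u = new URL(NASCAR_PAGE);
  u.searchParams.set("return_to", rpReturnTo);
  return { action: "redirect", url: u.toString() };
}
```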

Thoughts?

As I write this, I do notice the similarities with the CardSpace flow. Ergo…it will be interesting to see if MS (now a member of OIDF) adopts OpenID in the client.

12 Responses to “OpenID Thoughts”

  1. Peter Nixey says:

    Hi Ashish,

    I’m one of the founders of Clickpass. I’m also very interested to read your analysis. It was basically the same analysis that we made during the design.

    1. We wanted users to be able to use any OP but only have to click on a single button
    2. We wanted people to be able to use that service on any machine (mobile inc.)

    The second requirement meant that we couldn’t do a client-side solution. The combination of the two meant that users had to have an account with us that they could access on any machine.

    We initially built Clickpass to be an RP as well as an OP but the chain of authentications was so confusing that even Simon Willison got tripped up while trying it.

    We therefore ended up building a combination of two services 1. An OpenID name-server (sends the right OpenID to the right site – you can use any OpenID with Clickpass) and 2. An OpenID provider.

    We’ve tried to keep things as simple as possible and as true to OpenID as possible. We’re always open to suggestions on how to improve though – getting this space right for everyone is challenging but we think worth it.

    -Peter

  2. [...] Wow! about 5 minutes after initially posting this, I ran across this blog entry by Ashish Jain.  Great stuff and cuts to the heart of my point.  Also very troubling as Ashish is [...]

  3. Great post and nice feedback from Peter. I think I get what ClickPass is doing, but even as an advocate for where OpenID is heading, as a security geek, my concerns remain high. I have enough problems with OpenID security without it also becoming a “single click”. I know ease-of-use is a cornerstone of what we are all aiming for, but given the current state of OpenID insecurity, do we really want this level of complete transparency? I for one, know I do not.

    As implemented today I use OpenID to play around with different feature sets from the various OPs and then only at sites that if compromised, really wouldn’t impact me. Believe me, I want to use OpenID everywhere and for everything, but until implemented in a manner with real security, as a user, I’m staying on the sideline.

    Certainly, the “Nascar-ization” issue and some folks turning their credentials into OpenIDs, but not then accepting other OpenIDs are also a real kick in the shins of progress. I know that OpenID isn’t intended to be THE complete identity answer, but as I mentioned on my blog today before seeing this, we need something truly useful sooner than later. By truly useful, I mean something that hits on more of Kim Cameron’s 7 Laws than we’ve gotten today.

    On the sideline cheering, but contemplating where to get back in the game,
    - Hahleq

  4. Ashish Jain says:

    Peter,
    I get what you are doing and it’s definitely innovative. I just find it a bit hard to scale from an adoption perspective. Having a client side solution with a service in the cloud for syncing is probably another route to look at.
    - Ashish

  5. Ashish Jain says:

    Hahleq,
    Security and Convenience don’t go very well together. I would imagine that soon OpenID will come to a resting state where it finds the most adoption and then focus on that need.
    - Ashish

  6. Ryan Janssen says:

    Ashish, I just finished a 3 part blog post at http://drstarcat.com that ended with a discussion of the UI (http://drstarcat.com/archives/30). Very good questions you raise.

  7. Ashish Jain says:

    Ryan,
    The issues that you have raised in your referenced blog post are more around CardSpace. I agree with your perspective (listed my own at http://itickr.com/?p=82).
    However, I believe that the issues with CardSpace are mainly implementation specific. However, the issues around OpenID are more foundational.
    Thanks,
    - Ashish

  8. [...] have been quite a bit of talk about the current state of OpenID login screens that are becoming cluttered with [...]

  9. peter says:

    Could not leave OpenID authenticated comment. On SignOn.com, could not get UI to recognize my CardSpace card (on Vista Business SP1).

  11. [...] raised the issue of Nascarization more than an year ago . There should be one OpenID button. Not two. Not three. Else it’s not scalable for the [...]

  12. [...] an OpenID NASCAR (NASCAR) like this (courtesy of JanRain’s very cool [...]