OpenID's growing pains

* OpenID shows much promise, despite growing pains

I’ve watched over the past couple of years as the OpenID community has grown – burgeoned, you might say. What started out as a way to keep comment spam and robots out of blogs and wikis now sports connections to Sun’s open source SAML implementation, OpenSSO, as well as to Microsoft’s CardSpace. From its beginnings as a “mere” authentication protocol, there’s also movement to make OpenID a full-fledged attribute exchange system. Unfortunately, with all of this growth there are still growing pains.

It’s been suggested that OpenID is susceptible to phishing attacks (also, see my blog entry of two years ago). Even more distressing, some think it’s also susceptible to man-in-the-middle attacks. These are troubling issues and they won’t go away until OpenID becomes more robust. But, to me, there are even bigger problems looming on the horizon.

Because OpenID arose from the blogging community (it was created by Brad Fitzpatrick, the founder of LiveJournal) it has created lots of interest in the social networking community. When Danah Boyd released a report last month about the issue of so-called “throwaway identities” (see my take) it launched a long, involved and passionate discussion among the OpenID advocates of the social networking community. What they were urging is that OpenID’s Attribute Exchange protocol be used to allow social networking users to port their “identity” data (including their blog posts, pictures, etc.) from one site to another. What they’d like to see is an OpenID version of the “ID Hub” proposed by Marc Cantor.

In a nutshell, these people want to enable someone to move all of their contact information from, say, Plaxo to, say, Orkut. Or LinkedIn to Friendster. And if I’m one of their contacts, then I’ll be spammed by the new service to join in. Or my contact information might be sold or rented out. Even if the new service has a policy which doesn’t allow this activity, in the constantly merging and acquiring world of the Web, who is to say what the policy might be tomorrow?

My contact information is part of my identity. You may know me, and that relationship is a part of both your identity and mine. But the contact information is definitely something which should be totally under my control, not yours. For example, I maintain multiple e-mail addresses, some of which are only given to my immediate family or very close friends. They are not meant to be shared beyond those I give them to. I want to keep it that way.

In addition, the data to be ported could easily include other identifying information about me – birthday, address, affiliations, etc. Kim Cameron’s first law of identity states: “Technical identity systems must only reveal information identifying a user with the user’s consent.” To the best of my knowledge, no one has ever disagreed with this. Now, it may not currently be possible to prevent someone from distributing my identity data (although Identity Rights Management does show promise), but those of us in the identity community who understand what the problem is shouldn’t be stepping up to aid and abet this law-defying activity. OpenID shows much promise; it shouldn’t founder on this ill-conceived idea.

Copyright © 2007 IDG Communications, Inc.