
Péter Gyöngyösi - software developer
It did not make it into the headlines anywhere but on hardcore tech portals, even though it's a huge step: Microsoft, IBM, Google and Yahoo teamed up to support the OpenID initiative.
So what is OpenID? It's basically a simple single sign-on system that lets you log in to separate websites through one central account -- much like a Google account or Microsoft Passport. Of course it takes some serious technical tricks to make it scale to serve millions of sites, but that's not what makes it interesting: what matters is what it enables us to do.
The most entertaining way to learn more about the philosophy behind this concept is Dick Hardt's great OSCON 2005 keynote. The main point of the whole Identity 2.0 idea comes straight from the Web 2.0 "revolution". As more and more of the content on the web comes from the contributions of users, so grows the need to know exactly who it was that wrote this or rated that. Sites have already solved the issue on their own: we have the feedback system on eBay, we have karma on Slashdot and we have Facebook. The core of the Identity 2.0 utopia is to connect these pieces of information about a user's history and reputation, and OpenID is the first building block of it.
To realize its importance from the security point of view, we have to notice one fundamental fact: allowing a user to modify our content does not mean that we fully trust that user. A malicious user can cause harm in a technically perfect system: the vandals at Wikipedia or the agents busy rating down the competition at Amazon have probably never heard of fancy things like XSS or SQL injection, and yet they still manage to cause serious headaches for those operating these sites.
An account at a single web-based service is not worth much: unless you're a diehard member of the community (which means only a handful of users), it does not say much about you, and getting banned is just a minor inconvenience. Connecting the identities, however, creates a totally different situation: you can expect more, and you are able to demand more responsible behavior from users. You can trust respected members of other communities, you can vouch to others that someone is a great guy, and you can be cautious with someone that no one has ever heard of.
It's somewhat similar to the situation when a bank asks for the utility bills of the last few months when deciding whether to grant you a loan. They're not interested in your water consumption: they're interested in whether you're an accepted and respected member of the economy, and they are asking the other members of the market about that. If OpenID gains wide acceptance, we'll all have the choice to either remain conveniently anonymous, accepting the distrust that a stranger always has to face, or show our online identity and prove that our opinion matters and that our actions pose no danger. And that will be the greatest change in the history of web services.
1 comment:
By the way, the best way to protect someone from surveillance is to use cellular signal jammers