Sunday, February 25, 2007


OpenID is a new way of authenticating yourself on the net. "[It's] an open, decentralized, free framework for user-centric digital identity." ( It's very simple and seems to me to be very versatile although the descriptions of it leave a little to be desired. I've had a close look at it and I like it, so here's my interpretation of OpenID.

One Username for all

The idea is that you create a unique id that you register somewhere with a password. Then you use your unique id and password at all the sites you visit. One id, one password, very simple. Sounds very much like the derided Microsoft Passport, right? Well, the basics are there but OpenID is so very much more versatile and not in the control of one single corporation.

One way of creating a unique id is to use a URL that you can prove you are the owner of. You register a name and password at any OpenID server, you can have your own on your own server if you want. You get back a URL that you can use to sign in to OpenID enabled sites. Mine is When I give that name to a site, it contacts the OpenID server at the URL given and the OpenID server asks me for my password.

Ok, so far, neat but not earth shattering, it's still very much like MS Passport.


The OpenID server tells me which site wants me to login (well, that's obvious) and also about the fields of information that the site is asking for. It allows me to create a new persona showing optional and required fields that the site is asking for or to use an existing persona. I can then opt to allow the login and give the credentials once, or always.

One Password Site

From a security point of view, my password goes to the server site, not the site I am logging in to. One nice thing about this is that the server does not always require my password because once I have signed into the OpenID server site, the server knows who I am, it just asks which persona I want to use. also keeps track of sites that have asked for my credentials but there are anonymous servers around too, one where you can just make up an OpenID URL and start using it.

Ok, pretty neat now, but what if I want to change my OpenID server or it goes belly up, do I have to re-register with all the sites I want to use? Well, no, because I don't have to use the server's URL for my identity I can use one that I will always have e.g. one from my own domain and redirect that page to the OpenID server of my choosing.

I have set up a page on my site to use as my OpenID URL, it is at This page contains:
<html xmlns="">

<link rel="openid.server"
<link rel="openid.delegate"

What it does is redirect the request from the site you want to log into, to the real OpenID server. This allows mt to have a permanent OpenID URL entirely under my control and I can change the server whenever I like. The sites I log in to will know me by my URL.

Neato or what?


There are only a handful of sites using OpenID so far but Digg are planning to use it, Microsoft and AOL are involved, this could be big.

There are already many software libraries to make it easy to use OpenID for your sites.

Public OpenID servers offer different service extras, you can shop around.


Dean Collins said...

I dont get it, I've read sevaral sites about how the process works (hmm lots of gee wizz while short on details).

But basically the flaw I see is once a 'bad site' is set up and you sign in using open id this persona can now rip off your details and log in at all other open id sites using your details.

Am I missing something?

If so I'd really like to know about it.


John Redmond said...

No way I'm going to trust my ID to a system that I don't really understand (I understand the concepts, I don't understand the schemes proposed for how they are going to foil man-in-the-middle phishing).

My solution is to have one simple U/N and P/W combination for most logins and various other safe/secure logins for the bank and credit cards. I store it all on a USB thumb drive.


Special K said...

You're not trusting your security to an unknown system nor can a "bad site" rip off your details. I had better do a clearer explanation in the blog entry.

Meanwhile I'll answer both points here:

Bad Site
The sites you log into do not get details that they can rip off. They only get your unique ID (your OpenID) and any further details that you want to give them (as in the picture in the blog entry). The site does not get your password since you enter that directly to your chosen OpenID server. All you are doing is identifying yourself to that site. The bad site can do nothing with any other site using your details. If they quote your OpenID to another site then your OpenID server will ask them for a password, which they don't know.

Now, of course, the OpenID site might be bad and then, yes they could use your credentials to gain access to sites that you login to. The way around that is to run your own OpenID server. I think that that is where the weakness lies.

Man in the middle fishing
I am not too sure how this would work because you give the OpenID URL to the site where you want to log in. That site contacts the OpenID server directly which talks to you through your browser. Hmmm, I'd better see how the redirection is done to see if the login site can do some phishing. More later...