Wow, a year almost slipped by there. School and summer keeping me busy/lazy. I was reading about OpenID today and got excited. Email-based verification has lots of problems, and OpenID solves them well, opening up lots of exciting new possibilities.
Most web sites today use email addresses to verify identity, one identity per email address. To create an identity a user submits an email address; the site generates a special URL and emails it to the submitted address; the user retrieves the email, clicks through the URL, and the site enables the identity to log in with a username and password. This model made sense back in the days when spam was canned meat and email addresses were assigned by universities and employers. Today it’s got problems.
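As an added example (not code from the original post), here is one way a site could build the "special URL" step described above so that the token is unguessable, bound to one address, expiring, and single-use. The secret key, lifetime and in-memory used-token store are assumptions for the demo; a real site keeps the key out of source and the used-token set in its database.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo values: a real deployment loads the key from configuration
# and persists the used-nonce set alongside the pending account.
SECRET_KEY = b"demo-server-secret-not-for-production"
TOKEN_TTL = 24 * 3600          # verification links expire after one day
USED_NONCES: set = set()       # makes each link work exactly once


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, now: Optional[float] = None) -> str:
    """Build the token placed in the emailed URL: payload + HMAC over it."""
    issued = int(now if now is not None else time.time())
    nonce = _b64(secrets.token_bytes(16))          # random, so not guessable
    payload = f"{email}|{issued}|{nonce}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified address, or None if the token is forged, expired or reused."""
    now = now if now is not None else time.time()
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None                                 # malformed input
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time compare
        return None                                 # tampered or forged
    email, issued, nonce = payload.decode().rsplit("|", 2)
    if now - int(issued) > TOKEN_TTL:
        return None                                 # too old
    if nonce in USED_NONCES:
        return None                                 # link already clicked
    USED_NONCES.add(nonce)
    return email
```

The site emails `https://example.invalid/verify?t=<token>` and, when the link is clicked, calls `verify_token` and enables the account only on a non-`None` result. The HMAC means the address in the link cannot be swapped for someone else's, and the nonce set means a leaked or forwarded link cannot be reused once the rightful recipient has clicked it.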
These days I don’t want to give my ‘main’ email address to just anyone. Who knows where it’ll end up and what torrents of junk I will receive as a result. So I, like many people, use an assortment of techniques to avoid this possibility: disposable e-mail accounts, spare accounts, web mail, temporary e-mail forwards, bugmenot, etc, etc. The result is a set of security and social repercussions that show up almost everywhere.
The security problem is simply that of too many passwords. I’ve got all these separate low-priority identities to maintain, so I tend to use the same passwords a lot. Password recovery is to be avoided because I probably used who-knows-what email address (to which I may no longer have access) when originally verifying. If one evil site owner ran a spider trying their site’s username/password combinations on lots of other sites, you know they’d get an awful lot of successful hits. OpenID fixes this. With OpenID you only have one password (or possibly none) and site owners never get to know it. More on this in a second.
Socially, the result of email-based identity is that one’s history becomes the only source of trust. Since there is no shortage of email addresses, it’s a given that anyone can create a new identity anytime. Users are only motivated to behave because otherwise they’ll have to burn their trust creating a new identity. Slashdot and many forums work like this. Behaving over the long term increases your credibility, so you behave. Some sites (Metafilter) amplify the effect further by limiting the number of accounts available. Behave, no new people allowed.
One positive side of the email-based model is that it makes it easy to maintain lots of separate identities. I can be cranky on Slashdot but sweet on Metafilter. But OpenID makes maintaining multiple identities even easier, makes the effects of user history stronger, and solves the security problem too.
I’m not going to describe OpenID step-by-step; Wikipedia does a better job than I could. I want to discuss some of the ramifications.
With the email-based model, your identity resides on each website itself. With OpenID your identity resides on another server (called an identity provider) of your choice. The security problem is solved because any passwords involved are stored only by the identity provider. Mister evil site owner never gets his hands on anything useful, password or email address. I can sign up anywhere without fear.
To use OpenID one must choose a provider to host an identity. The provider might require an email address, password, etc, but it doesn’t have to require anything at all. If a provider wants, it can generate identities automatically, anonymously, ready for disposal. As long as the identity provider I use always answers thumbs-up, I can create separate identities as easily as dreaming up new names for them. Since running an identity provider is easy (the software is open source), I’m sure people will be setting up servers to do exactly this kind of thing.
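The two preceding paragraphs describe the split that makes this work: the password lives only at the identity provider, and the web site (the relying party) only needs to check the provider’s signed “thumbs-up”. The sketch below, added here and not taken from the post or from any OpenID library, models that exchange in miniature. The message layout and the HMAC-SHA256 signing are simplifications of what the real protocol sends; the names `IdentityProvider`, `RelyingParty`, `associate` and `authenticate` are this example’s own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def sign(key: bytes, fields: Dict[str, str]) -> str:
    """HMAC over a canonical key=value listing, so field order cannot matter."""
    canon = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Hosts identities. This is the only place a password is ever checked."""

    def __init__(self) -> None:
        self.associations: Dict[str, bytes] = {}  # assoc handle -> shared key
        self.users: Dict[str, bytes] = {}         # identity URL -> salt + hash

    def register(self, identity: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[identity] = salt + digest

    def associate(self) -> Tuple[str, bytes]:
        """A relying party and the provider agree on a shared signing key."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def authenticate(self, identity: str, password: str, handle: str,
                     return_to: str) -> Optional[Dict[str, str]]:
        """The user logs in here; on success the provider signs an assertion."""
        stored = self.users.get(identity)
        key = self.associations.get(handle)
        if stored is None or key is None:
            return None
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        fields = {
            "identity": identity,
            "return_to": return_to,           # which site this answer is for
            "assoc_handle": handle,
            "nonce": f"{int(time.time())}-{secrets.token_hex(8)}",
        }
        fields["sig"] = sign(key, fields)
        return fields


class RelyingParty:
    """The web site. Holds the shared key, never any user password."""

    def __init__(self, provider: IdentityProvider, return_to: str) -> None:
        self.return_to = return_to
        self.handle, self.key = provider.associate()
        self.seen_nonces: set = set()  # replay protection; persist this for real

    def verify(self, fields: Dict[str, str]) -> Optional[str]:
        """Return the asserted identity URL, or None if the assertion is rejected."""
        sig = fields.get("sig")
        if sig is None or fields.get("assoc_handle") != self.handle:
            return None
        if fields.get("return_to") != self.return_to:
            return None                       # issued for some other site
        unsigned = {k: v for k, v in fields.items() if k != "sig"}
        if not hmac.compare_digest(sig, sign(self.key, unsigned)):
            return None                       # any field was altered in transit
        nonce = fields.get("nonce", "")
        if nonce in self.seen_nonces:
            return None                       # same assertion presented twice
        self.seen_nonces.add(nonce)
        return fields["identity"]
```

The checks in `verify` are the ones that matter for the site: the signature stops anyone from rewriting the identity field, `return_to` stops an assertion meant for one site being replayed at another, and the nonce set stops the same assertion being presented twice. Nothing in `RelyingParty` ever touches a password, which is exactly why an evil site owner learns nothing useful.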
There are advantages however to using a single identity on many sites. Snooty sites can restrict themselves to users who have proved themselves elsewhere. Users are even more likely to behave because they have even more invested in a single identity.
The only problem I can see is in the choice of identity providers for non-disposable identities. OpenID is clever, it isn’t broken by bankrupt or rogue providers, but it would still be a pain in the butt if my main identity disappeared. I could probably trust some non-profit ICANN-ish agency, however. Running a provider isn’t that much different than running the DNS system, and that has been surprisingly stable forever.
No more giving out spam targets and insecure passwords is awesome, but even better, OpenID offers an unprecedented way to tie the blogosphere together like a single forum. It offers bigger, better social networking while at the same time making anonymous trolling easier than ever. Peer-to-peer trust network nirvana awaits.
[…] think it boils down to metaphor. When I first wrote about OpenID I was thinking about identities hosted by a few trusted providers. OpenID grew from a desire to cut […]