The case for OpenID

[Ed. We have recently seen a rise in interest in several new identity technologies. These technologies arise from a different set of missions than traditional enterprise focused, domain-centric identity management systems. This article, written by Netmesh's Johannes Ernst and VeriSign's David Recordon explores the "why" of one of these technologies - OpenID.]

Many digital identity technologies exist already; why does the world need OpenID?
Its ever-growing ranks of supporters prefer OpenID because it is fundamentally different from other identity technologies in at least two ways:

  • OpenID is a fully decentralized system.
  • OpenID has a much lighter cost structure than any alternative.

While other OpenID characteristics – like its use of addresses (URLs and i-names), its affinity to blogging and the pervasive availability of Open Source code supporting it – may be more apparent in the market today, it is OpenID's decentralized nature and cost advantage that provide its unique benefits. These benefits cannot be matched simply by retrofitting URLs on top of other identity systems, or by releasing more Open Source code for them.

Of course, as OpenID grows to cover additional use cases from its admittedly minimalistic beginnings, its cost of ownership will necessarily grow, and some companies will choose to deploy it in a more centralized fashion. However, as technology history has amply shown, just as it is always possible to re-centralize a decentralized system and never the reverse, it is always possible to add cost to a system, but exceedingly hard to remove it from a system that was not built in an extremely light-weight way from the very beginning. That puts OpenID in a unique position among identity technologies.

How is OpenID fully decentralized? It is decentralized on many more levels of the stack than other identity technologies are:

  • Users can host their own identity on any server they choose, without having to ask anybody for permission or approval; they can also choose to have it hosted by one of the increasingly many OpenID hosting services.
  • Service providers can choose from a variety of software implementations from a variety of vendors and Open Source projects.
  • As Brad Fitzpatrick (Chief Architect of Six Apart, Ltd.) put it, "OpenID does not crumble if any one company turns evil or goes out of business."
  • The OpenID specifications are developed in an unencumbered, meritocratic process that is open to participation by anyone who shows up.
  • Anybody can use their own technical innovations within the OpenID framework, even if they replicate, or compete, with the OpenID specifications themselves.

This last point is worth repeating: if tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation.

How is OpenID's cost structure fundamentally lower? Consider the parallel with the cost structure of the web compared to the cost structure of predecessor client-server technologies. One can say that earlier client-server technologies could do everything that the web could do; in fact, they could do many things much better. They lost out against the web because the total cost of creating and operating a website was dramatically lower than the cost of building and operating a client-server application; and even more importantly, the cost of getting access to and using a web application was much lower than for a client-server application.

The fact that the first versions of HTML were a "toy" (compared to fully-featured alternatives such as SGML) was of no consequence; missing features got added over time, just as OpenID will keep adding features and grow to the same level as, or higher than, other identity systems, but from a much lower cost base. This is also why, unlike other identity technologies, OpenID is rapidly being adopted on the open Internet: Internet-scale adoption requires the twin properties of Internet-scale decentralization and Internet-scale cost structures, which other identity technologies do not have.

As OpenID marches on, we expect many of its benefits to accrue to:

  • Internet users, who are gaining the ability to control their identity information on-line, through the services of a vendor that they trust (or, if they are technically inclined, by building their own); further:
    • users are more secure, e.g. the phishing attack surface is reduced;
    • their on-line experience is more convenient, e.g. fewer user names and passwords to remember;
    • their on-line experience is more personal, e.g. because sites can more easily take advantage of identity information shared by the user with the site.
  • E-commerce and other website operators, who have the opportunity to serve their customers and visitors better, because:
    • they can simplify user registration, currently a major obstacle for customer acquisition;
    • it allows them – with full approval of the user – to learn more about their visitors, and thus target their offerings better;
    • they can reduce the attack surface for identity theft, because identity information that can be retrieved on demand through OpenID does not need to be stored by the site, and thus cannot be lost or stolen (e.g. backup tapes from a car).
  • Entrepreneurs and intrapreneurs, for whom OpenID provides a fertile ground for innovation, such as:
    • reputation services, which help both end users and site operators and represent a major business opportunity in itself;
    • open social networks that are not confined to a single vendor's site;
    • more secure, efficient and accountable messaging systems that one day could replace the protocols that e-mail runs on.

Some have told us they consider the OpenID community to lack a clear process or structure, to not solve the "real" problems in identity (yet?), or to be only applicable to low-end problems. They are probably right; however, we think of it as the early days of Internet-scale innovation in action, where these characteristics are desirable, not detrimental. The arguments are the same that were made against the Web in its early days, and the problems either were fixed or turned out not to be problems at all. There is no reason to believe it should be different for OpenID.

Full decentralization and a very light-weight cost structure directly attract and catalyze innovation unlike any other approach. In the end, that is why you should pay attention to OpenID.