News

OpenID Updates Identity Spec

OpenID system is top contender in online ID-management frameworks.

The OpenID Foundation is set to release the final specification for version 2.0 of its free framework for user-centric digital identity. OpenID is a lightweight, decentralized system designed to take advantage of existing Internet protocols and specs -- such as URI, HTTP, SSL and Diffie-Hellman -- to build identity across domains.

Developed originally by Brad Fitzpatrick, creator of the LiveJournal virtual community, OpenID has emerged as a leading contender for the ID framework crown. Industry analysts at Gartner Inc. have included it in a short list of technologies it calls "personal identity frameworks" (PIFs). That category also includes Microsoft's CardSpace and the Eclipse Foundation's Higgins Trust Framework -- all systems for authentication, reduced sign-on, and registration, explains Gartner research director Gregg Kreizman.

"Right now, OpenID is essentially a framework for passing ID attributes to abstract your identity, and multiple forms or personas of your identity, for use in different contexts," Kreizman says.

OpenID has some momentum, Kreizman says, but security issues are slowing adoption. "Today, it's phishable," he says. "You don't see it in financial institutions, health care or government to any significant degree."

But Microsoft chairman Bill Gates gave OpenID some juice when he announced in February that Microsoft would be working with the project leaders -- JanRain Inc., Sxip Identity Corp. and VeriSign Inc. -- to integrate it with CardSpace.

"Microsoft is interested in OpenID for a number of reasons," says Neil Macehiter, principle analyst at UK-based Macehiter Ward-Dutton. "In a nutshell, the collaboration focuses on harnessing the benefits of both technologies, allowing individuals to control their own identity through the use of OpenID, while exploiting the anti-phishing benefits of the CardSpace identity selector technology."

Picking up Speed
Windows CardSpace is an implementation of Microsoft's vision of an "identity metasystem" -- essentially, a configuration of systems designed to simplify the unavoidable challenge of managing multiple digital IDs. CardSpace (formerly "InfoCard") is authentication technology that employs cryptography and a tight integration with Windows to deliver "verifiable claims" that identify a user. CardSpace is part of the .NET Framework, so it's embedded in Vista. XP users can add it via a service pack.

"With Microsoft onboard, you're going to see adoption picking up speed," predicts Larry Drebes, founder and VP of engineering at Portland, Ore.-based JanRain. Drebes' company has been something of a driving force behind the OpenID spec. To date, JanRain has developed the libraries and tools deployed by 90 percent of the OpenID ecosystem.

"When we started this company three years ago, it was us and Brad [Fitzpatrick] working on OpenID," Drebes says. "Today there are 150 million enabled OpenID users, and more than 8,000 Web sites accepting OpenID. And the number of Web sites accepting OpenID is growing 5 percent week to week. So, we're getting there." Drebes' numbers are based on the Web logs of the JanRain provider site.

Drebes points out that Apple Inc. is shipping OpenID with its new Leopard operating system, and AOL LLC, Sun Microsystems Inc. and French telco Orange are supporting it. Rumors have been circulating that one or more of the leading search engine providers are poised to become OpenID providers. Drebes wouldn't confirm or deny those rumors.

"For consuming new and low-risk services, there's some momentum there," says Kreizman. "But for the next year or so, you're going to see OpenID offered as an alternative to existing registration systems. And CardSpace will creep into the enterprise because it's a client component of Vista, and Microsoft-centric shops will want to offer that as a mechanism to authenticate. But try to find a bank, a health-care provider or an insurance company accepting it on their site. It's still early days."

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.  He can be reached at [email protected].

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube