OpenID Updates Identity Spec
OpenID system is top contender in online ID-management frameworks.
The OpenID Foundation is set to release the final specification for version 2.0 of its free framework for user-centric digital identity. OpenID is a lightweight, decentralized system designed to take advantage of existing Internet protocols and specs -- such as URI, HTTP, SSL and Diffie-Hellman -- to build identity across domains.
Developed originally by Brad Fitzpatrick, creator of the LiveJournal virtual community, OpenID has emerged as a leading contender for the ID framework crown. Industry analysts at Gartner Inc. have included it in a short list of technologies the firm calls "personal identity frameworks" (PIFs). That category also includes Microsoft's CardSpace and the Eclipse Foundation's Higgins Trust Framework -- all systems for authentication, reduced sign-on, and registration, explains Gartner research director Gregg Kreizman.
"Right now, OpenID is essentially a framework for passing ID attributes to abstract your identity, and multiple forms or personas of your identity, for use in different contexts," Kreizman says.
OpenID has some momentum, Kreizman says, but security issues are slowing adoption. "Today, it's phishable," he says. "You don't see it in financial institutions, health care or government to any significant degree."
But Microsoft chairman Bill Gates gave OpenID some juice when he announced in February that Microsoft would be working with the project leaders -- JanRain Inc., Sxip Identity Corp. and VeriSign Inc. -- to integrate it with CardSpace.
"Microsoft is interested in OpenID for a number of reasons," says Neil Macehiter, principal analyst at UK-based Macehiter Ward-Dutton. "In a nutshell, the collaboration focuses on harnessing the benefits of both technologies, allowing individuals to control their own identity through the use of OpenID, while exploiting the anti-phishing benefits of the CardSpace identity selector technology."
Picking up Speed
Windows CardSpace is an implementation of Microsoft's vision of an "identity metasystem" -- essentially, a configuration of systems designed to simplify the unavoidable challenge of managing multiple digital IDs. CardSpace (formerly "InfoCard") is authentication technology that employs cryptography and a tight integration with Windows to deliver "verifiable claims" that identify a user. CardSpace is part of the .NET Framework, so it's embedded in Vista. XP users can add it via a service pack.
"With Microsoft onboard, you're going to see adoption picking up speed," predicts Larry Drebes, founder and VP of engineering at Portland, Ore.-based JanRain. Drebes' company has been something of a driving force behind the OpenID spec. To date, JanRain has developed the libraries and tools deployed by 90 percent of the OpenID ecosystem.
"When we started this company three years ago, it was us and Brad [Fitzpatrick] working on OpenID," Drebes says. "Today there are 150 million enabled OpenID users, and more than 8,000 Web sites accepting OpenID. And the number of Web sites accepting OpenID is growing 5 percent week to week. So, we're getting there." Drebes' numbers are based on the Web logs of the JanRain provider site.
Drebes points out that Apple Inc. is shipping OpenID with its new Leopard operating system, and AOL LLC, Sun Microsystems Inc. and French telco Orange are supporting it. Rumors have been circulating that one or more of the leading search engine providers are poised to become OpenID providers. Drebes wouldn't confirm or deny those rumors.
"For consuming new and low-risk services, there's some momentum there," says Kreizman. "But for the next year or so, you're going to see OpenID offered as an alternative to existing registration systems. And CardSpace will creep into the enterprise because it's a client component of Vista, and Microsoft-centric shops will want to offer that as a mechanism to authenticate. But try to find a bank, a health-care provider or an insurance company accepting it on their site. It's still early days."