News

Key Rivals Sign in to OpenID

OpenID gets big-name support from Microsoft, Google, IBM and others.

• By Jeffrey Schwartz
• 03/15/2008

Recent moves by Google Inc., Microsoft, IBM Corp., VeriSign Inc. and Yahoo! Inc. to join the OpenID Foundation's board suggest cooperation by key rivals to further the standard for one-click access to Web sites. It remains to be seen, however, whether enterprises adopt the OpenID standard for federated identity management.

OpenID allows individuals to create one username, password and other credentials for logging on to multiple Web sites that support the spec.

"It's a really easy way for users to be able to secure their identities," says Scott Kveton, VP of open platforms at Tulsa, Okla.-based Vidoop LLC, a supplier of multi-factor security software.

Kveton, who is chairman of the OpenID community board, believes corporate developers can also incorporate the spec into their apps. "When you think of OpenID, it's a very open, public-facing kind of technology, but you can also run an OpenID provider for use inside of your firewall," he says.

OpenID implementations are available in multiple programming languages and environments, including Java, .NET, Python and PHP, he adds.

Waiting for .NET 3.0
Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie first announced support for the spec exactly a year ago at the 2007 RSA security conference. At that event, Microsoft, JanRain Inc., Sxip Identity Corp. and VeriSign publicly stated plans to work together to provide interoperability between OpenID and Windows CardSpace.

The problem is that such an implementation will presume developers are working with the .NET 3.0 Framework, which for now is only a small percentage of the overall Windows developer community, says Jeff McManus, principal of San Francisco consulting firm Platform Associates LLC.

"It seems like a pity it would require someone to have to wait a year or two until an organization adopts a later version of the .NET stack to be able to adopt OpenID," McManus says. However, he points out that there are some third-party tools that allow developers to use older versions of the .NET stack. One was updated last month by ExtremeSwank.

CardSpace Collaboration
Kim Cameron, Microsoft's chief identity officer, points out that Microsoft had announced support for OpenID through CardSpace, which isn't available through earlier versions of .NET. In an e-mail, he says Microsoft has worked closely with supporters of OpenID to create the OpenID Provider Authentication Policy Extension (PAPE).

"That enables OpenID -- relying parties to request that phishing -- resistant authentication be used by the OpenID provider," Cameron says.

OpenID provider services like MyOpenID.com from JanRain, SignOn.com from Ping Identity Corp., PIP from VeriSign and LinkSafe.name from LinkSafe LLC have implemented PAPE, which lets their users sign in to their OpenIDs with Windows CardSpace rather than passwords, Cameron adds.

"Thus, people can now log in to their OpenID providers with Information Cards, which are not phishable, instead of passwords, which are," he says.