OpenID: Beware Greeks Bearing Gifts

When I first heard of OpenID I thought it was a wonderful idea.  As I read more about OpenID that fervor was exhausted and I became a bit worried.

Let me defer to Wikipedia for a quick explanation of OpenID:

"OpenID is an open, decentralized standard for authenticating users which can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body. OpenID replaces the common login process that uses a login-name and a password, by allowing a user to log in once and gain access to the resources of multiple software systems." [http://en.wikipedia.org/wiki/OpenID]

OpenID is great for small-time sites (like this one) which don't provide encrypted communication, yet still wish to protect their users. If someone signs in with their OpenID, their password is transmitted over SSL to the OpenID provider's website, not to the small site. But I left a hyperlink in the excerpt for a reason. A digital identity is scary. Bridging two services (websites) together under one OpenID could mean all activity on both sites becomes one. And although this may sound exciting when you realize all your Facebook friends will automatically know when you blog, it becomes dangerous when you consider the inescapable presence you create.

Read Dr. Nic's outlook on the future: http://drnicwilliams.com/2007/07/20/one-app-one-user-account-and-multiple-openids/

If you imagine the internet as one great jumble of services waiting to collaborate with each other then OpenID is for you. If you imagine the internet as the perfect democracy where anyone can post their opinion without being subjected to stereotypes then OpenID should be kept on a short leash.

A possible work-around: When an OpenID is created, the provider gives the user an effectively infinite supply of hashes. Those hashes, which can be generated on the fly, are then used to associate each service with the OpenID, one hash per service. Thus, there can be no correlation between services without information from the OpenID provider. Combine this with OpenID's decentralized standard (which allows you to be your own provider) and the problem is almost solved. However, you have just created a trail of activity at the provider which, although not available to the public, still exists.
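One way to realize the per-service hashes described above, as an added example that is not from the original post: the provider derives a separate identifier for each relying party with a keyed hash (HMAC-SHA256 over the account name and the site's realm, keyed with a provider secret). The provider name, secret and site realms are constructed for the demo. Two sites comparing the identifiers they received cannot link them, but the key holder can recompute every one of them, which is the "trail" the post warns about.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed sample data for a hypothetical OpenID provider.
PROVIDER_SECRET = b"provider-secret-key-constructed-for-demo"
USER_ID = "alice"  # the provider's internal account name
RELYING_PARTIES = ("blog.example", "social.example")


def pairwise_identifier(secret: bytes, user_id: str, relying_party: str) -> str:
    """Derive the per-service identifier the provider hands to one relying party.

    HMAC-SHA256 over (user id, realm), keyed with the provider secret.  Without
    the secret a site can neither recover the user id nor recompute the
    identifier the same user was given at any other site.
    """
    msg = user_id.encode() + b"\x00" + relying_party.lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sites_can_link(id_a: str, id_b: str) -> bool:
    """All two colluding sites can do without the provider: compare the
    opaque strings each of them received."""
    return hmac.compare_digest(id_a, id_b)


def provider_can_link(secret: bytes, user_id: str, observed: Dict[str, str]) -> Dict[str, bool]:
    """The provider's side of the trail: given the identifier seen at each
    site, the key holder recomputes it and attributes it to the account."""
    return {
        rp: hmac.compare_digest(pairwise_identifier(secret, user_id, rp), seen)
        for rp, seen in observed.items()
    }


def demo() -> Tuple[bool, bool, bool]:
    """Returns (stable per site, linkable by the sites, linkable by the provider)."""
    seen = {rp: pairwise_identifier(PROVIDER_SECRET, USER_ID, rp) for rp in RELYING_PARTIES}
    stable = seen["blog.example"] == pairwise_identifier(PROVIDER_SECRET, USER_ID, "blog.example")
    by_sites = sites_can_link(seen["blog.example"], seen["social.example"])
    by_provider = all(provider_can_link(PROVIDER_SECRET, USER_ID, seen).values())
    return stable, by_sites, by_provider


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```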

Or you could manage multiple OpenIDs. (recommended)

In closing, OpenID can be great for those wanting to build a professional identity by creating a professional face (read: persona) through an OpenID. It can also be great for small websites not wanting to manage a login process. However, I am still worried for those not savvy enough to realize what type of Trojan horse an OpenID could become.