Tuesday, February 19, 2008

More Reading on Identity Management

The following is actually two articles, but both provide excellent points on the good and bad of both OpenID and LiveId (Microsoft) technologies.

IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer Annotated

tags: identity

  • Classic PKI (digital certificates) are a good example of third-party identities that you can inspect and choose to trust or not. But client-side digital certificates have deployment shortcomings. Very few people use them.
  • A promising alternative to client-side certificates is the new breed of digital identity architectures, many of which do not require a huge, monolithic corporate infrastructure to issue. I’m thinking mostly of OpenID and Microsoft’s CardSpace specs.
  • When you want to express a claim about your identity, you pick a card (any card!) and present it to the person who’s asking.
  • What’s nice about InfoCards is that, in theory, these are things you can create for yourself at a registrar (identity provider) of your choice. InfoCards also have good privacy controls - if you don’t want a relying party (e.g., securitymetrics.org) to see your e-mail identity attribute, you don’t have to release that information.
  • So, InfoCards have promise. But they use the WS-* XML standards for communication (think: big, hairy, complicated), and they require a client-side supplicant that allows users to navigate their InfoCards and present them when asked.
  • OpenID holds more promise for me. There are loads more implementations available (and several choices for Java libraries), and the mechanism that identity providers use to communicate with relying parties is simple and comprehensible by humans. It doesn’t require special software because it relies on HTTP redirects to work. And best of all, the thing the identity is based on is something “my kind of people” all have: a website URL. Identity, essentially, boils down to an assertion of ownership over a URL. I like this because it’s something I can verify easily. And by visiting your website, I can usually tell whether the person who owns that URL is my kind of people.
  • It’s way easier for the evil site to scoop the skin of a user’s OpenID service because - are you ready? - the user helps out by entering her honeypot’s URL!
  • I’d like to see OpenID and InfoCard technologies come together more. I’ll be presenting a plan for that over the next little while.
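The quoted points describe OpenID as an assertion of ownership over a URL carried by HTTP redirects. The following is an added example, not code from this post or from IdentityBlog: a simplified model of the OpenID 2.0 flow in Python, with a relying party (RP) building the redirect to the user's identity provider (OP), the OP answering with a signed positive assertion, and the RP performing the checks that make the redirect worth trusting (return_to, op_endpoint matches what discovery found for the claimed URL, HMAC signature over the signed fields, and a nonce store against replay). The association key, the discovery table, the hostnames and the nonce format are constructed assumptions; the real protocol negotiates the key with Diffie-Hellman and discovers the OP via Yadis or HTML discovery.

```python
"""Simplified model of the OpenID 2.0 redirect flow (added example).
The association key, discovery table, URLs and nonce store below are
constructed assumptions, not values from any real deployment."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Association shared between RP and OP. Constructed here; the real protocol
# establishes it with a Diffie-Hellman exchange at the OP's endpoint.
ASSOC_HANDLE = "assoc-constructed-1"
MAC_KEY = b"constructed-32-byte-mac-key-0123"

# What the RP's discovery step learned about the user's claimed URL.
# Constructed: the user "owns" https://alice.example/ and it names this OP.
DISCOVERED = {
    "https://alice.example/": "https://op.example/server",
}

RP_RETURN_TO = "https://rp.example/openid/return"
SEEN_NONCES: set[str] = set()  # replay protection; in-memory for the example

SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]


def build_checkid_redirect(claimed_id: str) -> str:
    """RP step 1: send the user to the OP that discovery found for her URL."""
    op_endpoint = DISCOVERED[claimed_id]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": "https://rp.example/",
    }
    return op_endpoint + "?" + urlencode(params)


def _kv_signature(fields: dict[str, str], signed: list[str]) -> str:
    """HMAC over the signed fields in OpenID key-value form ("name:value\\n")."""
    kv = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    mac = hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(redirect_url: str) -> dict[str, str]:
    """OP step: after the user authenticates, answer with a signed id_res."""
    req = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    resp = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"],
        # Constructed nonce: timestamp prefix plus random suffix, as in the spec.
        "openid.response_nonce": "2008-02-19T00:00:00Z" + secrets.token_hex(8),
        "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    resp["openid.sig"] = _kv_signature(resp, SIGNED_FIELDS)
    return resp


def verify_assertion(resp: dict[str, str]) -> tuple[bool, str]:
    """RP step 2: the checks that turn a redirect back into a trusted assertion."""
    if resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if resp.get("openid.return_to") != RP_RETURN_TO:
        return False, "return_to does not match this RP"
    # The signing OP must be the one discovery found for the claimed URL;
    # otherwise any OP holding an association could vouch for any URL.
    expected_op = DISCOVERED.get(resp.get("openid.claimed_id", ""))
    if expected_op is None or resp.get("openid.op_endpoint") != expected_op:
        return False, "op_endpoint does not match discovery for claimed_id"
    signed = resp.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS).issubset(signed):
        return False, "required fields not covered by signature"
    if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    try:
        expected_sig = _kv_signature(resp, signed)
    except KeyError:
        return False, "signed field missing"
    if not hmac.compare_digest(expected_sig, resp.get("openid.sig", "")):
        return False, "bad signature"
    nonce = resp["openid.response_nonce"]
    if nonce in SEEN_NONCES:
        return False, "replayed response_nonce"
    SEEN_NONCES.add(nonce)
    return True, resp["openid.claimed_id"]


if __name__ == "__main__":
    url = build_checkid_redirect("https://alice.example/")
    print(verify_assertion(op_positive_assertion(url)))
```

Every check in `verify_assertion` runs on the RP side and says nothing about where the user actually typed her password; the risk in the quoted bullet about a skinned OP login page is on the user's side of the redirect, which is why the quoted author contrasts it with client-side InfoCards.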