Archive for September, 2009

The Unbearable Weirdness of OpenID

September 4th, 2009

Right now, you probably have a whole bunch of identities floating around the Internet. If you’re like me, you can’t remember every username/password combination, and have resorted to a less than perfect method of keeping track of them all. Thankfully, various websites have started using your email as your login name, which is one less piece of extraneous information to remember.

There are some obvious benefits to this approach. Email addresses are unique to a person – or at least, unique to a collection of interested people – and their use as a login ID makes it easy to send out new passwords. As a result, I’m sure more than a few people now have an entire IMAP folder full of emailed passwords.

There’s still the underlying problem that users now have lots of passwords, or have to settle for a bunch of websites sharing the same password, with the obvious security risk.

The plausible solution that’s frantically trying to gain headway is OpenID. Currently, it does seem to solve a whole bunch of problems, especially when all you want to do is leave one solitary comment on a blog that you’ve come across and are unlikely to ever read again. What it’s lacking is traction.

The problem is one of usability. Users have had a good decade or more of seeing user@domain as a way of identifying or contacting a person, and a URL as a document or location which you can browse to. OpenID abuses the URI concept: the URI is not only a document about yourself, but also a username and a hook into the RPC mechanism.

This observation isn’t new. There has already been a large amount of debate over the use of a URI as an identifier. A proposal was put forward a couple of years ago to solve this by abusing the plaintext authentication built into the HTTP protocol. The main problem is that it requires making certain assumptions about the domain’s DNS infrastructure, and overriding the authentication mechanism – which is a Bad Thing[tm].

However, the author of that proposal is on to something, and there’s a better solution. There’s a DNS record type called SRV. This record lets you look up the servers that provide a given service for a domain, much like MX records do for mail. By using it, it would be possible to specify the exact server used for OpenID authentication for a given domain.

This approach would also make load balancing and automatic failover much easier, thanks to the weighting system built into SRV records. In addition, it would make it much simpler to virtually host OpenID domains on another host’s servers.
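As an added example (not code from the original post), here is how a relying party could turn user@domain into a SRV lookup and then apply the priority/weight ordering from RFC 2782 that gives the load balancing and failover described above. The `_openid._tcp` service label and the example.com records are assumptions; no such SRV service is defined by OpenID.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def openid_srv_name(identifier):
    """Map user@domain to the SRV name to query (_openid._tcp is hypothetical)."""
    user, _, domain = identifier.rpartition("@")
    if not user or not domain:
        raise ValueError("expected user@domain")
    return f"_openid._tcp.{domain.lower().rstrip('.')}"

def order_srv(records, rng=None):
    """RFC 2782 order: lowest priority first; within a priority, draw by weight."""
    rng = rng or random.Random()
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: zero-weight records go first so they are rarely chosen.
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # inclusive upper bound, per the RFC
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def pick_provider(records, is_reachable, rng=None):
    """First reachable server in RFC 2782 order: all priority-10 servers are tried
    before any priority-20 one, so failover is implicit. Target "." means no service."""
    for r in order_srv(records, rng):
        if r.target == ".":
            return None
        if is_reachable(r.target, r.port):
            return r
    return None

# Constructed sample answer for _openid._tcp.example.com; not a real zone.
SAMPLE_RECORDS = [
    SrvRecord(10, 60, 443, "id1.example.com."),
    SrvRecord(10, 40, 443, "id2.example.com."),
    SrvRecord(20, 0, 443, "backup.example.com."),
]
```

Passing a reachability check that fails for both priority-10 hosts makes `pick_provider` fall through to the backup without any extra failover code.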

