
The Unbearable Weirdness of OpenID

September 4th, 2009

Right now, you probably have a whole bunch of identities floating around the Internet. If you’re like me, you can’t remember every username/password combination, and have resorted to a less than perfect method of keeping track of them all. Thankfully, various websites have started using your email as your login name, which is one less piece of extraneous information to remember.

There are some obvious benefits to this approach. Emails are unique to a person – or at least, unique to a collection of interested people – and their use as a login ID makes it easy to send out new passwords. As a result, I’m sure more than a few people now have an entire IMAP folder full of emailed passwords.

There’s still the underlying problem that users now have lots of passwords, or have to settle for a bunch of websites having the same password, with the obvious security risk.

The plausible solution that’s frantically trying to get headway is OpenID. Currently, it does seem to solve a whole bunch of problems, especially when all you want to do is leave one solitary comment on a blog that you’ve come across and are unlikely to ever read again. What it’s lacking is traction.

The problem is one of usability. Users have had a good decade or more of seeing user@domain as a way of identifying or contacting a person, and http://example.com/file as a document or location which you can browse to. OpenID abuses the URI concept not only as a document about yourself, but also as a username, and a hook into the RPC mechanism.

This observation isn’t new. There has already been a large amount of debate over the use of a URI as an identifier. A proposal was put forward a couple of years ago to solve this by abusing the plaintext authentication built into the HTTP protocol. The main problem is that it requires making certain assumptions about the domain’s DNS infrastructure, and overriding the authentication mechanism – which is a Bad Thing[tm].

However, the author of that proposal is on to something, and there’s a better solution. There’s a DNS record type called SRV. This record type allows you to retrieve the servers associated with a domain, much like MX records do for mail. By utilizing this, it would be possible to specify the exact server used for OpenID authentication for a given domain.

This approach would also make load balancing and automatic failover much easier, thanks to the weighting system built into the way SRV records are returned. In addition, it would make it much simpler to virtually host OpenID domains on another host’s servers.
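As an added illustration (not code from the original post), here is how a relying party could consume such a record set: parse the SRV answers and order the targets by the priority/weight rules that give the failover and load balancing described above. The `_openid._tcp` service label, the hostnames and the record set are constructed assumptions; a real client would get the records from a resolver rather than an inline string.

```python
import random
from dataclasses import dataclass

# Constructed example of what a resolver might return for a hypothetical
# _openid._tcp.example.com SRV RRset (the post names no service label).
# Presentation format per RFC 2782: name TTL class SRV priority weight port target
CONSTRUCTED_RRSET = """
_openid._tcp.example.com. 3600 IN SRV 10 60 443 id1.example.com.
_openid._tcp.example.com. 3600 IN SRV 10 40 443 id2.example.com.
_openid._tcp.example.com. 3600 IN SRV 20  0 443 backup.example.org.
"""

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_rrset(text: str) -> list[SrvRecord]:
    """Parse zone-file style SRV lines. A target of "." means the service is
    explicitly not offered at this name (RFC 2782), so such lines are dropped."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3].upper() != "SRV":
            raise ValueError(f"not an SRV record: {line!r}")
        priority, weight, port = (int(f) for f in fields[4:7])
        target = fields[7].rstrip(".")
        if target:
            records.append(SrvRecord(priority, weight, port, target))
    return records

def order_targets(records: list[SrvRecord], rng=random) -> list[SrvRecord]:
    """Order targets the way RFC 2782 tells a client to try them: lowest priority
    first (failover); within one priority, weighted random (load balancing),
    with weight-0 entries placed first so they are almost never picked."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)  # zero weights to the front
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered

if __name__ == "__main__":
    # Without DNSSEC the answer is only as trustworthy as the resolver path;
    # verify the chosen target's TLS certificate against its name before use.
    for rec in order_targets(parse_srv_rrset(CONSTRUCTED_RRSET)):
        print(f"try https://{rec.target}:{rec.port}/ (prio {rec.priority}, weight {rec.weight})")
```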

  1. September 14th, 2009 at 18:56

    One of the nice pieces of how OpenID discovery currently works is that by just two lines of HTML, someone can turn any web page into an OpenID. Sam Ruby wrote a tutorial about this a few years ago (http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers) and this is a use case that we don’t want to lose. By switching only to SRV records, we’d lose the ability for people who only know how to edit HTML to create an OpenID.

    There is ongoing work when it comes to discovering meta-data; check out some of the recent posts on http://hueniverse.com/.
