Is OpenID a panacea, a placebo, or something in between? Opposing viewpoints took turns on center stage Wednesday afternoon at OSCON 2008. The session entitled "A Critical View of OpenID" started off as anything but critical, but once the audience got its turn to raise questions, things got more interesting.
Moderated by author Jason Levitt, the session featured four speakers explaining the theory, security model, implementation, and importance of the OpenID single sign-on system. Simon Willison gave an overview of the system, Scott Kveton of Vidoop examined its security, Chris Messina of the DiSo project described its potential impact on social networking, and Yahoo!'s Membership Team architect Allen Tom related his company's experience deploying it.
The presentations -- which constituted the first half of the session -- were primarily informative and favorable, but they did contain candid mention of OpenID's problems. Kveton began his portion of the talk with a ready admission that OpenID's usability is low; a sentiment echoed by the others. Among other things, he noted that users rarely pay attention to the URL bar in a Web browser, an oversight that could be exploited by phishing attacks during the multi-stage OpenID authentication process.
Tom discussed the results of a usability study conducted by Yahoo!, which found confusion among users about how OpenID is intended to work. They didn't understand the relationship between OpenID providers and OpenID consumers, they expected that signing out of one was equivalent to signing out of both (it is not), and they were confused by the dual-mode login pages (sporting both OpenID and username/password fields) common to many of today's OpenID-consuming sites.
Send in the audience
But for the most part, the presenters' words were positive enough that when it was time to take questions, several members of the audience prodded the panel for the critical view implied by the title.
Several in the audience had questions for Tom about Yahoo!'s support for OpenID -- starting with why Yahoo! provides a mechanism for Yahoo! IDs to serve as OpenID credentials for other sites, but does not accept OpenIDs from other sites. The company likes the OpenID protocol, Tom replied, but does not regard many of today's OpenID providers as trustworthy enough to grant access to Yahoo!'s paid services. That, said another audience member, undermines the entire point of OpenID -- users can choose any OpenID provider they like, including a bad one, just like they can choose any password they like -- including a bad one.
In response, Willison suggested that the value proposition for accepting OpenIDs is higher for new, small sites than existing players like Yahoo!, because it simplifies the registration process. Messina added that OpenID is not intended to provide authentication or trust, just a durable online identity. Kveton said that future versions of OpenID will include mechanisms for provider-to-consumer security verification.
The panel specifically solicited comments from site owners who had chosen not to implement OpenID -- including Leah Culver of Pownce, who evoked laughs and a brief round of applause when she recalled that OpenID was originally designed to solve the problem of registering to leave blog comments. For that task, she suggested, it might not be worth the hassle. "Is it really so fucking onerous to remember your password?"
The charge that OpenID is overly complicated is one that the panel is familiar with and takes no real offense to, and it motivates continued work on the protocol. Future work on the protocol, they said, will address many people's concerns, although part of the perceived problem is the lack of well-developed "best practices" for associating OpenIDs with users accounts, merging and revoking OpenIDs, and other tasks that are outside the scope of the protocol itself and best left up to the implementer. Willison illustrated the latter fact by pointing out that there is a completely anonymous OpenID provider.
Another audience member raised a more serious issue, asking whether OpenID's security model had been reviewed and vetted by security and cryptography professionals, citing the slide in Willison's presentation that abstracted part of the OpenID authentication process as "then magic happens." Why should we trust this magic, the audience member asked, when new attack vectors still threaten even established, vetted systems like SSL?
Several of the panelists insisted that OpenID should be considered a work in progress, one that would never provide perfect security but should be actively maintained and watched for exploits. Tom said that Yahoo!'s engineering team had examined OpenID and found it to be at least as good as the company's proprietary authentication system, adding "cryptography is not rocket science."
Others asked about domain hijacking of OpenID URLs, privacy, and single-point-of-failure concerns. For some topics, the panel members had concrete answers, for others they did not. At one point Tom declared OpenID "essentially a streamlined reset-password-by-email process." And I found it amusing when, near the end, one audience member asked how many different OpenIDs the panelists had -- and the answers were "four or five," "half a dozen," and "seven or eight."
But it was all in good fun. Culver, after all, wasn't actually taking the gloves off; the panel had asked her beforehand to hassle them during the Q&A. And Kveton's opening remark was "I love OpenID, but it sucks."
There are a lot of misunderstandings about OpenID, some of which are the result of its creators, and some the result of real-world implementations that universally blur the distinctions between identity, authentication, and security. OpenID really only defines the first, but deploying a single sign-on solution involves all three. How to make that clear to the average Web user is the challenge.
In the end, the session probably did not make true believers out of any OpenID skeptics, or vice versa, but it is refreshing to see such an open exchange of questions, critiques, answers, and solutions.