Martin Strandbygaard just gave an introductory talk about OpenID at Open Source Days in Denmark. Given the recent discussion about OpenID and security, mostly the phishing opportunities it creates, I was interested to hear the talk.
Yes, I have an OpenID. I use it at maybe 2-3 sites. Why so few? Because most sites haven't adopted it yet.
Martin gave an overview of the sites that already let people log on with an OpenID, and of the sites that today let you create an OpenID identity with them which you can then use elsewhere. Yes, you can use your LiveJournal or Yahoo account as an OpenID. I'm not doing that. I'm running my own open source OpenID server (funny that he didn't touch on that subject).
When he went on to discuss adoption, he mentioned that even the company from Redmond was starting to allow people to log on with their OpenID, however only with an OpenID from a restricted set of OpenID servers.
I asked where on the Yahoo site I could log on using an OpenID, and my fear was confirmed: you can't. So Yahoo is indeed promoting OpenID, but why? So they can see which other services their users are using, so they can quickly acquire them?
And according to Martin, various other sites that allow OpenID authentication are gearing towards accepting only a limited set of OpenID services, the ones they have partnerships with.
Now I don't want to use a third-party OpenID server; I have my own, and I want to control my own data. For services that use the above-mentioned mode, trusting only a limited set of OpenID providers, my personal OpenID is useless. I would once again end up having to sign up with different OpenID servers, which makes the whole idea of not having to keep different username/password combinations around rather void :(
One of the questions from the audience was about how strong the authentication of an OpenID logon is. The fact is that you can make it as strong as you want: the OpenID specification leaves the way the provider authenticates its user out of scope. If you build an OpenID server you could go with plain-text authentication over http, basic authentication over https, or even build an authentication system on a challenge-response framework.
The bigger question, however, is how and what data goes to the OpenID consumer.
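To make that last point concrete, here is an added example (my own illustration, not code from the talk, from the OpenID specification text, or from any OpenID library) of the data an OpenID 2.0 provider sends back to a consumer in a positive assertion, and the checks the consumer has to run on it. Only the fields listed in openid.signed are protected by the HMAC; the consumer must also insist that the return_to and the nonce are among them, match return_to against its own URL, and refuse a nonce it has already seen. The endpoint URLs, identifiers, association handle, MAC key and nonce are constructed sample values; in a real exchange the MAC key comes from a prior association request.

```python
"""Signed OpenID 2.0 positive assertion: provider side and consumer checks.
Added illustration; all URLs, keys and the nonce below are constructed samples."""
import base64
import binascii
import hashlib
import hmac

# Constructed association. In OpenID 2.0 the MAC key is agreed in an earlier
# "associate" request (optionally wrapped with Diffie-Hellman); here it is a
# fixed sample secret shared by both sides of the example.
ASSOC_HANDLE = "assoc-example-1"                     # sample handle
MAC_KEY = b"0123456789abcdef0123456789abcdef"        # sample HMAC-SHA256 key
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity"]
# OpenID 2.0 requires at least these fields to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def make_assertion() -> dict:
    """Constructed positive assertion as the provider redirects it back to the
    consumer's return_to URL (query parameters already decoded into a dict)."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://openid.example.net/server",  # sample
        "openid.return_to": "https://consumer.example.org/finish",   # sample
        "openid.response_nonce": "2007-10-06T12:00:00Zabc123",       # sample
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": "https://alice.example.net/",           # sample
        "openid.identity": "https://alice.example.net/",             # sample
    }


def key_value_form(fields: dict, signed: list) -> bytes:
    """OpenID key-value form: 'key:value\\n' per signed key, in the order
    given by openid.signed, with the 'openid.' prefix stripped. This is the
    exact byte string the HMAC is computed over."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def provider_sign(fields: dict) -> dict:
    """Provider side: add openid.signed and a base64 HMAC-SHA256 openid.sig."""
    fields = dict(fields)
    fields["openid.signed"] = ",".join(SIGNED_FIELDS)
    mac = hmac.new(MAC_KEY, key_value_form(fields, SIGNED_FIELDS), hashlib.sha256)
    fields["openid.sig"] = base64.b64encode(mac.digest()).decode()
    return fields


def consumer_verify(fields: dict, expected_return_to: str, seen_nonces: set) -> bool:
    """Consumer side. Returns True only if the assertion is authentic, is
    addressed to this consumer, and has not been replayed."""
    if fields.get("openid.mode") != "id_res":
        return False
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False  # unknown association: would need check_authentication
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False  # an unsigned return_to or nonce could be substituted
    for k in ("claimed_id", "identity"):
        if "openid." + k in fields and k not in signed:
            return False  # identity fields present but not protected
    try:
        expected = hmac.new(MAC_KEY, key_value_form(fields, signed),
                            hashlib.sha256).digest()
        given = base64.b64decode(fields.get("openid.sig", ""), validate=True)
    except (KeyError, binascii.Error):
        return False  # signed list names a missing field, or sig is not base64
    if not hmac.compare_digest(given, expected):
        return False  # tampered field or wrong key
    if fields["openid.return_to"] != expected_return_to:
        return False  # assertion meant for some other consumer
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False  # replayed assertion
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    assertion = provider_sign(make_assertion())
    seen = set()
    print("genuine:", consumer_verify(assertion, "https://consumer.example.org/finish", seen))
    print("replay: ", consumer_verify(assertion, "https://consumer.example.org/finish", seen))
    forged = dict(assertion)
    forged["openid.claimed_id"] = "https://mallory.example.net/"  # sample attacker id
    print("forged: ", consumer_verify(forged, "https://consumer.example.org/finish", set()))
```

The point of the example is that the strength of the user's login at the provider is only half of the story: what reaches the consumer is a short list of signed fields, and a consumer that skips any of the checks above (signed-field coverage, return_to, nonce) accepts assertions that a strong login at the provider did nothing to protect.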
So apart from the existing security challenges, there are a lot of organisations claiming to support OpenID while they actually don't, and that's the first blocking factor for quick OpenID adoption. And the ones that are adopting it aren't doing it openly enough.
I fear it was a nice attempt, but I don't really think it's going to be a big success.
It should have taken off already.