Liquid Media's Apps


In a recent O'Reilly Radar post I learned about OpenID. As most of us are these days, I'm overwhelmed by the number of logins and passwords I have to create and manage across all the sites I visit. In fact, I suspect part of the reason I don't visit some sites at all is because I don't want to go through the effort of managing yet another login. I'm therefore very intrigued by an open identification system that has some traction.

Unfortunately, so far as I can see, OpenID doesn't help things very much. It's vulnerable to phishing attacks and it makes no attempt to prevent spammers from using it. In fact, the latter is probably one of the main reasons many sites (including a substantial number of blogs) require logins! By creating an account (and responding to the requisite "confirm your e-mail address" e-mail), you've created a barrier to entry too high for the majority of spammers. OpenID's position is:

Somebody could run their own identity server that says they're all the way to and that's not a goal of this system to prevent. It's another layer's job to say the identities with URL* is a spammer, or some ID server is a known spammer, or some particular identity is a known spammer. on 29-Jan-2007

This position is wholly unequipped to handle untrusted users. The same document states:

This is not a trust system. Trust requires identity first.

The position is fair enough. True trust requires that all parties involved take great care, and that's not particularly realistic, but if OpenID doesn't prevent phishing, and it doesn't do anything to prevent spammers, then what good is it?

It's a shame, because the principles behind OpenID are good: a decentralized, free, open framework. It's a pity that OpenID is not equipped to solve any of the internet's contemporary problems.

Tagged authentication, identification, identity, networking, openid, and trust.