[LINK] Open ID?

Markus Buchhorn markus.buchhorn at anu.edu.au
Fri Mar 30 11:36:23 AEST 2007 

Hi Eric

At 10:45 AM 30/03/2007, Eric Scheid wrote:
>quoting <http://openid.net/>
>
>> What is OpenID?
>> 
>> OpenID starts with the concept that anyone can identify themselves on the
>> Internet the same way websites do: with a URI (also called a URL or web
>> address). Since URIs are at the very core of Web architecture, they provide a
>> solid foundation for user-centric identity.

I'm already worried :-) URIs are not URLs and vice versa.

>I'm considering implementing support for this in a project soon. I'm
>reasonably up to date on the technical issues, but figure that LINK would
>have some relevant opinions on this too.

For my two bits, I'd have to ask how this sits alongside existing major efforts like Shibboleth and Liberty Alliance, and all of the development work on major standards like SAML (which has OASIS sign-off). 

It seems like the principles are very similar, i.e. you use an identity provider to host and assert your credentials to anybody that asks. 

However, SAML and Shib are very very rich, and I don't know I see that in openid? In Shib you can have an unbounded number of highly-trustable identity providers (how do I build trust in a 3rd party hosted IdP?), you can have very secure trust relationships between IdPs and service providers, you can build single-sign-on and single-sign-off, you can peer trust federations, you have a very robust privacy framework and policy support (Roger, you reading this?), and can develop more and more buzzwords phrases like you wouldn't believe :-) I don't see those things in openid, admittedly on a very quick glance through their doco. I do see some discussion in their attribute exchange specification which covers some privacy aspects, and they gave a talk to a liberty alliance meeting, so they know that world exists. I do see some verisign involvement, which is interesting.

Shib and SAML have been major efforts for many years, and are now seeing global takeup, initially in the higher-ed sector, and some government agencies are looking at it. There is certainly talk of national and international trust federations, and they will most likely build on standards like SAML, which also have a lot of corporate backing (including the usual suspects who normally don't!).

I don't see openid as the de facto standard, but do see them in a few sites. We have over a million people in Australia alone registered into a shib framework already (even if they don't realise it), the UK is adopting it for their entire higher-ed (and lower-ed?) sector, and the US is ramping up very quickly.

OTOH, openid might be a nice lightweight way to build something similar with a lot less effort - if you understand the things you are giving up for that convenience. If openid was saml-based I'd be a lot more comfortable, and maybe it is in parts - but it's not made obvious? Are they reinventing the saml wheel? Don't know. 

A search for shib and openid together turns up some sites with contrast discussions; worth reading, but it does get techy very quickly if you're not into this kind of space.... It does seem like openid is aiming for the lightweight, less "crucial" end of the scale of needs, where shib may be overkill (though it's also poorly understood n many places).

[For the seriously inclined you might also want to look at SASL and XACML as other emerging key standards in the authentication and authorisation space; xacml allows you to express complex policies in xml, and sasl allows you to build secure IP tunnels through an arbitrary authentication process, including Shib, and probably openid.]

Cheers,
        Markus

More information about the Link mailing list