OpenID: emerging from web 2.0
David Recordon, Martin Paljak
- Decentralised, lightweight
- Reduces the number of usernames and passwords needed online
- Supported by lots of geeky tools and an increasing number of development toolsets. Starting to get penetration in larger service companies.
- End-user tools from Sxipper, Symantec, VeriSign.
- Estonian smartcard system – used for all kinds of e-services. Uses OpenID behind the scenes to manage SSO
- Gives users more control over their identity data. Services only need to get identity, not personal information, so users don’t need to have multiple privacy policies.
- Need the right hardware and software to use it. card + PIN verification
- Developers don’t like it, in part because of the cost of getting an SSL-enabled site (need a distinct IP address and a certificate)
- Mobile-ID: Same data from the smartcard, on a GSM SIM, but the implementation is totally different. Websites allow you to enter a phone number as an ID; you get sent a confirmation text, reply using a PIN (the PIN stays on the phone), and can then continue logged in
- Anonymity: anonymity is a privilege; open.id.ee provides partial anonymity
- OpenID 2: multiple identities. Can have an OpenID with no personally-identifiable information in the ID. Provides anonymity whilst still allowing sites to assert that these are real, unique people.
- Other EU countries deploying OpenID. OpenID is designed for interop.
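
Added example (not from the talk, and not how open.id.ee is known to work): one common way a provider can issue an OpenID with no personal data in it, while still giving each site a stable, unique ID per real person, is a keyed hash of the account and the requesting site. `OP_BASE`, `OP_SECRET`, the account ID and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

OP_BASE = "https://op.example/id/"          # hypothetical provider URL
OP_SECRET = b"constructed-demo-key-only"    # constructed; a real key lives in an HSM/KMS

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_realm(realm: str) -> str:
    """Reduce a relying-party URL to scheme://host[:port] so that trivially
    different spellings of the same site map to the same pseudonym."""
    parts = urlsplit(realm)
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported realm: {realm!r}")
    port = parts.port or _DEFAULT_PORTS[parts.scheme]
    suffix = "" if port == _DEFAULT_PORTS[parts.scheme] else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def directed_identifier(account_id: str, realm: str,
                        secret: bytes = OP_SECRET) -> str:
    """Return a per-site identifier: stable for (account, site), different
    across sites, and not reversible to the account without the secret."""
    fields = (account_id.encode(), normalize_realm(realm).encode())
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return OP_BASE + tag


if __name__ == "__main__":
    account = "constructed-account-0001"    # constructed sample account ID
    for site in ("https://shop.example/login", "https://forum.example/"):
        print(site, "->", directed_identifier(account, site))
```

Because the pseudonym is derived rather than stored, rotating `OP_SECRET` changes every user's identifier at every site, so key rotation needs a migration plan.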