OpenID: an actually distributed identity system

This is a distributed identity system, but one that’s actually distributed and doesn’t entirely crumble if one company turns evil or goes out of business.

An OpenID-enabled site/blog lets you authenticate using your existing login from your homesite (whether that’s on your own server or a hosted service) without giving away your password to the 3rd-party site you’re visiting, or making a new account there, or giving away your email address.

And it’s secure, and can run entirely in the browser without extensions, without moving between pages.

* A lot of other distributed identity systems aren’t actually distributed, having one or more parts centrally controlled.
* Logging in to a dozen websites every day is lame.
* Sites that let you enter your name/URL/email/etc. and display it without verifying that you’re actually you are lame.
* You should be able to keep one (or more) identities over time that stay fixed, regardless of what services are still in existence and you still use a few years down the road.

Why not _______?

* Passport — Centralized registry. Not everybody trusts Microsoft to control their identity.
* TypeKey — Centralized registry. Not everybody trusts SixApart to control their identity. (But if you already use TypeKey, there’s a good chance a future version of TypeKey will also be an OpenID server… I’m pushing for it at least, and volunteered to do the work.)
* Sxip — kinda distributed, but homesites have to register, and the single point of failure (SPOF) is the sxip.net DNS staying in existence.
* SAML — We’d like to use the parts of SAML (from the Liberty Alliance) that are appropriate, but the spec as a whole isn’t an answer. Part of our OpenID requirements is that there’s an AJAX version, which means the only kind of RPC request we can make from the client to a remote host is a JavaScript or iframe’d request. Not everybody chooses to require SSL, so the SAML bindings as-is won’t work in that case, and we’ll have to use our own JavaScript SAML wrapper at least there.

Who owns this?

Nobody should own this. Nobody’s planning on making any money from this. My goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community. If something like this already exists and I don’t know about it, do let me know. My goal isn’t to reinvent the wheel… just find something that everybody can easily use. Update: Thanks for the pointers! We’ve got at least two other people from similar projects on the mailing list, one of which was nearly identical to this system (mIDm) and had a similar outlook: he wanted something to just work, regardless of who made it, so he’ll be helping us out.

