
Technology Brief: OpenID

The Problem

If I want to comment on an article at the New York Times website, I need to first set up a user name and password with the site. The same is true if I want to set up a blog at WordPress.com or upload photos to flickr. Like many people, I have several different usernames and passwords, accumulated over the course of years of Internet use. It would be nice to have a single username and password that could be accessed by multiple sites.


The OpenID Solution

OpenID, a means of establishing one username and password that can be applied to multiple sites, has been gaining traction. AOL, France Telecom, MySpace, Sun Microsystems, WordPress, Yahoo! and many other entities are now OpenID providers. AOL users, for example, automatically have an OpenID to match their AOL account name. Thus, if Jane has the AOL account name talentedlawstudent, the OpenID for her AOL account is http://talentedlawstudent.aol.com/. Other OpenID providers like sxipper.com provide free OpenID registration for people who do not have accounts with AOL, WordPress, or other service providers. Once a user creates an OpenID account, it may be used to log in to any site that supports OpenID.

When our hypothetical AOL user Jane goes to wonderfulsite.com, a previously unvisited site that supports OpenID, she can log in with her OpenID account. After she enters her OpenID username and password, the site sends a request to AOL for the URL http://talentedlawstudent.aol.com. AOL’s OpenID server sends a reply, and Jane now has an account at wonderfulsite.com.
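As an added example (not code from the original post), here is the first step a site like wonderfulsite.com performs when Jane types her identifier: normalizing it into the claimed URL and reading the provider endpoint from the `<link>` tags on the identifier page, as OpenID 2.0 specifies. The sample identifier page and its hostnames are constructed placeholders, not real AOL endpoints.

```python
"""Added example: OpenID identifier normalization and HTML-based discovery.
The SAMPLE_PAGE below is constructed input with placeholder hostnames."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed (e.g. 'TalentedLawStudent.aol.com') into
    the claimed identifier URL 'http://talentedlawstudent.aol.com/'."""
    ident = user_input.strip()
    if "://" not in ident:
        ident = "http://" + ident          # URL identifiers default to http
    parts = urlsplit(ident)
    path = parts.path or "/"               # an empty path becomes '/'
    # scheme and host are case-insensitive; any fragment is discarded
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from the identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():      # rel may carry several tokens
                self.links.setdefault(token.lower(), href)


def discover(identifier_page_html: str) -> dict:
    """Return the provider endpoint the site must contact. Prefers OpenID 2.0
    tags, falls back to OpenID 1.1 tags, and returns {} when neither is
    present so the caller cannot proceed against a page naming no provider."""
    parser = _LinkRelParser()
    parser.feed(identifier_page_html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": "2.0", "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": "1.1", "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return {}


# Constructed sample of what a provider might serve at the claimed identifier URL.
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://openid.example-provider.test/server">
<link rel="openid2.local_id" href="http://talentedlawstudent.example-provider.test/">
<link rel="openid.server" href="https://openid.example-provider.test/server">
</head><body>Jane's identifier page</body></html>"""
```

Only after the site has verified a positive assertion from the discovered endpoint does Jane's account exist at the site; discovery alone proves nothing about who she is.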

OpenID Is Not a Personal Identity Mechanism

There has been a great deal of controversy about OpenID, in part because of differences of opinion among the security crowd, and in part because of expectations that OpenID might someday become an online identity panacea. The technical arguments about OpenID as it exists now are important, but when analyzing OpenID in the context of Internet policy, it is perhaps more valuable to look at the goal of OpenID.

Kevin Fox of OpenID provider JanRain describes the problem OpenID was designed to solve:

The problem of ‘too many user-names and passwords to remember’ and associated symptoms of social network fatigue (SNF), including irritation with continually entering the same personal info (date of birth, gender, etc.) and inability to easily move your online profile around with you to the different sites you visit.

OpenID is a technology aimed at making site access more convenient for users. It can tell a website that a given user-created identity is returning to the site. But it is not designed to establish a trust relationship between a website and the person using OpenID. I can create an OpenID account with a username of Santa_Clause, and use that OpenID on all the sites I visit. I can also create another OpenID account with a username of PresidentGeorgeWBush. OpenID in no way limits pseudonymous Web use, nor does it verify a person’s actual human identity.

3 responses to Technology Brief: OpenID

11.29.07 • Gary Krall

Erik: I am the technical director for the VeriSign OpenID Provider system called the “PiP”. We too are active in this area and have integrated our 2-factor authentication system (currently deployed by eBay/Paypal) and have implemented it on our platform.

You can take a look at: http://pip.verisignlabs.com

11.29.07 • Erik Schmidt

Gary, thanks for the note. Would you say that my characterization of OpenID on its own is correct?

11.30.07 • Kevin Fox

Erik: thanks for the mention, I think your characterization of OpenID on its own is correct. Advances are being made that negate the security/usability concerns and complementary technologies like OAuth / Open Social will allow for richer trust relationships to be established between sites. I would make the analogy that OpenID is today where email was in the early 90s…

Tech LawForum, Sponsored by the High Tech Law Institute High Tech Law Institute, Santa Clara University School of Law