I did some reading about OpenID today, after hearing that AOL is now providing OpenID service for all its members. It’s a distributed single-sign-on system, similar in principle to Windows Live ID but not centrally controlled by any single entity. I really like the concept, so I went and created an account at MyOpenID and used it to sign up with several OpenID-enabled services listed in MyOpenID’s directory: stikis, Hampr, Ma.gnolia, and Zooomr. I guess I’m gradually climbing onto the “Web 2.0” bandwagon even though I’m not really all that interested in web development.
When Microsoft introduced “Passport” (the original name of Windows Live ID) back in 1999, I remember being strongly against it, because while I liked the idea of single-sign-on, I didn’t like the fact that it was all under Microsoft’s control. Specifically, I didn’t (and still don’t) like the idea of Microsoft acting as a gatekeeper to other websites that I sign into; they’d have the potential to track their users’ browsing habits and use the data for their own purposes, much like spyware often does. Given Microsoft’s reputation for abusing its power in the market, I felt that the risk was not worth the convenience.
In contrast, OpenID is distributed, which means that I get to choose which company or organization — if any — I want to trust with that information. The trick is that each OpenID “name” actually contains the address of the server responsible for verifying that user’s identity, so different users can use different OpenID servers instead of relying on a single centralized database.
Right now, the OpenID identity I use is “wyzard.myopenid.com”, which is provided for free by the MyOpenID service. When I log into an OpenID-enabled website with this identity, MyOpenID knows about it, and they have the ability to track what I’m logging into, but I’m less distrustful of JanRain Inc. than of Microsoft in this regard, so I consider it an acceptable risk.
However, instead of using “wyzard.myopenid.com” as my identity URL, I could configure this site to return some special HTTP headers pointing to MyOpenID, and use “wyzardry.net” as my identity instead. I’d still be using the same MyOpenID account, but with a different username, so to speak — one which I have more direct control over. (There’s a Drupal module meant specifically for this purpose, to provide those special HTTP headers, but it hasn’t been ported to Drupal 5 yet, so I can’t use it. I intend to make this change once that module gets updated.)
Later, if MyOpenID is compromised or if I decide I don’t trust them anymore, I can switch to a different OpenID identity provider — either by creating a new account with some other public provider and updating those special HTTP headers accordingly, or by just installing my own OpenID server right here on this site — and I can continue using “wyzardry.net” as my identity. This is a key difference between OpenID and Windows Live ID; it’s analogous to switching phone companies but keeping the same phone number, and it’s the source of the flexibility and choice that makes this system so nice.
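To make the delegation and provider-switching described above concrete, here is an added example (my own code, not anything from this site, MyOpenID or the Drupal module mentioned) of the discovery step a relying party performs in OpenID 1.1. The identity page served at the claimed URL carries two `<link>` elements in its HTML head: `openid.server` names the provider endpoint and `openid.delegate` names the identifier the provider actually knows; when the delegate tag is absent, the claimed URL itself is the local identifier. The two sample pages, the provider endpoint URLs and the `wyzard.myopenid.com` / `wyzardry.net` wiring are constructed for illustration. The example also shows the consistency check a relying party should make when an assertion comes back: a provider may only vouch for the identifier whose page delegates to it, otherwise any provider could claim to authenticate anyone.

```python
"""OpenID 1.1 identifier normalization, delegation discovery and the
relying-party consistency check.  Added example; sample pages, endpoint
URLs and identifiers below are constructed, not taken from the post."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed ("wyzardry.net") into a canonical URL.
    OpenID 1.1 prepends http:// when no scheme is given, adds a trailing
    slash to an empty path, and drops any fragment."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) identifier: {user_input!r}")
    url = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")


class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags, but only inside <head>,
    which is where the spec says delegation links must live."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}
        self._head_closed = False

    def handle_starttag(self, tag, attrs):
        if self._head_closed or tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.lower().split():  # rel may hold several tokens
                self.links.setdefault(token, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._head_closed = True


def _require_absolute_http(url: str) -> str:
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"refusing non-absolute or non-http URL: {url!r}")
    return url


def discover(claimed_id: str, identity_page_html: str) -> tuple[str, str]:
    """Return (provider_endpoint, local_id) for a claimed identifier.
    Raises ValueError if the page does not advertise an OpenID server."""
    parser = _HeadLinks()
    parser.feed(identity_page_html)
    parser.close()
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link: not an OpenID identity page")
    local_id = parser.links.get("openid.delegate", claimed_id)
    return _require_absolute_http(server), _require_absolute_http(local_id)


def assertion_is_consistent(claimed_id: str, identity_page_html: str,
                            asserted_identity: str, asserting_server: str) -> bool:
    """After the provider redirects back, the relying party must re-check
    that the identity being asserted and the endpoint asserting it are the
    ones discovery yielded for the claimed URL.  Without this, a rogue
    provider could hand back an assertion for someone else's identifier."""
    server, local_id = discover(claimed_id, identity_page_html)
    return asserted_identity == local_id and asserting_server == server


# Constructed sample 1: wyzardry.net delegating to a MyOpenID account.
PAGE_DELEGATING = """<html><head><title>wyzardry.net</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://wyzard.myopenid.com/">
</head><body>Home page; this link must be ignored:
<link rel="openid.server" href="http://evil.example/server"></body></html>"""

# Constructed sample 2: the same identity URL after switching to a
# self-hosted provider.  No delegate tag, so the claimed URL is local_id.
PAGE_SELF_HOSTED = """<html><head><title>wyzardry.net</title>
<link rel="openid.server" href="https://wyzardry.net/openid/server">
</head><body>Home page</body></html>"""

# Constructed sample 3: an ordinary page with no OpenID links at all.
PAGE_PLAIN = "<html><head><title>nothing</title></head><body></body></html>"


if __name__ == "__main__":
    cid = normalize_identifier("wyzardry.net")
    print("claimed id:", cid)
    print("before switch:", discover(cid, PAGE_DELEGATING))
    print("after switch: ", discover(cid, PAGE_SELF_HOSTED))
```

The identifier the user types never changes across the two sample pages; only what discovery returns does, which is exactly the "keep your number, change your phone company" property. The `<link>` placed in the body of the first sample is ignored because discovery only honours links in the head, so user-supplied page content (a comment, a forum post) cannot redirect discovery to another provider.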
I’m glad that OpenID seems to be catching on — Microsoft reportedly intends to support it too — and I look forward to seeing it widely implemented in the next few years.