Authentication Requires Trust
I was reading Aswath’s post on OpenID today and I realized the fundamental flaw with it: that anyone can create an authentication server to validate your request. While that’s fine and dandy from a lack of vendor lock-in point of view, from an authentication point of view, it’s horrible. What’s worse, is that there is no trust built into the model. Even the How This Works page at OpenID says it!
To me, authentication and identity go hand in hand. You can’t prove identity without authenticating it and you can’t use someone else’s authentication with your identity. Try using someone else’s login and your password to get onto a website. Does it work? If it does, you both picked really bad passwords!
The closest analogy I can think of to OpenID is PGP. PGP is an encryption standard that relies on asymmetric encryption with public and private keys. Like with OpenID, there is no central certifying authority. However, PGP has a sort of “web of trust” model where participants in the system “sign” each other’s keys. The idea being, I trust that it’s Bob’s key that I received because Alice signed the key, and I trust Alice.
OpenID creates a situation where I could set up my own OpenID server and say “I assert that PhoneBoy is who he says he is.” In other words, I’m saying “I am who I say I am because I say so.” How do you know my word is good? At least PGP gives you a mechanism by which to make a decision about whether or not a particular encryption key is valid. It’s certainly not perfect, but it’s better than no trust mechanism at all, which is exactly what OpenID has.
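To make the contrast between the two paragraphs above concrete, here is a small web-of-trust evaluator. It is an added illustration, not code from this post, from OpenID or from PGP/GnuPG. It uses made-up key holders (Alice, Bob, Mallory and friends) and a simplified version of PGP’s rules: a key is valid if I verified it myself, or if enough signatures on it come from keys that are themselves valid and that I have chosen to trust as introducers. The thresholds (one fully trusted signer, or three marginally trusted signers) are assumed for the example; GnuPG ships the same defaults, but the logic here is a toy. Mallory’s key, which carries only its own signature, plays the role of the self-asserting OpenID server: “I am who I say I am because I say so.”

```python
from collections import defaultdict

# Owner-trust levels I assign to keys I hold (simplified from PGP's scale).
FULL = "full"          # one signature from such a key validates another key
MARGINAL = "marginal"  # several marginally trusted signatures are needed


class Keyring:
    """Minimal web-of-trust evaluator (constructed illustration, not PGP code)."""

    def __init__(self, completes_needed=1, marginals_needed=3):
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.signatures = defaultdict(set)  # key id -> ids of keys that signed it
        self.owner_trust = {}               # key id -> FULL or MARGINAL
        self.verified = set()               # keys whose fingerprint I checked myself

    def add_signature(self, signed_key, signer_key):
        self.signatures[signed_key].add(signer_key)

    def verify_directly(self, key):
        self.verified.add(key)

    def set_owner_trust(self, key, level):
        self.owner_trust[key] = level

    def is_valid(self, key, _path=frozenset()):
        """Is this key the real key of the person it names, by my trust rules?"""
        if key in self.verified:
            return True
        if key in _path:            # break signature cycles (Alice<->Bob)
            return False
        path = _path | {key}
        # A self-signature proves nothing about identity: "I say so because I say so."
        signers = {s for s in self.signatures[key] if s != key}
        # Only signatures from keys that are themselves valid AND that I trust
        # as introducers count toward validity.
        full = sum(1 for s in signers
                   if self.owner_trust.get(s) == FULL and self.is_valid(s, path))
        marginal = sum(1 for s in signers
                       if self.owner_trust.get(s) == MARGINAL and self.is_valid(s, path))
        return full >= self.completes_needed or marginal >= self.marginals_needed


def build_example_ring():
    """Constructed scenario: who has signed whom, and whom I trust as an introducer."""
    ring = Keyring()
    # I checked Alice's fingerprint in person and trust her judgement fully.
    ring.verify_directly("alice")
    ring.set_owner_trust("alice", FULL)
    ring.add_signature("bob", "alice")          # Alice signed Bob's key
    ring.add_signature("mallory", "mallory")    # Mallory's key is only self-signed
    ring.add_signature("carol", "bob")          # Bob signed Carol, but I never made Bob an introducer
    # Three people I verified but trust only marginally as introducers.
    for k in ("dave", "erin", "frank"):
        ring.verify_directly(k)
        ring.set_owner_trust(k, MARGINAL)
    ring.add_signature("grace", "dave")         # two marginal signatures: not enough
    ring.add_signature("grace", "erin")
    for k in ("dave", "erin", "frank"):         # three marginal signatures: enough
        ring.add_signature("heidi", k)
    return ring


def validity_report(ring, keys):
    return {k: ring.is_valid(k) for k in keys}


if __name__ == "__main__":
    ring = build_example_ring()
    for key, ok in validity_report(
            ring, ["alice", "bob", "carol", "mallory", "grace", "heidi"]).items():
        print(f"{key:8s} {'valid' if ok else 'NOT valid'}")
```

The interesting lines of the output are Mallory and Carol: Mallory’s key is rejected because a key vouching for itself carries no weight, and Carol’s is rejected even though Bob’s signature on it is genuine, because trusting that a key is Bob’s is a separate decision from trusting Bob to vouch for others. That second decision is the part OpenID leaves out entirely.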
Am I overreacting to this or am I right?