Eating My Words on OpenID
Between a private email from Aswath and other posts on OpenID, I have reconsidered my opinion on this. It may not be such a bad thing after all.
What really hit me in the shower this morning was how much OpenID is like SSL certificates. As you may or may not know, an SSL certificate is used when communicating with a website securely. SSL certificates can be used to authenticate the server you are talking to. Conversely, you can also use SSL certificates to authenticate yourself to the website, though that use is less common.
What’s cool about SSL is that anyone can make an SSL certificate. It does require the right tools, of course, but it can be done. Part of creating an SSL certificate is the signing process. An SSL certificate must be signed by someone, referred to as a signing authority, attesting that it is your certificate. What makes SSL more or less transparent to end users is that the root certificates of several common signing authorities are included in your web browser. That way, when you buy that used fuzzy bathrobe on eBay or that cool computer upgrade from NewEgg, “it just works.” You see the little lock icon in your browser, and you know it’s safe.
Of course, anyone can sign an SSL certificate. You can even sign it yourself if you’d like. When you hit a website with an SSL certificate signed by someone not in the browser, you get a rather confusing dialog saying “this website’s certificate is signed by someone you don’t trust.” Pity the poor, uneducated end user who has to make that call. For a test server or a server accessed by relatively few people, a self-signed certificate might be okay. For mass-market sites, however, you’re better off paying the Verisign Tax and getting a properly signed SSL certificate.
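To make the trust decision described above concrete, here is an added example (not from the original post) using only Go's standard library: it builds a toy "browser" trust store holding one root, then checks a server certificate signed by that root and a self-signed one for the same site. The names "Example Root CA" and "shop.example" are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name: self-signed when parent is nil,
// otherwise signed by parent's key, which plays the "signing authority".
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA key may sign other certificates
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// browserTrusts is the browser's call: does the server certificate chain to a root in the store?
func browserTrusts(store *x509.CertPool, server *x509.Certificate) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: store})
	return err == nil
}

// Demo puts one root in the "browser" store, then checks a server certificate signed by that
// root and a self-signed one. Returns (rootSignedTrusted, selfSignedTrusted).
func Demo() (bool, bool) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	store := x509.NewCertPool()
	store.AddCert(root) // the root that ships "in the browser"
	signed, _ := newCert("shop.example", false, root, rootKey)
	self, _ := newCert("shop.example", false, nil, nil)
	return browserTrusts(store, signed), browserTrusts(store, self)
}
```

The self-signed certificate fails only because its issuer is not in the store; adding it there (as a tester might for an internal server) makes it verify, which is exactly the decision the browser pushes onto the end user.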
Unlike with SSL certificates, the onus of deciding whose OpenID server to trust is moved to the operator of the website. One would hope that website operators are a little more intelligent about these things, but it’s still going to be a process that will have to get worked out. I think what will ultimately happen is that there will be a handful of OpenID “servers” that everyone will trust. Anyone will be able to set up their own OpenID server, but the default will be not to trust them and the website operator will have to make a choice to trust it or not.
While I agree that OpenID is certainly open, I see OpenID evolving in much the same way as SSL certificates have. What this ultimately means is that while anyone can create an OpenID server, there will only be a handful of servers that will be widely trusted.