Tuesday, May 6, 2008

Open to suggestions

I've been playing around with OpenID a little lately. It's an open authentication protocol started by the guy who created LiveJournal, Brad Fitzpatrick, that... well, to say it “de-centralizes” the authentication hierarchy isn't quite right; more like it re-centralizes it in my (and your) favor.

Every new site that comes around, it's the same thing: username, name, DOB, vital statistics, email address, email address again, confirmation email to activate.  Besides the fact that it's just tedious, who really wants to give out all that personal information just to look at pictures of baby bears in cute hats or to post a single comment on a blog you'll never read again*?  Without getting too deep into the guts of the process, OpenID's big idea is to replace those accounts with a single guarantor; just provide the URL and let it vouch for your identity.  It's done securely and elegantly, and, since the method of authentication is strictly between you and your OpenID Provider, it's very flexible.

Adoption around the web has been picking up momentum, although, to be fair, the bigger sites have put slightly more effort into being providers than they have into accepting OpenIDs.  I'm looking at you Flickr Yahoo Microsoft Yahoo!  It's great that there are a lot of options out there, since you can maintain a consistent identity URL even if you change providers.  Basically you can point to your provider in the header of your own web page and use your own web page as your URL.
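To make the "point to your provider in the header" step concrete, here is an added example (not from the original post or from phpMyID) that audits an identity page's delegation links. It reads the `openid.server`/`openid.delegate` (OpenID 1.1) and `openid2.provider`/`openid2.local_id` (OpenID 2.0) `<link>` elements from `<head>`; the host names and the `discover` helper are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used for HTML discovery in OpenID 1.1 and 2.0, merged for this audit
RELS = {"openid.server": "server", "openid.delegate": "delegate",
        "openid2.provider": "server", "openid2.local_id": "delegate"}

class HeadLinks(HTMLParser):
    """Collect OpenID <link> elements, counting only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may carry several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(RELS[rel], a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html):
    """Return (links, warnings) describing who an identity page delegates to."""
    parser = HeadLinks()
    parser.feed(html)
    warnings = []
    if "server" not in parser.found:
        warnings.append("no provider endpoint declared in <head>")
    for role, url in sorted(parser.found.items()):
        if urlparse(url).scheme != "https":
            warnings.append(f"{role} URL is not https: {url}")
    return parser.found, warnings

# Constructed identity page; every host name here is a placeholder.
SAMPLE = """<html><head><title>me</title>
<link rel="openid.server" href="https://id.example/openid/">
<link rel="openid.delegate" href="https://id.example/openid/">
</head><body>
<link rel="openid.server" href="http://other.example/">
</body></html>"""

if __name__ == "__main__":
    print(discover(SAMPLE))
```

Whoever can edit that `<head>` decides which provider vouches for the URL, so the page deserves the same protection as the provider itself.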

But why go with a provider at all?  If handing out private information to everybody is bad and handing it out to just one site is better, keeping it, well, private should be best.  This is where OpenID really appeals to me, because choosing my own provider means I can choose my favorite provider: me!  Why shouldn't I be the ultimate arbiter of my identity online?  

So, I was led, via a tutorial by Sam Ruby, to a very lightweight OpenID server called phpMyID.  The Sam Ruby tutorial is a little out of date now, but the documentation that comes with phpMyID really has all you need to know to set it up on your web server.  It's single-user only, but you can get around that by just putting it in two different directories on your server.  I set up two subdomains to keep the URLs memorable, http://anne.edison-albright.com and http://sean.edison-albright.com.     

The whole thing raises a question for me, on which I welcome your input.  I'm starting to test out OpenID on sites where I don't have or don't maintain a membership, like LJ.  (Speaking of which, I'll be re-friending people as sean.edison-albright.com, please reciprocate!)  But what about sites where I have an active presence?  I'd love to have a consistent identity across the web, but that would mean, among other things, commenting on this blog with a different identity than I use to update it.  The ideal solution would be to allow me to bind my OpenID to those existing accounts, to create a hard association between this blog's id, novelgazer, (which is ultimately tied to a Google identity) and my OpenID in some sort of semipermanent way.  Some sites, but seemingly very few so far, allow this.  So, until sites start offering the option, if they ever do, what's the best strategy?  

*(And what will UrsiKnittr.com do with my blood type when they're bought by Rupert Murdoch?)
