<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: dumbnetworks</title><link href="http://simonwillison.net/" rel="alternate"/><link href="http://simonwillison.net/tags/dumbnetworks.atom" rel="self"/><id>http://simonwillison.net/</id><updated>2008-06-24T08:12:23+00:00</updated><author><name>Simon Willison</name></author><entry><title>The point of "Open" in OpenID</title><link href="https://simonwillison.net/2008/Jun/24/openid/#atom-tag" rel="alternate"/><published>2008-06-24T08:12:23+00:00</published><updated>2008-06-24T08:12:23+00:00</updated><id>https://simonwillison.net/2008/Jun/24/openid/#atom-tag</id><summary type="html">
    &lt;p&gt;TechCrunch report that &lt;a href="http://www.techcrunch.com/2008/06/23/microsofts-first-step-in-accepting-openid-signons-healthvault/"&gt;Microsoft are accepting OpenID&lt;/a&gt; for their new &lt;a href="http://www.healthvault.com/"&gt;HealthVault site&lt;/a&gt;, but with a catch: you can only use OpenIDs from two providers: &lt;a href="http://www.trustbearer.com/"&gt;Trustbearer&lt;/a&gt; (who offer two-factor authentication using a hardware token) and Verisign. "Whatever happened to the &lt;em&gt;Open&lt;/em&gt; in OpenID?", asks TechCrunch's Jason Kincaid.&lt;/p&gt;

&lt;p&gt;Microsoft's decision is a beautiful example of the Open in action, and I fully support it.&lt;/p&gt;

&lt;p&gt;You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then "proving" that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it's a &lt;a href="http://en.wikipedia.org/wiki/Dumb_network"&gt;dumb network&lt;/a&gt;: the protocol just concentrates on passing assertions around; it's up to the endpoints to set policies and invent interesting applications.&lt;/p&gt;

&lt;p&gt;Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to accept OpenID only from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components), they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used.&lt;/p&gt;

&lt;p&gt;HealthVault have clearly made this decision due to security concerns: not over the OpenID protocol itself, but over the providers that their users might choose to trust. By accepting OpenID on your site you are &lt;em&gt;outsourcing the security of your users&lt;/em&gt; to an unknown third party, and you can't guarantee that your users picked a good home for their OpenID. If you're a bank or a healthcare provider, that's not a risk you want to take; whitelisting providers that you have audited for security means you don't have to rule out OpenID entirely.&lt;/p&gt;

&lt;p&gt;I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a "forgotten password" feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider. If they don't (banks are a good example here), they should continue that policy decision and consider using an OpenID provider whitelist.&lt;/p&gt;

&lt;p&gt;I've been using the example of banks potentially accepting OpenID only from security audited providers in my &lt;a href="http://simonwillison.net/talks/openid/"&gt;talks on OpenID&lt;/a&gt; for at least the past year. Now I can finally provide a real-world example.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/dumbnetworks"&gt;dumbnetworks&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/healthvault"&gt;healthvault&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/microsoft"&gt;microsoft&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/open"&gt;open&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/techcrunch"&gt;techcrunch&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/trustbearer"&gt;trustbearer&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="dumbnetworks"/><category term="healthvault"/><category term="microsoft"/><category term="open"/><category term="openid"/><category term="security"/><category term="techcrunch"/><category term="trustbearer"/><category term="verisign"/></entry></feed>