Web Forefront

What is interesting about OpenID is that there is no central authority to manage credentials -- like Passport done by Microsoft or blogging systems which have their own central authority -- in essence you are free to park your identity on a third party server or your own.

Identity management in OpenID is done through URL's, which are later used as your credential's to prove your identity to any site that supports OpenID. The actual use of something other than an email as an identity -- such as a URL -- is nothing new, since multiple weblog platforms offer such approaches, it's the decentralized design of OpenID that makes it different.

There is however something that OpenID does not tackle : Trust. Having the capability of storing your credentials where ever you want may give you a sense of control, but it brings up the possibility of rogue users replicating this same information. In other words, identity service brokers -- websites -- have to take your word that your are who you say you are, since there is no central authority they can trust to tell them otherwise, hence, in the case of malicious users, its simply your word against theirs.

Although the use of a central authority is paramount to trust, and is the basis for other widely distributed Internet services like web certificates (SSL), OpenID clearly states it's not a trust system, but simply a decentralized identity system.

Whether or not OpenID will gain the necessary traction to be widely deployed on websites is yet to be seen, but its a step in the right direction offering a truly decentralized identity system, even if it lacks a trust layer in its design.

Update: A little bit over two years -- Jan '07 -- after this original entry , seems OpenID has hit the mainstream: Yahoo has adopted the technique http://openid.yahoo.com/ , and there is talk of IBM, Google and Verisign also taking similar OpenID steps.