openid trust model

Now that I’m starting to see it in practice with new version of WordPress, I’m a bit confused about the trust model of OpenID.  Especially OpenID implemented where any old OpenID server is accepted.

For instance, here on Ed’s blog reporting the unfortunate demise of, you need to be ‘logged in’ to post a comment. One way to log in is to use an OpenID server, any old OpenID server. I happened to remember that this very blog on can now function as an OpenID server. So I enter “” into the OpenID box.

I’m then redirected to a page from that informs me that has asked for identity information, and asks me if I’m willing for that identity information to be shared with  So far so good. But here’s the kicker, it then lets me enter whatever information I want for my realname/email to be shared with I can enter anything I want, and the OpenID server at will dutifully share that identity information with

How is this identity information any more reliable in any way than if the blog just had me enter my info from the start?

I guess’s implementation that let’s you enter arbitrary identity information is a useful reminder that this kind of OpenID use doesn’t in fact give you any more reliable identity.

Although I guess it does do a few things. It does give me a ‘single sign-on’, where I can get an ‘account’ on foreign servers without having to remember yet another password.  Although I’m not too interested in that for random blogs I have no need to have a persistent account on. I guess also, once I’ve set up the openID connection and told my OpenID provider that it’s free to share info with a foreign site, it keeps me from having to type in my name/email/website over and over again to leave subsequent comments on the site. Although cookies and firefox auto-complete have always served me fine there, I guess it’s a slight convenience to have this information ‘saved’ accross my different machines and web browsers.

And, I guess as far as trust, if the foreign blog where I leave a comment (in this case records that my identity was confirmed by the OpenID server at, then it says that the owner of authorized the commenter to identify him or herself as… whatever arbitrary thing they typed in. I guess that is some kind of additional information useful to determining trust.

So I guess it does provide something. But I have a feeling that some people who don’t think this through are going to think OpenID used in this way is providing more than it really is.

[ An OpenID-consuming service which restricted users to using only certain OpenID identity servers, which were trusted by the service, that would be providing some level of trust.]


4 thoughts on “openid trust model”

  1. Yup, OpenID is just the start of something interesting here.

    It lets you link your online actions to long-lived or transitory accounts. In this case, by posting from an OpenID that is your blog, a fairly simple check gives interesting metadata:


    This used the Perl module for checking google pagerank. Using pagerank alone would be regretable; but it is one of several datasources available.

    Here is the Google Social Graph API results:

    They seem to think you’re Ian Davis. I guess you’re not. Oopsie.

    Garlik’s QDos doesn’t find anything either –

    Sindice finds a few hits but I’m unsure how to interpret them. Perhaps they could be taken as evidence that you’ve previously made posts that were accepted past human spam filters.

    Other possible ingredients might include evidence that you’ve posted successfully to wikis from this OpenID, or that people list it (or linked accounts) in their buddylists (via FOAF, XFN etc.).

  2. Although thinking yet more about this, I’m again even more confused/skeptical.

    The only way OpenID can work like Dan describes, to tie all my various actions to a single identity—is if the viewer can _trust_ that everyone identifying themselves as an OpenID URI really is authorized to do that. But there’s no method for a _third party observer_ to verify that built into OpenID. Ed’s blog verifies that I’m authorized to use the OpenID before allowing me to do so, sure. But as a third party observer, I’ve got to just trust that Ed’s blog does that. If I’m using things like google pagerank to get aggregate data about every place an OpenID URI has been used—I’ve just got to trust that the owners of ALL of those places appropriately verified OpenID use.

    I’m still confused about the trust model going on here.

  3. Multiply the amount you trust my blog/wiki to be sensibly configured, by the “isn’t a spammer” rating implicit in whatever data you find about it in my blog.

    If you think I’ve probably done no checks, anything I say gets a zero. If you think I run a paranoid, battlehardened anti-spam site, then if I republish a user comment, chances are that it checks out as from a human.

    I’m not proposing a precise algorithm here, just suggesting we’ll start to see this kind of evidence-oriented calculation emerge…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s