Now that I’m starting to see it in practice with the new version of WordPress, I’m a bit confused about the trust model of OpenID. Especially OpenID as implemented where any old OpenID server is accepted.
For instance, here on Ed’s blog reporting the unfortunate demise of lcsh.info, you need to be ‘logged in’ to post a comment. One way to log in is to use an OpenID server, any old OpenID server. I happened to remember that this very blog on wordpress.com can now function as an OpenID server. So I enter “https://bibwild.wordpress.com” into the OpenID box.
I’m then redirected to a page from wordpress.com that informs me that lcsh.info has asked for identity information, and asks me if I’m willing for that identity information to be shared with lcsh.info. So far so good. But here’s the kicker, it then lets me enter whatever information I want for my realname/email to be shared with lcsh.info. I can enter anything I want, and the OpenID server at wordpress.com will dutifully share that identity information with lcsh.info.
How is this identity information any more reliable in any way than if the lcsh.info blog just had me enter my info from the start?
I guess wordpress.com’s implementation that lets you enter arbitrary identity information is a useful reminder that this kind of OpenID use doesn’t in fact give you any more reliable identity.
Although I guess it does do a few things. It does give me a ‘single sign-on’, where I can get an ‘account’ on foreign servers without having to remember yet another password. Although I’m not too interested in that for random blogs I have no need to have a persistent account on. I guess also, once I’ve set up the OpenID connection and told my wordpress.com OpenID provider that it’s free to share info with a foreign site, it keeps me from having to type in my name/email/website over and over again to leave subsequent comments on the site. Although cookies and Firefox auto-complete have always served me fine there, I guess it’s a slight convenience to have this information ‘saved’ across my different machines and web browsers.
And, I guess as far as trust, if the foreign blog where I leave a comment (in this case lcsh.info) records that my identity was confirmed by the OpenID server at https://bibwild.wordpress.com, then it says that the owner of https://bibwild.wordpress.com authorized the commenter to identify him or herself as… whatever arbitrary thing they typed in. I guess that is some kind of additional information useful to determining trust.
So I guess it does provide something. But I have a feeling that some people who don’t think this through are going to think OpenID used in this way is providing more than it really is.
[An OpenID-consuming service which restricted users to only certain OpenID identity servers trusted by the service would be providing some level of trust.]
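To make the distinction in the last few paragraphs concrete from the consuming site’s side, here is an added example (not code from this post, from WordPress, or from any OpenID library) of what a relying party can and cannot take away from a positive OpenID assertion. It splits the response into what the OpenID server actually vouched for (the claimed identifier URL and which server endorsed it, both under the server’s signature) and what it merely relayed (the sreg name/email fields, which the server signs as typed, so they are a claim by whoever was at the keyboard), and it applies the bracketed idea above as an allowlist of trusted server endpoints. The MAC key, the endpoint URLs, the assertion itself and the use of HMAC-SHA256 are all constructed assumptions; the association step that would establish the key, the return_to and nonce checks, and discovery on the claimed identifier are omitted.

```python
"""Relying-party view of an OpenID 2.0 positive assertion.

Added example, not the post's or WordPress's code. Everything below is
constructed: the MAC key (a real one is negotiated in an association
request, not performed here), the endpoints, and the assertion.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed shared secret standing in for the association MAC key.
MAC_KEY = b"constructed-association-mac-key"

# Hypothetical policy: only assertions from these OpenID servers count.
TRUSTED_OP_ENDPOINTS = {"https://op.example.org/openid"}

SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle", "sreg.nickname", "sreg.email"]


def key_value_form(params, signed_fields):
    """OpenID 2.0 signs the Key-Value Form of the listed fields: one
    'key:value\\n' line per field, keys without the 'openid.' prefix."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def sign(params, signed_fields, mac_key):
    # HMAC-SHA256 is assumed here (the HMAC-SHA256 association type).
    mac = hmac.new(mac_key, key_value_form(params, signed_fields), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_assertion(op_endpoint, claimed_id, sreg, mac_key=MAC_KEY):
    """The server's side, constructed for the example: it signs the sreg
    fields exactly as the user typed them, which is all the post saw
    wordpress.com do. Not a captured wordpress.com response."""
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example.net/comment",
        "openid.response_nonce": "2009-03-19T12:00:00Zabc123",
        "openid.assoc_handle": "constructed-handle",
        "openid.sreg.nickname": sreg.get("nickname", ""),
        "openid.sreg.email": sreg.get("email", ""),
    }
    params["openid.signed"] = ",".join(SIGNED_FIELDS)
    params["openid.sig"] = sign(params, SIGNED_FIELDS, mac_key)
    return urlencode(params)


def verify_assertion(query, mac_key=MAC_KEY, trusted_ops=TRUSTED_OP_ENDPOINTS):
    """Returns what the relying party may rely on, and why, for one response."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if params.get("openid.mode") != "id_res":
        return {"accepted": False, "reason": "not a positive assertion"}
    signed = params.get("openid.signed", "").split(",")
    # The identifier and the endorsing server are meaningless unless signed.
    if not {"op_endpoint", "claimed_id"} <= set(signed):
        return {"accepted": False, "reason": "identifier or endpoint unsigned"}
    try:
        expected = sign(params, signed, mac_key)
    except KeyError:
        return {"accepted": False, "reason": "signed field missing"}
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return {"accepted": False, "reason": "bad signature"}
    op = params["openid.op_endpoint"]
    return {
        "accepted": op in trusted_ops,
        "reason": "ok" if op in trusted_ops else "OpenID server not on the trusted list",
        # Vouched for by the server: the owner of this URL approved the login.
        "verified": {"claimed_id": params["openid.claimed_id"], "op_endpoint": op},
        # Signed too, but only as "whatever the user typed": a claim, not a fact.
        "self_asserted": {k[len("openid.sreg."):]: v
                          for k, v in params.items() if k.startswith("openid.sreg.")},
    }
```

The point of the split return value is that the two halves deserve different treatment: the `verified` part is what a comment can be tied to (the OpenID URL, and which server said so), while the `self_asserted` part is no better than a form the commenter filled in directly. A server not on the list is rejected before any of that matters.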