Sun Tests the Waters With OpenID Over Tim Bray's Objections
The promise of the OpenID system is to let an individual have his or her user account recognized by multiple Web sites - a single sign-on for a community of content providers - while at the same time providing central repositories for that identity that can serve as certification centers. Yesterday, Sun Microsystems announced its intention to begin experimenting with OpenID by establishing one of its own trust providers for its 34,000 employees.
Meanwhile, Sun's own high-profile director of Web technologies, Tim Bray, continues to poke holes in the system's execution, enumerating what he perceives as fundamental flaws on his personal blog. One such problem with an OpenID, as Bray puts it, "is that, well, having one doesn't mean very much; just that you can verify that some server somewhere says it believes that the person operating the browser owns that ID."
Last February, Sun's own developer blogs passed along a video distributed on YouTube depicting the creation and use of an OpenID. At its core, it's an arbitrary username that will be associated with a uniform resource identifier (URI). That URI serves as the certifier for that username, responding when queried that the username does indeed exist. That username is reserved using a simple password.
And that's it. OpenID is not, as doomsayers have jumped to conclude, a universal identification system for names, addresses, and personal identification numbers. In fact, it's just the opposite: a way for an independent server to verify the existence of a username, which need not necessarily correspond to anyone's identity.
As the OpenID Foundation responds in one of its Web site's FAQs, "This is not a trust system. Trust requires identity first."
But tell that to Sun, whose OpenID support announcement yesterday included the following: "In order to explore the boundaries of OpenID as a trust system, Sun is offering an OpenID Provider service to its 34,000 employees. People using Sun-based OpenID identifiers at an OpenID-accepting website can convey in this simple and secure manner that they are indeed Sun employees, a piece of information that can enable access to employee discounts and unlock other special services all across the web."
Last February, after the news-sharing site Digg implemented its support for OpenID, Microsoft joined in as well, announcing it would work to integrate its CardSpace certification system with the open-source specification. CardSpace integrates with Windows Active Directory and authenticates explicit user profiles.
So is OpenID a profile authenticator or isn't it? According to the Foundation's documents, the answer is a definitive "maybe not." Right up front, the specifications suggest that OpenID is designed to be integrated into others' profile management systems, without mentioning Microsoft's by name: "The OpenID Authentication specification does not provide any mechanism to exchange profile information, though Consumers of an Identity can learn more about an End User from any public, semantically interesting documents linked thereunder (FOAF, RSS, Atom, vCARD, etc.). Extensions are being built on top of the foundation created by OpenID Authentication to provide mechanisms to exchange profile information."
The principle here is that OpenID doesn't represent user profiles, though it can vouch for a user whose profile is stored elsewhere, as long as that profile lists a URI that happens to be registered with an OpenID server.
And who gets to be an OpenID server? As Tim Bray discovered, literally anyone. "Unless I'm missing something," he wrote, "as a thought experiment I could set up a bogus OpenID server at http://www.tbray.org/silly-id/, and arrange that when queried about any OpenID whatsoever beginning with that URI, it instantly provided a positive response. For example, http://www.tbray.org/silly-id/BillGates or http://www.tbray.org/silly-id/PopeBenedictXVI. None of that nasty time-consuming authentication stuff."
All of which leads to perhaps the chief concern of the system's critics, and even one of its more vocal proponents: the possibility that OpenID would open up a Web-wide phishing expedition, with a capital "p."
One solution posited by developers is tying OpenID into a truly centralized repository of already ascertained identity, such as Yahoo's. But in so doing, that might make the integrity of the entire OpenID framework as reliable as that of Yahoo. If the integrity of OpenID then breaks down, would Yahoo be to blame?
Tim Bray suggests that OpenID could potentially become useful in a system where the problem of authenticating content was already solved. That might happen in a world, and on a Web, where transport layer security (TLS) was the order of the day.
"Just Do It," Bray suggests. "Create a culture where traffic is simply expected to be encrypted and secure for each step in the authentication chain. If there's anything in the protocol that makes this hard, fix it. Yes, anyone offering authentication services will have to own and manage a [certificate]. That is the entry-level price for me taking you seriously."
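What Bray's objection and his TLS rule look like from the relying party's side, as an added illustration that is not from the article, from Sun, or from any OpenID library: a provider's "yes" is treated as meaningless until the assertion is bound to the provider that discovery names for the identifier, every step runs over https, and the provider is one the site itself has chosen to trust. The trust list, the hostnames, and the already-computed signature result are assumptions.

```python
from urllib.parse import urlsplit

# Constructed trust list with hypothetical hostnames (not real services); the
# first entry plays the role of an employer-run provider like the one Sun
# describes, whose "yes" is worth more to a site offering employee discounts.
TRUSTED_PROVIDERS = {
    "openid.example-corp.test": "employee",
    "id.example-portal.test": "public",
}

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def evaluate_assertion(claimed_id, op_endpoint, discovered_endpoint, signature_valid):
    """Decide what a positive OpenID assertion is worth to the relying party.

    claimed_id          identifier the user typed, e.g. https://op/alice
    op_endpoint         provider endpoint named in the signed assertion
    discovered_endpoint endpoint the RP itself found by discovery on claimed_id
    signature_valid     result of checking the provider's signature (assumed done)

    Returns (verified, trust_level, reason).  'verified' means the assertion is
    authentic and came from the provider authoritative for the identifier;
    'trust_level' is the RP's own opinion of that provider, the only thing that
    turns "some server somewhere says so" into something the site can act on.
    """
    if not signature_valid:
        return False, None, "bad signature"
    # Bray's "Just Do It" rule: every step of the chain must be encrypted.
    for url in (claimed_id, op_endpoint, discovered_endpoint):
        if urlsplit(url).scheme != "https":
            return False, None, "cleartext step in authentication chain: " + url
    # A provider may only vouch for identifiers that discovery maps to it;
    # otherwise any server could assert any identifier whatsoever.
    if op_endpoint != discovered_endpoint:
        return False, None, "assertion endpoint does not match discovery"
    level = TRUSTED_PROVIDERS.get(_host(op_endpoint), "none")
    return True, level, "verified; vouched for by " + _host(op_endpoint)

def grants_employee_discount(result):
    """The business decision: only an employer-run provider's word counts."""
    verified, level, _ = result
    return verified and level == "employee"

if __name__ == "__main__":
    silly = "https://www.tbray.org/silly-id/"
    print(evaluate_assertion(silly + "BillGates", silly, silly, True))
```

Run stand-alone, the script shows the silly-id case as verified but with trust level "none", which is exactly Bray's point.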
Yesterday, Sun said it will now determine how to adapt its various servers for OpenID support "in an appropriate manner." That manner, the company implied, includes integration with what it's calling OpenDS, "the open-source project that is providing Sun's next-generation directory services." That would place Sun's OpenID integration project in competition with Microsoft's for CardSpace...and that might explain why Sun is not waiting for the world to change and adopt TLS before testing OpenID for itself, for whatever it might be worth.