Yahoo to embrace OpenID standard for validating users
In a move that will apparently open up its quarter-billion-user database to cross-platform username validation across Web sites, Yahoo announced this morning it is embracing the Web's most endorsed open validation standard.
"All Yahoo IDs will be OpenIDs on January 30," a Yahoo spokesperson confirmed to BetaNews late this morning, in a change-over that may elevate the whole issue of users' online identities to a new level.
Yahoo is calling its embrace of OpenID this morning a breakthrough in the field of Web user identity. Over the next few months, other Web sites that employ OpenID 2.0 validation, including all those not necessarily hosted by Yahoo, will be able to look to Yahoo as a validator of usernames.
What this means is, sites that employ their own databases of users would be able to rely on Yahoo as a repository for validating the existence of someone's digital identity. BetaNews doesn't use OpenID at present, but if we did, you'd be able to sign on here using Yahoo's URL as a backup (www.yahoo.com). The system would then look up your username against Yahoo's database rather than our own, using OpenID's protocol for cross-site validation requests.
The benefit for Web users, Yahoo believes, will be that you can set up one identity for yourself on Yahoo's servers, and then use that identity multiple places elsewhere. While this wouldn't exactly be "single sign-on" (you'd still be logging on elsewhere), you may not need to register your name, address, and other identifying information with other content providers that are willing to trust Yahoo, if you've already registered there once.
"Once you enable your Yahoo account for OpenID access, you can simply tell any OpenID enabled web site that you are a Yahoo user," reads a placeholder page that will become Yahoo's beta site for OpenID services on January 30. "You will be sent to Yahoo to verify your Yahoo ID and password and then signed in to the web site. It's that easy!"
For Web site proprietors, the OpenID Foundation already provides free code that they can add to their pages to enable the validation protocol. That code makes those sites into relying parties (RPs). Yahoo's spokesperson told us today that it will also be extending code to prospective RPs, enabling them to implement what will still be called "Yahoo IDs."
In addition, it will offer code to Web sites to enable them to show a seal of validation for users whose IDs are validated through Yahoo.
What today's announcement does not mean is an automatic sharing of users' identifying data between Yahoo and OpenID-compliant sites. Yahoo's spokesperson confirmed to BetaNews today that, at least on January 30, there will be no sharing of users' profile information between sites that employ OpenID and Yahoo.
Though Yahoo's own announcement refers to OpenID as an "authentication standard," from a technical standpoint, that's not what OpenID does. Specifically, it doesn't verify that you are who you say you are when you log onto a Web site. Though developers with the OpenID Foundation have expressed interest in providing tools to help authentication services and certification tools to use OpenID, they tend to distance themselves from that aspect of validation.
And while the Foundation has said it is actively building a way for sites to exchange profile information, in almost the same breath, it says that OpenID itself is not a means for doing that.
A "Potential Future Projects" page published by the Foundation currently includes the following: "While we don't necessarily want to get into the formal certification boat, this is likely to be useful for RP implementers [services that support OpenID relying parties] and OpenID directory services."
Yahoo's spokesperson told us that while no profile information from Yahoo's database will be shared between it and RPs, the company may in the future give users the option to allow RPs to retrieve profile data. In that regard, Yahoo ID could then become a "register-once" service that gives participating sites access to Yahoo's database of 248 million customers, by its current count.
And since the protocol is, as they say, "open," some are concerned that kind of access may be a tricky thing to secure in the future.
One of the principal complaints about the OpenID protocol until recently has been that it takes place essentially in the clear, using HTTP transport. Developer Tim Bray -- whose own employer, Sun Microsystems, is an active OpenID developer and proponent -- has expressed his skepticism on numerous occasions about the reliability and safety of an open mechanism with open access to a database people may wish weren't so open.
But Yahoo's spokesperson told BetaNews today that one reason Yahoo was eager to get behind the 2.0 version of the specification was that it will use SSL to secure the channel between the RP and the OpenID provider (OP).
If Yahoo's implementation of OpenID uses SSL, it could actually drive more OpenID providers to do so as well, especially since, as we discovered today, the 2.0 protocol document actually does not mandate that SSL be used in the validation transaction.
"In order to get protection from SSL, SSL must be used for all parts of the interaction, including interaction with the end user through the User-Agent. While the protocol does not require SSL be used, its use is strongly RECOMMENDED," reads the current 2.0.11 implementers' draft. "Current best practices dictate that an OP SHOULD use SSL, with a certificate signed by a trusted authority, to secure its Endpoint URL as well as the interactions with the end user's User-Agent. In addition, SSL, with a certificate signed by a trusted authority, SHOULD be used so that a Relying Party can fetch the end user's URL in a secure manner. Following its own security policies, a Relying Party MAY choose to not complete, or even begin, a transaction if SSL is not being correctly used at these various endpoints."
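As an added example (not code from the OpenID draft or from Yahoo), here is one way a relying party could apply the policy the draft permits: decline to begin a transaction unless the end user's URL, the OP Endpoint URL and the return URL all use SSL, and verify certificates against trusted authorities on its own fetches. The dictionary keys, function names and `.example` hosts are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

# The legs the draft names: the end user's URL fetched by the RP, the OP
# Endpoint URL, and the URL the User-Agent is sent back to (assumed key names).
LEGS = ("claimed_id", "op_endpoint", "return_to")


def leg_problem(url):
    """Return None if the URL fits a TLS-only policy, else a short reason."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "scheme is %r, not https" % parts.scheme
    if not parts.hostname:
        return "no host to match a certificate against"
    return None


def tls_violations(transaction):
    """Map each leg of a transaction (dict keyed by LEGS) to its problem, if any."""
    problems = {}
    for leg in LEGS:
        url = transaction.get(leg)
        reason = "missing" if not url else leg_problem(url)
        if reason:
            problems[leg] = reason
    return problems


def may_begin(transaction):
    """RP policy: SSL must cover every leg, so one plain-HTTP leg is a refusal."""
    return not tls_violations(transaction)


def verifying_context():
    """TLS context for RP fetches: CA chain and hostname are both checked."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


# Constructed sample transactions (placeholder hosts, not real endpoints).
GOOD = {"claimed_id": "https://op.example/user/alice",
        "op_endpoint": "https://op.example/openid/auth",
        "return_to": "https://rp.example/openid/return"}
MIXED = dict(GOOD, claimed_id="http://op.example/user/alice")

if __name__ == "__main__":
    for name, txn in (("GOOD", GOOD), ("MIXED", MIXED)):
        print(name, may_begin(txn), tls_violations(txn))
```

The `MIXED` case shows why the draft says SSL must be used for all parts of the interaction: a secured OP endpoint does not help if the end user's URL is still fetched over plain HTTP.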
All of a sudden, Yahoo will become the single largest implementer of OpenID anywhere in the world, with perhaps as much as two-thirds of its entries. Will this change the status of Yahoo within the OpenID Foundation? Yahoo's spokesperson declined to speculate, though a message this morning from the foundation's chairman, Scott Kveton, posted to Yahoo's corporate blog suggests more than just a change of atmosphere.
"I have never met a more committed set of people focused on doing 'the right thing' all the time," Kveton wrote. "In the coming months, the community will continue to formalize around the OpenID Foundation. It's the home of OpenID and a place for this community to thrive."