So this morning I wake up to this post by Stefan Brands ragging on OpenID. While he has raised some valid concerns, he seems to have been happy writing a slam piece while ignoring the work which is underway to resolve them. I'm amused that his conclusion is,
"OpenID is pretty much useless," considering OpenID continues to see amazing adoption by large companies like VeriSign, AOL, SUN, Daum, Reebok, Novell, and Sony, adding to adoption by the Web 2.0 and Open Source worlds with companies and projects like Technorati, Six Apart, WordPress, Ma.gnolia.com, 37Signals, 43Things, Plaxo, Plone, Drupal, Rails, etc. MyOpenID.com also maintains a directory of a fraction of the approximately 5,000 OpenID-enabled Relying Parties, a number which continues to grow by about twenty sites every day! Maybe all of those sites and projects are "useless", but last I checked they power a large part of the Internet.
Yes, phishing is a problem with PayPal, Google AuthSub, Yahoo! BBAuth, AOL OpenAuth, and OpenID. All of these protocols start with a user at a potentially untrusted site who is then redirected to a trusted site where they are supposed to enter their credentials. While OpenID may make this worse, it does allow for an easier method to better protect your account(s) compared to email today, where if someone were to break into my GMail account they could use "forgotten password" links to compromise all of my accounts. In this case I have no option but to use only a password when logging into my email provider, whereas many OpenID providers are already showcasing alternative, stronger means.
As Stefan seems to have forgotten to quote, Kim Cameron continues:
We can eliminate this attack if the user employs Cardspace (or some other identity selector) to log in to the Identity Provider.
So is this just like saying, you can fix OpenID if you replace it with Cardspace? Absolutely not. In this proposal, the relying parties continue to use OpenID in its current form, so we have a very nice lightweight solution. Meanwhile Cardspace is used at the identity provider to keep credentials from being stolen. So the best aspects of OpenID are retained.
As one example, VeriSign has already integrated managed Information Cards into the Personal Identity Provider, allowing users to use CardSpace with their OpenID accounts. This is in addition to the integration with the VeriSign Identity Protection network, which allows the use of hardware one-time password tokens sold by companies like PayPal.
This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. Why else would Verisign be in this game, for example? Or, indeed, Microsoft? Or IBM, HP and T-Mobile?
Finally, if I might go all Slashdot on you for a moment, from the light-at-the-end-of-the-tunnel department, David Recordon of Verisign Labs (and an editor of the OpenID specs) says, "we'd love to spend time working with you to figure out what it would take to resolve your issues with the spec. With that said, I really do think that it will come from browser plugins and such." which is nice. I will accept.
Stefan also ignores work to make this happen, such as the OpenID SeatBelt Firefox add-on, which VeriSign developed and which integrates with multiple OpenID providers beyond just their own, including AOL, MyOpenID.com, and XLogon.net.
Stefan goes on to quote Eugene and Vladimir Tsyrklevich from a recent Black Hat presentation, though he blatantly ignores their conclusion:
Whilst this paper has presented a number of attacks against OpenID, it still remains the only viable option for the Internet-wide SSO system. Some of the attacks presented are either partially solved already or can be solved with relative ease. Other attacks such as phishing and the redirect attack require further thought. However, it is our belief that OpenID can be made secure.
Unfortunately it only goes downhill from here. Stefan quotes Allen Tom about concerns he had with OpenID 2.0. Stefan fails to point out that the email he quoted is from May, and that all of the issues Allen raised have since been resolved in the latest draft of OpenID Authentication 2.0, because Allen worked with the community to resolve them.
Stefan then concludes his slanted discussion of OpenID security issues with,
Note: this is exactly what Credentica's technology does.
While I could go on with the rest of the FUD in his post, I'd rather ask why he feels it is better to rag on OpenID than to act like the people he quotes, including Kim Cameron, Ben Laurie, the Tsyrklevich brothers, and others, who are working with the OpenID community to help resolve these issues. This is especially true in Kim's case, where the technology he has created can help to resolve these concerns. Considering Stefan says Credentica's technology could be another possible solution to these problems, why isn't Stefan instead working to make that a reality?