Sun Identity Insights Sun Microsystems®

Insights from Inside

OpenID: The Latest News About Today's Hottest Identity Topic

By Eve Maler
Sun Technology Director in Business Alliances

OpenID is one of the hottest topics in identity today. Earlier this summer, InformationWeek published a story on OpenID and other digital ID frameworks, noting that millions of people have OpenIDs available to them today to streamline the way they identify themselves on the Web. This article will answer three fundamental questions about OpenID: What is it, why does Sun care about it, and why should you?

What Is OpenID?
In a nutshell, OpenID is a decentralized framework for digital identity that allows users to have one consistent identifier across lots of different Web applications, instead of a hundred different ones for different destinations online. A number of "Web 2.0" sites, such as the Ma.gnolia.com bookmarking service, are beginning to accept this new login method.

Here's how OpenID works in its simplest form: A user signs up with an OpenID provider to get a unique identifier (basically a Web address, or URL), and can then use that identifier as a username at any participating OpenID consumer Web site. The consumer site uses the identifier to route the user to the provider that issued the OpenID, which then confirms to the consumer site that the user associated with that identifier has successfully authenticated.

The OpenID system also allows the provider, with the user's authorization, to share selected pieces of user information with the consumer site (for example, the user's time zone and date of birth).

While OpenID may provide an easy on-ramp for simplifying the sign-on process, and may be attractive to new Web applications and communities, the very features that make it lightweight and easy to adopt also make it less well suited to higher-value transactions. For example, all user information that is shared through OpenID today is "self-asserted." In other words, there's no way to ascertain that the user didn't just make it up.
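The three-party exchange described above, and the point that shared attributes are only what the user typed, as an added simulation that is not part of this article or of Sun's provider. It is modelled loosely on OpenID 1.1 parameter names, but the identifier URLs, user database and pre-shared association secret are all constructed assumptions; the consumer's verification steps (signature, return address, one-time nonce) are the checks a relying party has to perform before trusting the assertion.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlparse
# Constructed example: consumer and provider share an association secret (real OpenID negotiates it).
ASSOC_SECRET = b"constructed-association-secret"
ASSOC_HANDLE = "assoc-1"
PROVIDER_USERS = {  # identifier URL -> (username, password) held by the provider (constructed)
    "http://openid.example.com/alice": ("alice", "correct horse"),
}
def kv_form(fields, signed):
    # Key-value form of the signed fields, in the order listed in openid.signed
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def hmac_sig(fields, signed):
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def consumer_start(identifier, return_to):
    """Consumer routes the user to the provider that issued the identifier (discovery assumed done)."""
    return {"openid.mode": "checkid_setup", "openid.identity": identifier,
            "openid.return_to": return_to, "openid.assoc_handle": ASSOC_HANDLE}

def provider_respond(req, username, password, sreg):
    """Provider checks the login and signs an assertion only if the identifier belongs to that user."""
    if PROVIDER_USERS.get(req["openid.identity"]) != (username, password):
        return {"openid.mode": "cancel"}
    resp = {"openid.mode": "id_res", "openid.identity": req["openid.identity"],
            "openid.return_to": req["openid.return_to"], "openid.assoc_handle": ASSOC_HANDLE}
    # Simple Registration attributes are signed too, but the provider only relays what the user typed
    resp.update({f"openid.sreg.{k}": v for k, v in sreg.items()})
    signed = ["mode", "identity", "return_to", "assoc_handle"] + [f"sreg.{k}" for k in sreg]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = hmac_sig(resp, signed)
    return resp

def consumer_finish(resp, expected_return_to, pending_nonces):
    """Consumer accepts the identifier only if the assertion is signed, addressed to it, and unreplayed."""
    if resp.get("openid.mode") != "id_res":
        return None
    signed = resp["openid.signed"].split(",")
    if not {"mode", "identity", "return_to"} <= set(signed):
        return None
    if not hmac.compare_digest(resp["openid.sig"], hmac_sig(resp, signed)):
        return None
    nonce = parse_qs(urlparse(resp["openid.return_to"]).query).get("nonce", [None])[0]
    if resp["openid.return_to"] != expected_return_to or nonce not in pending_nonces:
        return None
    pending_nonces.discard(nonce)  # one-time use, so a replayed assertion fails here
    attrs = {k[5:]: resp["openid." + k] for k in signed if k.startswith("sreg.")}
    return {"identifier": resp["openid.identity"], "self_asserted": attrs}
```

The returned attributes are deliberately labelled `self_asserted`: the signature proves the provider relayed them, not that they are true.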

That decreases its value to consumer sites that need more assurance, such as hospital systems for which self-asserted "doctor" status won't be good enough. Also, the freedom with which OpenID allows providers and consumers to communicate, without having negotiated a relationship beforehand, limits the trust that any one party — including the user — can place in any of the others. This presents special security risks.

Trust and security are the weakest links in the OpenID chain. And that's where Sun comes in.

What's the Connection Between Sun and OpenID?
Sun has launched a unique OpenID provider at http://openid.sun.com. Sun's provider is built on the latest of Sun's Open Source Identity Management projects; these include OpenSSO, on which the Sun Java System Access Manager and Federation Manager products are based, as well as OpenDS, which is providing Sun's next-generation directory services. Our provider allows Sun employees to sign up for OpenIDs and use them at OpenID consumer Web sites, which in turn redirect the users to the Sun OpenID provider site to be authenticated.

We believe this is the first offering of OpenIDs in a corporate IT environment, and the first to make an explicit commitment to conveying a further assurance to consumer sites, i.e., "This user is indeed a Sun employee." Consumer sites may find this assurance useful in personalizing their sites to different users.

We call this initiative OpenID@Work, and it is a way for Sun to start exploring this new technology — how it's working, where it might be used by Sun and its customers and partners, and how to combine its ease of use with "enterprise-strength" technologies to help make it applicable to a broader spectrum of challenges, particularly in business and IT where many applications have stringent privacy and data protection needs.

Our work with OpenID is just the latest example of Sun's commitment to interoperability across a range of identity protocols and standards wherever customers need this flexibility.

To assist in the process of evaluating whether Sun's many Web sites should accept OpenIDs, we are taking the opportunity to assess security concerns that may currently limit the framework's value in the business and IT arenas. We began with a formal security review earlier this summer, relying on the same team of experts that does security reviews for our customers' deployments. Sun is the first to take this important initial step in exploring additional security for OpenID.

What Does OpenID Mean for You?
OpenID has tremendous potential as a digital identity resource. All AOL users already have OpenIDs available to them, and Mozilla will soon be including OpenID support in Firefox. But before you can determine its value to you, you need to have a complete picture of where OpenID excels, and where it doesn't, in order to make informed decisions about whether it has a place in your private life or your business. As an OpenID provider, Sun is committed to keeping abreast of ongoing developments and advising you about them.

Keep in mind, too, that the OpenID technology framework is still being shaped. Sun is in a position to influence its development — and you're in a position to help us. Give us your thoughts on OpenID, and tell us what you'd like to see in this exciting new framework for digital identity. We're anxious to hear from you. Write us at openid-questions@sun.com.

Copyright Sun Microsystems, Inc.