This interview was recorded at the Future of Web Apps conference in London, February 2007.
Simon Willison talks to journalist Bobbie Johnson for Vitamin
VITAMIN: Can you just run through exactly what OpenID is?
Simon Willison: OpenID is a decentralised system for single sign-on. So it lets you have one user account that you can use to log into lots of different sites. The thing that makes OpenID special compared to, say, Passport or Typekey or other things that have gone before, is that with OpenID you get to decide where your identity is hosted. You can host it with Six Apart, or you can host it with AOL, or you can host it yourself. The standard, the technology, keeps on working no matter where you've put it, so you can even switch providers and say "actually, I used to be hosted with Six Apart and now I want to host it on my own" – you can do that and your login keeps working.
VITAMIN: So what is the fundamental problem that it solves?
SW: Everyone has too many user accounts. I've got dozens and dozens of user accounts on sites that I use – some I use on a daily basis, some on a monthly basis. Managing all of those usernames and passwords is just incredibly difficult. Everyone knows that you should use a different password for every service, because otherwise one service gets cracked and you lose everything – but of course nobody does that, because managing two or three passwords is enough work for most people.
VITAMIN: So I create an OpenID and associate it with other identities I have around the place, and the sign-on procedure becomes basically non-existent?
SW: Exactly. In fact, if you've got an AOL messenger account already then you have an OpenID – it will be openid.aol.com/ and then your screenname. But the idea is that you find applications that support OpenID (this is currently quite a small list but it's growing all the time), and you can then sign into those with your OpenID, potentially merge that with an existing user account or create a brand new user account, and just continue using the application without any further hassle.
VITAMIN: Support is growing quickly. How is the take-up growing?
SW: The problem OpenID has is that there are two sides to OpenID: there are OpenID servers, the places that will give you an OpenID, and there are consumers, the sites you can actually log in to. And of course everyone wants to be a provider, because it feels great to have lots of user accounts, and loads of people have big user account databases that they can open up. But people are much more cautious about being a consumer because it's a lot less well understood what that actually implies. So it's all about the benefits of being a consumer and the sorts of things you can start to do once you let people log in to your site with an OpenID.
VITAMIN: Can you give us some examples?
SW: The obvious one is that you get linked to from digg or TechCrunch and people click through to your brand new Web 2.0 service; then it asks them to create an account and half of them just walk off because they don't want to create another throwaway account just to try out your service. If you support OpenID you can instantly get a much larger signup rate because you've got a whole bunch of early adopters – especially if digg is supporting OpenID, anyone who comes from digg has got an OpenID there already, so you get lots more people trying out your service.
So that's the really simple case, but looking further ahead what's really exciting is the stuff you can do to innovate around OpenID. So you might find that if you let people log into your service with OpenID and they're logged into other services as well, you've got a bridge between those two services. You can say "well, you're logged into this bookmark service, but because you used your OpenID for your photo service as well we can start combining your photographs and your links" – we can start doing clever things like that.
VITAMIN: Would people be able to bring their different social networking identities together as well?
SW: OpenID actually does very little; it just solves the authentication problem. But it's designed as a small component of a larger ecosystem, so you could build friend import and friend export on top of OpenID. You log into a site with your LiveJournal ID and the site then goes to LiveJournal and says "hey, who does this person have down as their friends?". And if those people are present in that site's system then it can set up friend relationships there. So there's potential for people to start building social networks that exist outside of the silos of individual sites, sort of decentralised social networks. First people need to start using OpenID and then they can start building on top of it.
VITAMIN: So is this something which is finished and ready to go, or is it still in development?
SW: OpenID works today, and actually the current version of the spec that's being implemented is OpenID 1.1. There's talk of developing OpenID 2, which covers a larger amount of ground and is under active development on the mailing list – but for all intents and purposes it's ready for people to start using it, it's ready to roll out.
VITAMIN: And you've now got some pretty big backers like AOL – have you heard any feedback?
SW: That's an interesting question. Obviously the big names that are getting involved are AOL, who have actually launched – they've made 68 million AOL user accounts available as OpenIDs, which is huge – and Microsoft, who had Bill Gates make a big announcement at the RSA conference saying that Microsoft planned to integrate their CardSpace client-based identity solution with OpenID. I think that's something that's looking ahead to OpenID 2, but AOL's commitment is right now – they've already started supporting it.
VITAMIN: But you've talked before about the problems and gaps that are still in OpenID. Can you explain some more about those?
SW: The biggest problem OpenID has is just in terms of explaining itself. That's not inherent to the spec, it's something that's difficult to explain to people – but people are already starting to make the effort to do that. So the problem that everyone talks about, and the one that's a really legitimate concern, is phishing. With OpenID, because you're going to an untrusted site and trying to log in, it redirects you to your identity provider. But of course it could also redirect you to an impersonation of your identity provider, and if you weren't paying attention you could have your account stolen. So the OpenID community's been looking at a whole bunch of solutions to that, and this is where Microsoft and CardSpace come in, to try and come up with a solution to phishing. In the end, my opinion is that phishing will become a competitive area between different providers, so when you're picking your provider you might look at what measures they have in place to help protect you from phishing attacks and use that to help influence your decision.
VITAMIN: So although OpenID has a weakness in it, you think it's the job of other providers to come up with a real solution?
SW: I think it's something that OpenID providers have to start tackling, but of course phishing is a problem that everyone on the web has, and it's incredibly difficult to take on. They do academic studies against phishing protection and find that 90 per cent of people don't even notice that the phishing protection is there. So it's really a problem for the whole industry, and OpenID is actually benefiting from the amount of effort people are putting into solving this.
VITAMIN: So how easy is it for developers or service providers to implement it? Why would they?
SW: So the reason you want to do it is that you want more users, more people trying your stuff – and you want to make life better for the people who are using your service, you want to make it easier for them to manage their account with you. From the point of view of implementing stuff, there are libraries available to do all of the tough encryption side of things for PHP, for Python, for Ruby, for Java and for ASP.net as well – so any web environment that you're working with has probably got libraries, relatively mature libraries, for integrating OpenID functionality already. It's just a case of finding the library, reading the documentation and gluing it into your existing accounts system.