<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Max says... &#187; OpenID</title>
	<atom:link href="http://maxmanders.co.uk/category/openid/feed/" rel="self" type="application/rss+xml" />
	<link>http://maxmanders.co.uk</link>
	<description>thoughts of a web developer</description>
	<lastBuildDate>Wed, 08 Sep 2010 22:47:40 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>EdLUG Talk &#8211; An Introduction to OpenID</title>
		<link>http://maxmanders.co.uk/openid/edlug-talk-an-introduction-to-openid/</link>
		<comments>http://maxmanders.co.uk/openid/edlug-talk-an-introduction-to-openid/#comments</comments>
		<pubDate>Sat, 03 Nov 2007 17:18:42 +0000</pubDate>
		<dc:creator>maxmanders</dc:creator>
				<category><![CDATA[OpenID]]></category>

		<guid isPermaLink="false">http://maxmanders.co.uk/openid/edlug-talk-an-introduction-to-openid/</guid>
		<description><![CDATA[On Thursday 01 November I gave a brief talk titled &#8220;An Introduction to OpenID&#8221; at the monthly EdLUG meeting.  The slides for the talk are available on Slideshare.  It seemed to go well despite my fear of public speaking.  A few questions were put to me, some of which I could answer. The few I [...]]]></description>
			<content:encoded><![CDATA[<p>On Thursday 01 November I gave a brief talk titled &#8220;An Introduction to OpenID&#8221; at the monthly EdLUG meeting.  The <a href="http://www.slideshare.net/maxmanders/an-introduction-to-openid" title="An Introduction to OpenID (Slides).">slides for the talk</a> are available on Slideshare.  It seemed to go well despite my fear of public speaking.  A few questions were put to me, some of which I could answer.</p>
<p>The few I couldn&#8217;t answer were mainly regarding the specifics of the OpenID authentication process.  Perhaps it was nerves, but in hindsight I realise I knew the answer all along.  I was asked if OpenID could tie into Kerberos or PAM.  This is really down to how one chooses to implement the standard.</p>
<p>The OpenID specifications state that at some point authentication must be performed with the Identity Provider.  However, the details of how this authentication must be performed are purposefully not specified and instead left up to the implementor.  So in answer to the questions, yes you can use Kerberos or PAM in the authentication process, but it&#8217;s up to you to tie it all together.  In fact, traditional username/password combinations need not be used.  If one so chooses, secure fobs or biometrics could indeed be used; it&#8217;s up to you!</p>
]]></content:encoded>
			<wfw:commentRss>http://maxmanders.co.uk/openid/edlug-talk-an-introduction-to-openid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Use Your Own URL As An OpenID</title>
		<link>http://maxmanders.co.uk/development/use-your-own-url-asn-an-openid/</link>
		<comments>http://maxmanders.co.uk/development/use-your-own-url-asn-an-openid/#comments</comments>
		<pubDate>Thu, 01 Mar 2007 11:30:04 +0000</pubDate>
		<dc:creator>maxmanders</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[OpenID]]></category>

		<guid isPermaLink="false">http://maxmanders.co.uk/blog/development/use-your-own-url-asn-an-openid/</guid>
		<description><![CDATA[You may already have an OpenID from one of the many providers, for example username.myopenid.com. Wouldn&#8217;t it be nice if you could use your own domain name instead? Well you can! You may not actually host an identity provider capable of vouching for your ownership of your own domain, but you can always get username.myopenid.com [...]]]></description>
			<content:encoded><![CDATA[<p>You may already have an OpenID from one of the many providers, for example <em>username.myopenid.com</em>.  Wouldn&#8217;t it be nice if you could use your own domain name instead?  Well you can!  You may not actually host an identity provider capable of vouching for your ownership of your own domain, but you can always get <em>username.myopenid.com</em> to vouch for you.</p>
<p>This process is called delegation.  You use your own domain name as your OpenID, but add some extra markup to the head element of your homepage that tells the relying party that you are delegating the responsibility of authentication to another server.  The markup you need is:</p>
<pre lang="html4strict">
<link href="http://www.myopenid.com/server" rel="openid.server" />
<link href="http://username.myopenid.com/" rel="openid.delegate" />
<meta http-equiv="X-XRDS-Location" content="http://yoururl.myopenid.com/xrds" /></pre>
<p>This will tell the relying party that it should instead visit <em>username.myopenid.com</em>.  You will then authenticate to this delegate server.  Once successful, by implication of having authenticated to the delegate server, you have also proved that you own the domain from which you were directed.</p>
<p>The link tags are used for OpenID 1.x server discovery, and the meta tag for OpenID 2.x server discovery.  In order to be as compatible with OpenID consumers as possible, you should use both link and meta elements.</p>
]]></content:encoded>
			<wfw:commentRss>http://maxmanders.co.uk/development/use-your-own-url-asn-an-openid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenID: Decentralised User-Centric Identity Management</title>
		<link>http://maxmanders.co.uk/technology/openid-decentralised-user-centric-idenity-management/</link>
		<comments>http://maxmanders.co.uk/technology/openid-decentralised-user-centric-idenity-management/#comments</comments>
		<pubDate>Wed, 21 Feb 2007 10:12:50 +0000</pubDate>
		<dc:creator>maxmanders</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[OpenID]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://maxmanders.co.uk/blog/technology/openid-decentralised-user-centric-idenity-management/</guid>
		<description><![CDATA[We sign up to more and more services online every day. This often involves remembering multiple, often similar (in the case of username1984, user_name_84 etc) usernames and passwords. A solution to this is so-called single sign-on, whereby you use only a single identity such as a Microsoft Passport or a Yahoo! username. The problem [...]]]></description>
			<content:encoded><![CDATA[<p>We sign up to more and more services online every day.  This often involves remembering multiple, often similar (in the case of username1984, user_name_84 etc) usernames and passwords.  A solution to this is so-called single sign-on, whereby you use only a single identity such as a Microsoft Passport or a Yahoo! username.  The problem with this solution is that you can find yourself tied in to one large company&#8217;s services.</p>
<p>If you already have a Microsoft Passport, you are unlikely to want to create a Yahoo! account to use their services as this would involve going through a sign up process, replicating friends lists and so on from one provider to the other etc.  Besides, I don&#8217;t know about anyone else but I don&#8217;t like the idea of some large company controlling my identity: storing my username; hashed password and other details.  It would be better if I could arbitrarily choose who controlled my identity, or even better, control it myself.  This is where OpenID comes in.<span id="more-33"></span></p>
<p>Initially created as part of LiveJournal, OpenID is a decentralised user-centric identity management framework.  What this jargon essentially means is that you decide who controls your identity &#8211; and there are many places that offer this service.  You can even do it yourself.  An OpenID has to be unique, so the ID would usually be a domain you control, or some other ID provider that would offer an ID like <strong>http://username.serviceprovider.com</strong>.</p>
<p>A traditional web application sign up process would involve completing a form where you select a username; select a password and re-enter it; enter your email address and often verify using email or a CAPTCHA.  You could instead specify your OpenID and forget about selecting a username and password.  The authentication would be delegated to another server, thus decoupling the authentication and identity ownership from any specific site.</p>
<p>When you use OpenID</p>
<ul>
<li>you tell a site your OpenID (e.g. http://maxmanders.co.uk)</li>
<li>site parses document referenced by OpenID for specific link elements</li>
<li>site redirects user to their provider based upon URL found in link elements</li>
<li>user authenticates to provider</li>
<li>provider redirects user back to site with evidence that they have been authenticated</li>
</ul>
<p>This is quite a high level overview.  There are a number of redirects and parameters passed between pages, and also some cryptography in the form of a shared secret involved.  This cryptography is required so that the original site (relying site) can be sure that the user who is redirected back has indeed come from and been authenticated by a provider, and not somehow spoofed the request.</p>
<p>What all this means is that you only need to remember your OpenID and the password you chose for a particular provider.  It should be noted that OpenID is in some sense a replacement for the usual username/password combination.  It doesn&#8217;t inherently offer any more trust than a traditional username/password.  Just as a username/password can be cracked, so too can an OpenID.  The difference is that you control the identity, so you can switch providers at any time.  If you feel like your provider is untrustworthy, then use another one or host your own.  This change of provider won&#8217;t affect how you use your OpenID.</p>
<p>There has also been recent news that Digg, AOL and possibly even Microsoft intend to use OpenID in current and future products to varying degrees.  We have Digg, the massively popular user-contributed bookmarking site which is bound to have a shed load of users; AOL which must have upward of 60 million users and Microsoft (need I say more).  With a potential userbase of this size, OpenID may well be the way forward! It&#8217;s nice to see cool technologies like this snowballing from the humble geek to the massive multinational company; similar to the way Microformats have emerged. Further information on OpenID can be found on <a href="http://en.wikipedia.org/wiki/Openid" title="Wikipedia: OpenID">Wikipedia</a>, the <a href="http://openid.net" title="openid.net">OpenID official website</a> and <a href="http://simonwillison.net/tags/openid/" title="Simon Willison on OpenID">Simon Willison&#8217;s blog</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://maxmanders.co.uk/technology/openid-decentralised-user-centric-idenity-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
