# OpenID Server

OpenID appears to be gaining some momentum. It feels like the right approach to identity management - let individuals control their identity in a trusted way, rather than relying on federation through central brokers. Sun Microsystems just rolled out OpenID support for all of their employees. Stephen's been talking about this kind of decentralized identity management for years (and most recently just yesterday).

But, it's been a bit strange in that it hasn't been very easy to run your own OpenID server. I mean, you could go through myopenid.com to get a free hosted OpenID, but that's just a federated, centrally hosted identity. No different than a Yahoo! or Google account. The power of OpenID is that you can/should run your own OpenID server, so you control it. It's not a decentralized, individual identity management system if we still hand control over it to central services. We need to be running our own OpenID servers. Which means it needs to be easy to set up. Ideally one-click easy. It's not quite there yet, but it's getting closer.

I'd tried to install an OpenID server yesterday, and failed because DreamHost doesn't support the big math libraries needed for encryption, and the server I was trying didn't fall back to "dumb" mode. But, I just installed phpMyID on my DreamHost account, and it worked flawlessly. It took maybe 10 minutes, including RTFMing. Now, I have my own OpenID server, which I control, living at openid.darcynorman.net

Now, what does that get me? Initially, not much. All I've been able to do is authenticate on Zooomr.com using my own OpenID server as credentials. That's pretty cool as a "hello, world!" test. And when OpenID support gets rolled into more services, I'm ready.

DreamHost, if you're listening, this would be a great opportunity for a One-Click Install package. Rolling out OpenID server support for all of the 46 bajillion DreamHost customers would go a long way toward kickstarting OpenID adoption. I'd say Google should roll it out for GMail account holders, but again that kind of defeats the point of a decentralized identity management system, if we all use a central broker anyway...

Update: Even cleaner, now. I've just added the openid.server and openid.delegate elements to the head of my blog, meaning I can just provide the url "http://darcynorman.net" as my identity in any OpenID-enabled software.

Update 2: Yikes! I just went to enable HTTPS and certificate support on the openid.darcynorman.net domain, and it'd cost almost $250CDN per year to do that ($48US per year for static IP, \$189US per year for the certificate via GeoTrust). There's a minor flaw in the whole OpenID system - if the distributed servers aren't trustworthy and secure, the system kind of falls over. An unsecured OpenID server is a bit of a magnet for packet sniffing usernames and passwords...

Update, 33 1/3: I got nervous about not having a secure OpenID server, so reverted back to using MyOpenID.com. Yes, it's a centrally hosted distributed identity provider, but it's secure, and by using my own URL as a delegate I retain control (so if MyOpenID.com turns evil, I'm able to very easily switch to another provider, or run my own).

I also added the handy OpenID WordPress Delegate Plugin to this blog, so it will automatically add my OpenID information without my having to remember to tweak the theme's header.php file every time I update the theme...

#### See Also

comments powered by Disqus