OpenID appears to be gaining some momentum. It feels like the right approach to identity management – let individuals control their identity in a trusted way, rather than relying on federation through central brokers. Sun Microsystems just rolled out OpenID support for all of their employees. Stephen’s been talking about this kind of decentralized identity management for years (and most recently just yesterday).
But, it’s been a bit strange in that it hasn’t been very easy to run your own OpenID server. I mean, you could go through myopenid.com to get a free hosted OpenID, but that’s just a federated, centrally hosted identity. No different than a Yahoo! or Google account. The power of OpenID is that you can/should run your own OpenID server, so you control it. It’s not a decentralized, individual identity management system if we still hand control over it to central services. We need to be running our own OpenID servers. Which means it needs to be easy to set up. Ideally one-click easy. It’s not quite there yet, but it’s getting closer.
I’d tried to install an OpenID server yesterday, and failed because DreamHost doesn’t support the big math libraries needed for encryption, and the server I was trying didn’t fall back to “dumb” mode. But, I just installed phpMyID on my DreamHost account, and it worked flawlessly. It took maybe 10 minutes, including RTFMing. Now, I have my own OpenID server, which I control, living at openid.darcynorman.net
Now, what does that get me? Initially, not much. All I’ve been able to do is authenticate on Zooomr.com using my own OpenID server as credentials. That’s pretty cool as a “hello, world!” test. And when OpenID support gets rolled into more services, I’m ready.
DreamHost, if you’re listening, this would be a great opportunity for a One-Click Install package. Rolling out OpenID server support for all of the 46 bajillion DreamHost customers would go a long way toward kickstarting OpenID adoption. I’d say Google should roll it out for GMail account holders, but again that kind of defeats the point of a decentralized identity management system, if we all use a central broker anyway…
Update: Even cleaner, now. I’ve just added the openid.server and openid.delegate elements to the head of my blog, meaning I can just provide the URL “http://darcynorman.net” as my identity in any OpenID-enabled software.
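To show what those two link elements actually do on the relying party’s side, here is an added example (not part of the original post or of any OpenID library) that resolves a claimed URL to the server endpoint and the identity the server is asked about, falling back to the claimed URL when no openid.delegate is present. The hostnames in the sample pages are constructed placeholders.

```python
from html.parser import HTMLParser


class OpenIDLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate <link> elements from a page's <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True  # links in <body> are not part of discovery

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()  # rel may list several tokens
        href = a.get("href")
        if not href:
            return
        for key in ("openid.server", "openid.delegate"):
            if key in rel and key not in self.links:  # first occurrence wins
                self.links[key] = href


def discover(claimed_url, html):
    """Return (server_endpoint, local_identity) as a relying party would resolve them.

    Without an openid.delegate link the claimed URL itself is the identity the
    server is asked about; with one, the server only ever sees the delegate URL,
    so the blog URL stays stable when the provider behind it changes.
    """
    p = OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>; URL is not an OpenID identifier")
    return server, p.links.get("openid.delegate", claimed_url)


# Constructed sample pages; provider and blog hostnames are placeholders.
DELEGATED_PAGE = """<html><head><title>Blog</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://me.provider.example/">
</head><body><link rel="openid.server" href="https://ignored.example/"></body></html>"""

SELF_HOSTED_PAGE = """<html><head>
<link rel="openid.server" href="https://openid.blog.example/MyID.php">
</head><body></body></html>"""

if __name__ == "__main__":
    print(discover("http://blog.example/", DELEGATED_PAGE))
    print(discover("http://blog.example/", SELF_HOSTED_PAGE))
```

Switching providers, as the post later describes, is just a matter of changing the two href values; the claimed URL handed to relying parties never changes.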
Update 2: Yikes! I just went to enable HTTPS and certificate support on the openid.darcynorman.net domain, and it’d cost almost $250CDN per year to do that ($48US per year for static IP, $189US per year for the certificate via GeoTrust). There’s a minor flaw in the whole OpenID system – if the distributed servers aren’t trustworthy and secure, the system kind of falls over. An unsecured OpenID server is a bit of a magnet for packet sniffing usernames and passwords…
Update, 33 1/3: I got nervous about not having a secure OpenID server, so reverted back to using MyOpenID.com. Yes, it’s a centrally hosted distributed identity provider, but it’s secure, and by using my own URL as a delegate I retain control (so if MyOpenID.com turns evil, I’m able to very easily switch to another provider, or run my own).
I also added the handy OpenID WordPress Delegate Plugin to this blog, so it will automatically add my OpenID information without my having to remember to tweak the theme’s header.php file every time I update the theme…
Personally I just use myopenid.com – but I always login with http://patrick.geek…
I have an SSL vhost already, it only costs me $20/year (don’t need to pay for a static IP because I have a whole server to myself) from godaddy.com. Slightly less than $250 CDN.
@Patrick: I’m thinking MyOpenID is the smart way to go for now, given that they provide SSL and encryption for secure transmission of credentials. But, it still feels somehow wrong to use a central broker to manage a distributed identity… btw, I’ve had a MyOpenID site for awhile now, too. I just wanted to go through the motions to see what it would take to set up my own. It works, but it’s not ideal at the moment…
I updated the blog post – I reverted back to MyOpenID because it’s secure. I’m going to be using my own URL, so it’s easy enough to switch providers, or run my own, eventually.
For me it’s like email: I could run my own mail servers*, but it’s easier to let someone else do it – as long as the identifier is under my control. With a Windows Live ID (yucky name that), even though you might sign in using your own (non-hotmail) email address, you never really have control over the identifier.
(* well, ok, so all my email runs through my own before landing in a Joyent Connector, but still)
Now all you need to do is let people sign in to wordpress using OpenID to submit comments. You could of course be super heavy handed like myself & Jesper (http://waffle.wootest.net/) – he’s using wordpress. (He might have used a plugin, I’m not 100% sure.)
I think I should try playing with setting up an OpenID server as well – maybe I could get it to hook in to my SimpleLog install as well (auth against my SimpleLog admin interface maybe…). Sounds like a project I should undertake anyway.
@patrick: just enabled the WordPress OpenID authentication plugin, so you should now be able to use your OpenID for comments.
Excellent. Except now your theme has vanished… oh dear.
@patrick: I’ve disabled PopularityContest. Its value was dubious at best, and the fact that it appears to get in the way of OpenID means it gets kicked to the curb. Any better?
Let’s see… will this work? Maybe it will.
Time for a preemptive Hoorah! and the theme is back!
Informative post. What plugin adds the openid login to the comment field?
Turk, that’s the OpenID Delegation plugin. It can also enable OpenID logins for users of the blog, as well as just for commenters.
http://eran.sandler.co.il/openid-delegate-wordpress-plugin/
Thanks for the info.
Ahh, I’ll have to remember that plugin if I switch back to WordPress again. Thanks.
The security of openid has been keeping me busy for a few days now and I, like yourself, am primarily interested in creating a secure openid using my WordPress blog. Your post , the comments and your updates have been very helpful, thanks!
Oops, I had a question as well.
You said that you have the WordPress OpenID authentication plugin installed, but I don’t see any way to comment using OpenID. Are you having implementation issues or am I missing something?
Thanks again, Leonard
@Leonard: I was having problems with the OpenID plugin, and had to disable it. I’ll check for an update to see if it plays nicely now. I miss it.
“…cost almost $250CDN per year to do that ($48US per year for static IP, $189US per year…” YIKES!! Are you out of your mind?
If you have your own server, it comes with a few static IP addresses and also OpenSSL. The realistic “extra” cost? $0
You can get an SSL cert for $20 from GoDaddy (google godaddy ssl code, they have a google ad that will save you $6 straight away), so that’s USD$68/year, or ~$6/month. Then you can put your WordPress admin under the SSL (why log in to your blog admin in clear text?!) and lots of other interesting things!