Microsoft to Embrace OpenID

Bill Gates sez M$ is gonna back OpenID. This is a good thing. Although you can be sure they'll cock it up on some Windows product, OpenID is simple and well-enough-designed (ala other basic protocols like SMTP, HTTP, DNS, etc) that even if your fancy bells and whistles suck ass, the basic protocol still functions well, and other people will make better products, and progress marches on.

Honestly, I don't think M$ can break OpenID, and I think having them on board may finally break the logjam. Get used to seeing this:


Learn more, if you like. But the gist of this is that you will soon be able to house multiple social internet logins under one roof, meaning you can pick someone you trust and use that login everywhere without compromising your security. For instance, you could use your AIM login info for most other places you need to "identify yourself" online, without compromising your AOL account. It also means it's easier for people like me to cut back on comment-spam. Woo!

Those are immediate benefits. The addition of a true distributed identity layer to the internet has much more revolutionary potential as well, but we'll have to see how things play out for a few more years before any of that happens.


Are they going to hose OpenID like they did web standards?

The Spec for HTML and CSS is ginormous and always in flux. IE could have done a lot better at implementing it, but it's a pretty different thing from OpenID.

The core of OpenID is more comparable to HTTP, DNS or SMTP, the simple protocols that run the web and email.

I fully expect MS to add some bells and whistles to OpenID that are annoying, but it will be hard for them to "break" it. It would also hurt their business to have this be a messy standards fight. My guess is they are looking at OpenID-related services (the high end stuff, like they tried with Passport, and that they can sell into businesses as a next-gen LDAP) as a potential line of revenue. To pursue that they need their credentials to be good anywhere, so they'll follow the basic protocol.

You may already have Kim Cameron in yer RSS reader, but since he's the identity guru at Microsoft charged with developing their next generation identity layer to replace Passport, the coverage of the announcement on his blog is interesting. He links to all the OpenID guys and gals.

This post in particular breaks down the details of the announcement and gave me what I was looking for:

"As part of OpenID’s security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials."

And I assume when they say "phishing-resistant credentials" they're suggesting Microsoft's new InfoCards.

You're certainly right on when you say "OpenID is simple and well-enough-designed" because I think this can be just handled through OpenID's Assertion Quality Extension. It's a draft spec, but still...

I also think that there's a meta-solution here, in that the various OpenID providers develop relationships/trust, and (much like email) whitelists and the like will develop also.

The actual drivers for authentication and security will be pluggable and ongoing in their development no doubt. That's in addition to the network of trust that develops.
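The mechanism the two comments above describe, a relying party explicitly asking for and being told about phishing-resistant credentials, ended up standardized as the Provider Authentication Policy Extension (PAPE), the reworked successor of the Assertion Quality Extension draft. The example below is added here and is not code from the post or from any OpenID library; it uses PAPE's parameter names, assumes an HMAC-SHA256 association, and the OP endpoint, identifiers, MAC key and OP response are constructed stand-ins. The security point it shows is that the relying party must only believe a PAPE answer that is inside the signed field list.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

def sign_fields(params, signed, mac_key):
    # OpenID 2.0 signature: HMAC over the key-value form ("key:value\n") of the fields named in openid.signed, in order
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def build_checkid_request(op_endpoint, claimed_id, return_to, assoc_handle):
    # Redirect URL sent to the OP: the RP asks for a phishing-resistant credential and a login no older than 5 minutes
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": return_to, "openid.realm": return_to,
              "openid.assoc_handle": assoc_handle, "openid.ns.pape": PAPE_NS,
              "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
              "openid.pape.max_auth_age": "300"}
    return op_endpoint + "?" + urlencode(params)

def verify_response(params, mac_key):
    # Accept only a validly signed positive assertion whose *signed* PAPE fields report a phishing-resistant policy.
    # A PAPE field left out of openid.signed is unauthenticated: anything on the return path could have added it.
    if params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    if any(r not in signed for r in REQUIRED_SIGNED):
        return False
    if not hmac.compare_digest(sign_fields(params, signed, mac_key), params.get("openid.sig", "")):
        return False
    if "ns.pape" not in signed or "pape.auth_policies" not in signed:
        return False
    return PHISHING_RESISTANT in params["openid.pape.auth_policies"].split()

def make_op_response(mac_key, policies, sign_pape=True):
    # Constructed stand-in for an OP's positive assertion (not captured traffic); sign_pape=False models a sloppy OP
    params = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
              "openid.claimed_id": "https://alice.example/", "openid.identity": "https://alice.example/",
              "openid.return_to": "https://rp.example/finish", "openid.response_nonce": "2007-02-07T12:00:00Zabc123",
              "openid.assoc_handle": "assoc-1", "openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": policies}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    signed += ["ns.pape", "pape.auth_policies"] if sign_pape else []
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign_fields(params, signed, mac_key)
    return params
```

A relying party that checks only `openid.pape.auth_policies` without confirming it is in `openid.signed` gets no assurance at all, which is why `verify_response` rejects the unsigned and the tampered cases.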