Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Sunday, September 2, 2007

If OpenID is the Answer, What Was the Question?

I’ve recently been asked this question, and I am now turning it over to the Identity Management community (I am very keen to hear your replies …).

My current answer is that OpenID provides a simplified, open-source-based approach to SSO for low-cost/low-risk transactions on the web, primarily in consumer/user-driven, B2C environments.

An article titled “The Case for OpenID”, by Phil Becker, makes a more compelling case for OpenID. However, it must also be said that:

  • There are not many use-cases justifying the usage of OpenID in other contexts, such as enterprise or B2B settings (thanks to the people who suggested a few of them). I am still looking for suggestions from the community …
  • Recent blog discussions have highlighted potential OpenID limitations (in terms of trust, privacy and security; e.g. see here, here and here), along with possible ways to mitigate some of them (such as identity phishing, see here) by leveraging CardSpace and/or other approaches.
What else to say?

