June 22, 2008

How trustworthy can OpenID be if its own developers, like Six Apart, don't trust it?

For years I have been a fan of OpenID. I like the concept of a single digital identity to be used across the Internet, and I think the people behind the project have some great ideas.

At the same time, I have felt it wasn't ready for prime time. Back in 2006 I blogged that I thought it would be a great geek thing, but that until more web applications supported trusting the OpenID provider I wanted to use, it was doomed to never "cross the chasm". I was pointing out that I have many web applications, such as the various blogs I author that are driven by Six Apart's Movable Type, that simply need to use the provider of my choosing, since our trust model is controlled by a corporate security policy enforced by our IT team.

Access to write posts on our company blog(s) should be driven by the identity controls at our office. If a staff member has his or her access revoked in the office, it should immediately impact all tools and technology in the business... including the company blog(s). I don't want another identity silo where, when a staff member leaves, I have to go log into Movable Type and restrict, revoke or remove their access. Six Apart made some strides to support this by providing LDAP integration in their higher-end product. Great news if the blog is on a server connected to your directory infrastructure. Not so good if it's across the Internet on an Internet-facing system in an isolated DMZ like ours.

Even back then, Six Apart Vice President Anil Dash commented on my blog post that Movable Type supported being both a provider and a consumer, which surprised me since I could only see that functionality when people wanted to leave comments. I followed up with Six Apart and they said authors couldn't use an OpenID to log in before writing posts yet, but that it WAS coming. I really wish I had saved that email so I could quote it here.

I was OK with that answer at the time. After all, Six Apart helped design and develop OpenID, and they even have David Recordon (Open Platforms Tech Lead for Six Apart) sitting on the OpenID Foundation Community Board. I would expect that it would indeed be coming in the next major release.

Fast forward to the beginning of this year. I wrote another blog post about how frustrated I was getting that everyone was trying to be an OpenID provider, but that very few were willing to consume providers I choose to trust. That post was written partially because, at that time, common web applications that I use (including Movable Type) STILL didn't support this.

Six months later, very little has changed. Six Apart has had another major release with MT4, and when I asked whether it now supports author login with my provider of choice (aka our company OpenID server), the email response from Six Apart's support simply said:

OpenID is supported only for the purposes of authenticating commenters; it is not supported as a login for Movable Type authors/users.

<name withheld>
Movable Type Publishing Platform
Six Apart, Ltd.

How trustworthy can OpenID be if Six Apart themselves don't trust it enough to allow authors to log in to manage their own blogs? I think this is a critical point that people aren't considering. The people who helped build the technology don't dogfood it themselves in their own commercial web applications.

Why not? I would love to know the answer to that. Wouldn't you?

Posted by SilverStr at June 22, 2008 01:57 PM | TrackBack

It's great to hear that you want to be able to log in to Movable Type using OpenID as an author; I want it as well for my own install of MT. We certainly agree that it is a needed feature that is still planned for a future release of Movable Type, though it's software -- we definitely haven't done all the features we want to yet, but we're working on it! That said, we have been doing a bunch of work recently with OpenID.

Movable Type 4.2 (you can download a release candidate from http://www.movabletype.org/beta/42/) adds support for OpenID 2.0 when commenting. By default Movable Type will ship with all of the needed libraries and functionality to act as an OpenID 2.0 Provider and Relying Party when commenting. We're also shipping the libraries needed for OAuth so that as of Movable Type 4.2 plugin authors can rely on being able to take advantage of it in features that they build. Beyond that there's a bunch of great work going on with OpenID within TypePad which you'll see later this year.

Not allowing authors to login to Movable Type or TypePad using OpenID has nothing to do with our not trusting OpenID as a technology. Quite the opposite in fact, we want to make sure we can build great support for OpenID in a way that we can help bring OpenID more mainstream. It isn't a small feat to do it right and laying the groundwork by supporting OpenID 2.0 in Movable Type 4.2 helps get us a step closer.

Posted by: David Recordon at June 23, 2008 09:21 AM

Both Google and Yahoo IDs are now OpenIDs. I'm not tech-savvy, so this is probably a dumb question: But if you had to ban an OpenID, would it also mess up using that ID on those two large providers?

I've had Akismet, for example, mark me as Spam and I've been battling for weeks to get that corrected. I couldn't believe how many places it affected.

Posted by: Mike Cane at June 23, 2008 11:17 AM

Hey David,

Thanks for the response. It's nice to see you supporting OpenID 2.0 for comments. Will be nicer when you support it for the author login. :)

I understand you want to make it more mainstream by allowing it in comments. I just wish you guys would consume it in your own web app for authors so we can get the extra benefits OpenID offers with centralized authentication over the Internet. LDAP is simply not a safe way to do it over the Internet as you have it now.

Posted by: Dana Epp at June 23, 2008 11:47 AM

Hey Mike,

This is one of the reasons I want to use our own provider for login. We can control how to ban that. It would be in our interest to associate an account with an OpenID over which we have control. In our case, we have our own OpenID provider that uses our company's two-factor authentication system to provide identity assurance when logging in with one-time passwords (OTP) from keyfob tokens. When an employee leaves our organization, we simply disable the token, which affects all their Windows logons, email, VPN etc. However, we have to take an extra step to then log into Movable Type to disable their account there. If they were forced to use an OpenID we trust, then when we revoked the token, they could no longer use us as a provider.

Now here is where it gets interesting. We don't force our employees to use our provider directly. We recommend they use their OWN url that they control (like their personal blogs) and use OpenID's delegation feature to provide the authentication to our provider. If they leave the company, they can then reset the delegation URL to another provider like Google or myOpenID.

This way, their identity remains under their own control. However, our company has the ability to decide which provider(s) we will trust. In our case, we would only want staff accessing company systems once identified with their hardware token.

Posted by: Dana Epp at June 23, 2008 11:59 AM
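The two mechanisms the comments above rely on are OpenID delegation (the employee's own URL carries `<link>` tags that point at the company provider) and a relying party that only accepts assertions from providers it has chosen to trust. The following is an added example, written for this page and not code from the post, from Movable Type or from Six Apart. It performs the HTML-based discovery step for both the OpenID 2.0 tags (`openid2.provider` / `openid2.local_id`) and the 1.x tags (`openid.server` / `openid.delegate`), then applies a provider allowlist the way a corporate relying party would. All hostnames, URLs, the allowlist contents and the two sample HTML pages are constructed assumptions.

```python
"""Added example: OpenID HTML-based discovery with delegation, plus a relying
party (RP) allowlist of trusted providers. Illustrative only; this is not
Movable Type or Six Apart code. Hostnames, URLs and HTML pages are constructed."""
from html.parser import HTMLParser

# Constructed: the only provider endpoint this RP accepts (the company's
# token-backed OpenID provider from the discussion above).
TRUSTED_OP_ENDPOINTS = {"https://openid.example-corp.test/server"}

# Constructed: an employee's personal URL delegating to the company provider.
# Both the 2.0 and the 1.x tag pairs are present so either kind of RP works.
EMPLOYEE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://openid.example-corp.test/server">
<link rel="openid2.local_id" href="https://openid.example-corp.test/u/alice">
<link rel="openid.server" href="https://openid.example-corp.test/server">
<link rel="openid.delegate" href="https://openid.example-corp.test/u/alice">
</head><body>alice's blog</body></html>"""

# Constructed: the same URL after the employee leaves and re-points delegation
# at another provider. The URL is unchanged; only the delegation target moved.
REPOINTED_PAGE = """<html><head>
<link rel="openid2.provider" href="https://openid.other-provider.test/server">
<link rel="openid2.local_id" href="https://alice.other-provider.test/">
</head><body>alice's blog</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags from <head> only; tags in <body>
    are ignored so page content a commenter controls cannot inject them."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if not rel or not href:
            return
        for token in rel.split():                       # rel may hold several tokens
            self.links.setdefault(token.lower(), href)  # first occurrence wins


def discover(claimed_id, html):
    """HTML-based discovery: return (op_endpoint, local_id, version) or None.
    OpenID 2.0 tags take precedence over 1.x; the local identifier defaults to
    the claimed URL when no delegate / local_id tag is present."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id", claimed_id), 2
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate", claimed_id), 1
    return None


def rp_accepts(claimed_id, html, trusted=TRUSTED_OP_ENDPOINTS):
    """Trust decision for an RP that only lets in identities the company
    provider vouches for. Returns (accepted, reason)."""
    found = discover(claimed_id, html)
    if found is None:
        return False, "no OpenID discovery tags on claimed identifier"
    op_endpoint, local_id, version = found
    if op_endpoint not in trusted:
        return False, f"provider {op_endpoint} is not on the trusted list"
    return True, f"OpenID {version}.x via {op_endpoint} as {local_id}"


if __name__ == "__main__":
    for label, page in (("while employed", EMPLOYEE_PAGE), ("after leaving", REPOINTED_PAGE)):
        ok, why = rp_accepts("https://alice.example.test/", page)
        print(f"{label}: {'accept' if ok else 'reject'} ({why})")
```

The allowlist check is the part that makes token revocation sufficient on its own: while the employee delegates to the company provider, a disabled token means the provider will not issue an assertion; once they re-point the same URL elsewhere, the relying party refuses the new provider outright, so no separate account cleanup in the blog software is needed. A production relying party also has to perform Yadis/XRDS discovery, verify the provider's signed assertion, and confirm that the identifier the provider returns matches what discovery produced; this block covers only the discovery and trust decision discussed in the thread.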