June 22, 2008
How trustworthy can OpenID be if the developers of it, like Six Apart, themselves don't trust it?
For years I have been a fan of OpenID. I like the concept of a single digital identity to be used across the Internet, and I think the people behind the project have some great ideas.
At the same time, I have felt it wasn't ready for prime time. Back in 2006 I blogged that I thought it would be a great geek thing, but that until more web applications supported trusting the OpenID provider I wanted to use, it was doomed to never "cross the chasm". I was pointing out that I have many web applications, such as the various blogs I author that are driven by Six Apart's Movable Type, that simply need to use the provider of my choosing, since our trust model is controlled by corporate security policy enforced by our IT team.
Access to write posts on our company blog(s) should be driven by the identity controls at our office. If the staff member has his or her access revoked in the office, it should immediately impact all tools and technology in the business... including the company blog(s). I don't want another identity silo where, when a staff member leaves, I have to go log into Movable Type and restrict, revoke or remove their access. Six Apart made some strides to support this by providing LDAP integration into their higher-end product. Great news if the blog is on a server connected to your Directory infrastructure. Not so good if it's across the Internet on an Internet-facing system in an isolated DMZ like ours.
Even back then, Six Apart Vice President Anil Dash commented on my blog post that Movable Type supported being both a provider and a consumer, which surprised me since I could only see that functionality when people wanted to leave comments. I followed up with Six Apart and they said authors couldn't use an OpenID to log in before writing posts yet, but that it WAS coming. I really wish I had saved that email so I could have quoted it here.
I was ok with that answer at the time. After all, Six Apart helped design and develop OpenID and they even have David Recordon (Open Platforms Tech Lead for Six Apart) sitting on the OpenID Foundation Community Board. I would expect that it would indeed be coming in the next major release.
Fast forward to the beginning of this year. I wrote another blog post about how frustrated I was getting that everyone was trying to be OpenID providers, but that very few were willing to consume providers I choose to trust. That post was written partially because at that time, common web applications that I use (including Movable Type) STILL don't support this.
Six months later, very little has changed. Six Apart has had another major release with MT4, and in querying if it now supports author login with my provider of choice (aka our company OpenID server) an email response from Six Apart's support simply says:
How trustworthy can OpenID be if Six Apart themselves don't trust it enough to allow authors to log in to manage their own blogs? I think this is a critical point that people aren't considering. The people that helped build the technology don't dogfood it themselves for their own commercial web applications.
Why not? I would love to know the answer to that. Wouldn't you?