Saturday, August 26, 2006

OpenID

I've been investigating (and testing) OpenID lately. The cause, by the way, would be helped if openid.org's URL worked without the www subdomain. OpenID is an API that allows a person to claim ownership of a URL and through that to claim an identity of sorts. It's not a way to prove that a person controlling a URL has a certain name, so it's not an authentication mechanism. What it allows is for identity verification to happen in one place rather than over and over and over again in multiple places. An OpenID URL I've gotten is ian.marsman.myopenid.com. With this I can log in to livejournal.com, zoomr.com, and other OpenID-using sites. The benefits for the user include needing only a single identity verification location that can be used on multiple sites. A web application developer using OpenID as a login mechanism doesn't need to worry about account registration, which is rather nice.
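As an added illustration (not code from this post or from the Ruby OpenID library), here is how a site accepting OpenID logins can turn a claimed URL into a verification endpoint using OpenID 1.x HTML discovery. The method names and the sample page are constructed for the example, and regex matching stands in for a real HTML parser.

```ruby
require 'uri'

# Normalize what the user typed into the login box before fetching it:
# default to http:// and give an empty path a trailing slash.
def normalize_claimed_url(input)
  text = input.strip
  text = "http://#{text}" unless text =~ %r{\A[a-z][a-z0-9+.-]*://}i
  uri = URI.parse(text)
  raise ArgumentError, "not an http(s) URL: #{input}" unless uri.is_a?(URI::HTTP) && uri.host
  uri.host = uri.host.downcase
  uri.path = '/' if uri.path.empty?
  uri.to_s
end

# Read the openid.server / openid.delegate <link> tags from the page at the
# claimed URL. Only <head> counts, so markup that ends up in the body
# (comments, user content) cannot redirect verification elsewhere.
def discover(html)
  head = html[%r{<head\b[^>]*>(.*?)</head>}mi, 1] or return nil
  found = {}
  head.scan(/<link\b[^>]*>/i) do |tag|
    rel  = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1]
    href = tag[/\bhref\s*=\s*["']([^"']*)["']/i, 1]
    next unless rel && href
    rel.downcase.split.each do |r|
      found[r] ||= href if %w[openid.server openid.delegate].include?(r)
    end
  end
  found['openid.server'] ? found : nil
end

# Result: where to send the user, and which identity the server vouches for.
def resolve(input, html)
  claimed = normalize_claimed_url(input)
  links = discover(html) or raise "no openid.server link at #{claimed}"
  server = URI.parse(links['openid.server'])
  raise 'server is not http(s)' unless server.is_a?(URI::HTTP)
  { claimed: claimed, server: server.to_s,
    identity: links['openid.delegate'] || claimed }
end

# Constructed sample page; the hosts are placeholders.
SAMPLE_PAGE = <<~HTML
  <html><head><title>Ian</title>
    <link rel="openid.server" href="https://idp.example/server">
    <link rel="openid.delegate" href="https://ian.idp.example/">
  </head><body>
    <p><link rel="openid.server" href="https://other.example/"></p>
  </body></html>
HTML
```
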

The business model for providing and managing OpenID accounts does not seem to be that promising if that's all one is providing. The API is public, and client and server libraries are available in a number of programming languages. One would need to use account management as a way to gain credibility for an identity management consulting business or add extra services on top of the base account management. claimid.com is doing this (or will be once they're out of beta). They seem to want to offer a way for people to point to various URLs about the 'net and say "this is mine or about me". They also offer the ability to register other OpenID URLs with their site, which can be verified by them (the OpenID API allows for this).

In any case, I've installed and gotten running the Ruby version of OpenID. It's available as a gem, which I can't install easily on my non-root-access account. I've thus put all OpenID libraries under the lib directory of my Rails application. This works pretty well. The sample openid_login generator is found and thus can be installed if one puts it in one's ~/.rails/ directory.

One gold rush identity management system I'm not crazy about is i-name. i-names can look like "=ian.marsman" for a personal i-name or "=@myorg*ian.marsman" for a person at an organization. I'm not crazy about this setup because the going rate to register an i-name is twenty bucks US. For this, one gets more control over who one gives what personal info to. However, OpenID has the ability to create profiles and choose which profile to give to a site that's requesting permission to access one's identity. i-name is an API designed by rather large organizations. OpenID is more grass roots, although Verisign is on the standards committee. Who knows how things will pan out. Both offer the hope of single sign-on. i-name seems more targeted at uses for businesses like corporate identity management and online banking sign-on authentication. It's a big topic and I'm starting to wander. At the moment all I want is a way to offload user signup management and give people a way to avoid adding my site as yet another membership to keep track of.