The Observer, March 23, 2007
Volume XXXIX, Issue 21
Case launches beneficial OpenID service on campus
Count the number of accounts you have spread across the Internet. You might have a blog, a Wikipedia account, a photo gallery, and a Facebook profile. Now count the number of competing services that you don't use but maybe your friends do; for example, your LiveJournal account won't be accepted to comment on your friend's Xanga blog.
In recent years, Case has provided a Case-centric solution to this problem by instituting the Central Authentication Service (CAS), which lets anyone with a CaseID log in to most Case-provided services and removes the need to create a separate account for each one, such as Blackboard or Filer. The Middleware Services Engineering group – the same people who brought you CAS and who manage all services related to authentication, authorization, and access control – recently upped the ante by giving everyone with a CaseID their own OpenID, a decentralized authentication system that aims to solve the problems that come from having a billion different Internet accounts.
Jeremy Smith, an employee at Middleware Services Engineering, created Case's experimental OpenID server as a proof of concept to be shown to Technical Infrastructure Director Jeffrey Gumpf. Smith has integrated many different decentralized authentication systems with CAS that were never publicly announced. According to Smith, "OpenID is a different beast, though, in that there are already a lot of different client end-points using it (or will use it in the near future). So, Jeff OKed me blogging about it, to see what use it would start getting out in the wild." "Let's hypothetically say Facebook did OpenID logins for users with OpenID providers that end in a '.edu' domain, people would be able to use their Case credentials to log on to Facebook," Smith said. OpenID has the potential to provide this type of convenience to every CaseID holder.
Logging onto an OpenID-enabled service, like LiveJournal (livejournal.com) or WikiTravel (wikitravel.org), still requires a username and password, but they are handled differently. Your username is a URL pointing to your OpenID identity page; CaseID holders can use http://first.last.id.case.edu or http://caseid.id.case.edu. The service reads that page to find your OpenID provider and redirects your browser there, and only the provider ever asks for your password. Case's implementation does this by asking for your CaseID and password through CAS, so the password never reaches the outside service. Once you have authenticated, the provider sends your browser back to the original service with a signed assertion that you are who you say you are; the service verifies that assertion and the login is complete.
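The exchange described above, as an added example that is not part of the original article or of Case's OpenID server: a relying party (a blog) and an OpenID provider run in one Python process, with the CAS login reduced to a dictionary lookup and the identity pages the blog would fetch embedded as constructed strings. The CaseIDs, passwords, the blog's return URL, the mallory.id.case.edu identity and the https://id.case.edu/openid/server endpoint are all assumptions made for illustration; the message fields and the HMAC-SHA1 signature over the signed fields follow the OpenID 1.1 protocol the services of the time spoke.

```python
# Added example, not Case's code: an in-process simulation of the OpenID 1.1 login
# described above. CaseIDs, passwords, the blog URL and the OP endpoint are assumed.
import base64, hashlib, hmac, re, secrets
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

OP_ENDPOINT = "https://id.case.edu/openid/server"  # assumed endpoint URL
PAGE = '<html><head><link rel="openid.server" href="%s"></head></html>' % OP_ENDPOINT
# Constructed stand-in for the web: identity pages the relying party (RP) would GET.
IDENTITY_PAGES = {"http://first.last.id.case.edu/": PAGE, "http://mallory.id.case.edu/": PAGE}

def discover(identity_url):
    """RP step 1: the openid.server link on the identity page names the user's OP."""
    return re.search(r'rel="openid.server" href="([^"]+)"', IDENTITY_PAGES[identity_url]).group(1)

def signature(mac_key, fields, signed):
    """OpenID 1.1: base64(HMAC-SHA1(key-value form of the signed fields, in order))."""
    kv = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha1).digest()).decode()

def require(cond, msg):
    if not cond: raise PermissionError(msg)

def parse(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class Provider:
    """Toy OP; `credentials` stands in for CAS, `identities` for the campus directory."""
    def __init__(self, credentials, identities):
        self.credentials, self.identities, self.assocs = credentials, identities, {}

    def associate(self):  # openid.mode=associate: shared HMAC-SHA1 key under a handle
        handle, mac_key = secrets.token_hex(8), secrets.token_bytes(20)
        self.assocs[handle] = mac_key
        return handle, mac_key

    def checkid_setup(self, redirect_url, caseid, password):
        """The user arrives from the RP, logs in (CAS), and is sent back to
        return_to with a signed assertion about openid.identity."""
        req = parse(redirect_url)
        require(self.credentials.get(caseid) == password, "CAS login failed")
        # Never assert an identity URL that the logged-in user does not own.
        require(req["openid.identity"] in self.identities[caseid], "identity not owned by user")
        fields = {"openid.mode": "id_res", "openid.identity": req["openid.identity"],
                  "openid.return_to": req["openid.return_to"],
                  "openid.assoc_handle": req["openid.assoc_handle"],
                  "openid.signed": "mode,identity,return_to"}
        fields["openid.sig"] = signature(self.assocs[req["openid.assoc_handle"]], fields,
                                         fields["openid.signed"].split(","))
        return req["openid.return_to"] + "?" + urlencode(fields)

class RelyingParty:
    """Toy RP (a blog); `providers` maps endpoint -> Provider, standing in for HTTP
    and doubling as the list of OPs this site is willing to trust."""
    def __init__(self, return_to, providers):
        self.return_to, self.providers, self.assocs = return_to, providers, {}

    def begin(self, claimed_url):
        """Discover the user's OP, associate with it, and build the redirect URL."""
        endpoint = discover(claimed_url)
        handle, mac_key = self.providers[endpoint].associate()  # KeyError: untrusted OP
        self.assocs[handle] = mac_key
        return endpoint + "?" + urlencode({
            "openid.mode": "checkid_setup", "openid.identity": claimed_url,
            "openid.return_to": self.return_to, "openid.trust_root": self.return_to,
            "openid.assoc_handle": handle})

    def complete(self, claimed_url, response_url):
        """Verify the assertion the OP sent the browser back with."""
        resp = parse(response_url)
        require(resp.get("openid.mode") == "id_res", "login cancelled or failed at the provider")
        require(resp.get("openid.identity") == claimed_url, "assertion is about a different identity")
        require(resp.get("openid.return_to") == self.return_to, "return_to does not match this site")
        require(resp.get("openid.assoc_handle") in self.assocs, "unknown association handle")
        signed = resp.get("openid.signed", "").split(",")
        require({"mode", "identity", "return_to"} <= set(signed)
                and all("openid." + k in resp for k in signed), "signed field list is incomplete")
        expected = signature(self.assocs[resp["openid.assoc_handle"]], resp, signed)
        require(hmac.compare_digest(expected, resp.get("openid.sig", "")), "bad signature")
        return claimed_url

OP = Provider({"jxs123": "hunter2", "mallory": "pw"},  # constructed CaseIDs and passwords
              {"jxs123": {"http://first.last.id.case.edu/"}, "mallory": {"http://mallory.id.case.edu/"}})
RP = RelyingParty("http://blog.example/openid/return", {OP_ENDPOINT: OP})

def login():
    """Honest flow: RP -> OP (CAS login) -> RP; returns the verified identity URL."""
    claimed = "http://first.last.id.case.edu/"
    return RP.complete(claimed, OP.checkid_setup(RP.begin(claimed), "jxs123", "hunter2"))

def impersonation_attempt():
    """Mallory claims the victim's URL, has the OP assert her own, rewrites the response."""
    victim, attacker = "http://first.last.id.case.edu/", "http://mallory.id.case.edu/"
    redirect = RP.begin(victim).replace(quote_plus(victim), quote_plus(attacker))
    back = OP.checkid_setup(redirect, "mallory", "pw").replace(quote_plus(attacker), quote_plus(victim))
    try:
        RP.complete(victim, back)
    except PermissionError as e:
        return str(e)
    return "accepted"
```

`login()` walks the three legs of the flow and returns the identity URL the blog can now treat as logged in. `impersonation_attempt()` shows why the relying party must recompute the HMAC over the fields it received rather than trust the `openid.identity` value on its own: the browser is under the attacker's control at every redirect, so the only thing that binds the assertion to the provider is the signature made with the key the blog associated with that provider, and rewriting the identity invalidates it. The `providers` dictionary is the blog's allowlist of providers it is willing to trust, which is the decision the article's later paragraph on trust says each service must make for itself.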
At the moment there is a surplus of OpenID providers but not enough services that accept an OpenID. The original developer, Brad Fitzpatrick, is also the creator of LiveJournal, so it goes without saying that LiveJournal's support for OpenID is extensive: not only can anyone with an OpenID comment on a LiveJournal, but every LiveJournal user can use their journal URL as an OpenID. Other services have announced OpenID support or begun development toward it. A number of providers exist, including MyOpenID (myopenid.com), Videntity (videntity.org), and GetOpenID (getopenid.com). All 63 million AOL users were recently given their own OpenIDs. And now every CaseID holder has their own OpenID. Most of these users will never use it, and many more will never know they have one.
There are limitations to and problems with OpenID. In its simplest form, it is not meant to create any trust in the authenticated user: an OpenID proves only that whoever is logging in controls that URL, not who they are. One could create, using any of the previously mentioned providers, an OpenID for George Bush and begin commenting on blogs and editing wiki articles while assuming the identity of the president himself. Because OpenID is decentralized, a service must also trust the provider that vouches for a user, so it may be a long time before OpenID is used in security-sensitive services that handle money. OpenID's "simplicity has the unfortunate side effect that as OpenID becomes more prevalent, the spammers will begin to game it. So additional layers will then start being applied to do things like 'trust'."
Having one account to rule them all is not always a desirable situation. Some accounts may be important enough that they deserve to be kept separate from the global style of OpenID. For example, consider creating an account on a forum where you wish to remain anonymous, in the sense that the account is in no way related to any other service you use. Using an OpenID for that forum creates a common link that could be traced to every other OpenID-enabled service you use. More importantly, using a single method of authentication creates a single point of failure: anyone who obtained your OpenID password (for a CaseID holder, the CaseID password itself) could log in as you to every service that accepts OpenID, essentially stealing your identity.
Decentralized authentication systems aren't a new or novel idea but many, including Smith, feel that OpenID has a better chance at succeeding where others have failed. It has gained support in the corporate world – Bill Gates at a security conference in early February announced that Microsoft will support OpenID – and now the academic world is following; as far as Smith knows, Case is the first university to provide an OpenID server. It's impossible to know where OpenID will go from here. According to Smith, "time will tell."