OpenID as a public authentication mechanism
A lot of people use OpenID as a universal login to multiple sites. In fact, that is its officially stated aim:
OpenID is a safe, faster, and easier way to log in to web sites.
OpenID official site
Too boring to be the best use for such a cool system. However, many people see this as its primary usage. (For example, Bill The Lizard, Stack Overflow moderator, expressed it in his edited--with abuse of moderators' powers, of course ;-)--comment here).
If the system is used as a universal login, then revealing your OpenID is not secure, since compromising it leads to very unfortunate consequences: you may lose control over a lot of services at once. So the OpenID has to stay private and do its job of verifying your identity against the other records in the database of a particular service.
Authentication via OpenID
According to Wikipedia, "authentication" is "confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one".
In simpler words, it is the act of verifying that it was you. That it was not George W. Bush, not any other guy, but only you who logged in to a particular site and left particular content there.
In fact, "login" is also an authentication. But its key feature is that it is private, while sometimes you might want to publicly announce yourself as the author of some content (a comment, a post, etc.).
And this "public authentication" is quite natural with OpenID. You log in to the site that supports it; the site makes a promise to display the very same id you logged in with near your real name. Given that this promise is kept, all the content you leave is signed with your OpenID.
Note that such a mechanism is not possible when OpenID is merely used as a "universal login". When it is used that way, the OpenID stays private and is not revealed to the public. But then it can't be used to verify the user profile you have on such a site. Within this scheme you can try to "sign" your content by one of the following:
- Add your OpenID to a freetext field in your profile. Usually a profile on a social site (forum, social network, etc.) contains some fields (named something like "userinfo") where you can put anything you want. So you could put your OpenID there to authenticate yourself. But that is not reliable, since anyone can put a link to your OpenID into his or her profile, and one can't determine which of these profiles is genuine.
- Put a link to your profile on your OpenID page. Usually OpenID providers make a promise to display a certain page if someone uses your OpenID as a web address. These pages usually also have a freetext field, into which you can enter links to the profiles you own on other sites. But then anyone could put a link to your profile there as well, and it's not possible to determine who is actually correct.
- Do both of the above. But then your login is compromised anyway.
- Do both of the above, but secretly use another OpenID to log in. But then you don't need the original OpenID at all!
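To make the difference between these options concrete, here is an added example (not code from the original post) that classifies a profile's claim to an OpenID as one-directional, as in the first two items, or mutual, as in the third, by looking for links in both directions; the URLs and page contents are constructed, and a real checker would fetch the pages over HTTP.

```python
# Added illustration: a self-asserted link in either direction proves nothing,
# because anyone can write it; only a link in both directions ties the two pages.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> and <link> elements on a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def normalize(url):
    """Canonical form so that trailing-slash and letter-case variants compare equal."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def links_to(page_html, target_url):
    """True if the page contains a link to target_url (after normalization)."""
    collector = _LinkCollector()
    collector.feed(page_html)
    target = normalize(target_url)
    return any(normalize(href) == target for href in collector.links)


def link_status(profile_url, profile_html, openid_url, openid_html):
    """Returns 'none', 'profile_only', 'openid_only' or 'mutual'."""
    profile_to_openid = links_to(profile_html, openid_url)
    openid_to_profile = links_to(openid_html, profile_url)
    if profile_to_openid and openid_to_profile:
        return "mutual"
    if profile_to_openid:
        return "profile_only"
    if openid_to_profile:
        return "openid_only"
    return "none"


# Constructed sample pages with hypothetical URLs: Alice's OpenID page links back to
# her forum profile; Mallory's profile merely copies the same link into "userinfo".
OPENID_URL = "https://alice.example.org/"
OPENID_PAGE = '<html><body><a href="https://forum.example.com/users/alice">my forum</a></body></html>'
ALICE_PROFILE = '<p>userinfo: <a href="https://alice.example.org">alice.example.org</a></p>'
MALLORY_PROFILE = '<p>userinfo: <a href="https://alice.example.org">alice.example.org</a></p>'
```

`link_status("https://forum.example.com/users/alice", ALICE_PROFILE, OPENID_URL, OPENID_PAGE)` returns "mutual", while the same call with Mallory's URL and profile returns "profile_only", which is exactly the claim anyone can make.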
The shortcoming of the "add to userinfo" approach described above is that you have to list, on your OpenID page, all the places where you left something. All comments on blogs, all profiles you own: maintaining such a list is tiresome. However, if every engine that supports OpenID revealed its users' OpenIDs, doing this just wouldn't be necessary.
So, having analyzed the above ways of refraining from publishing your true OpenID, I thought that OpenID should become more than just a means of identification. It could also be used for authorization, and merely displaying it would suffice.
OpenID and coldattic.info
This is how I use OpenID in my blog. When you comment, the engine displays the OpenID (I have made a proper warning in the description of this blog, but I think I should make it more visible). And if you trust my engine, you can trust that all the comments left here are made by the very same persons that own the OpenIDs.
Of course, the promise is not backed with anything, and I can display random OpenIDs in the comments to my blog. But I'm no villain. And anyway you have to trust your OpenID provider--so why can't you trust a blog either? :-)
Comments imported from the old website
I actually don't see any big difference between "username" or "password". If we approach the issue from the point of what should be secret, there's really no difference: well, assume your username is secret, and password is not; what would change then? But keeping username secret is treated as "obscurity", and keeping password secret—is not; why?
There's no answer. Because that's the definition. By definition, an open part of your authenticity token is "username", which is kept open, and the secret part is "password". And actually, sometimes "password" is referred to as "secret".
This also proves that, by definition, others should know your username, or OpenID.
I mostly agree with you, but I don't think that keeping your OpenID (which is basically a username when used for authentication) secret is beneficial to security. I don't even think it's possible. Relying on a secret username sounds like "Security by Obscurity" to me - I prefer to rely on a strong password.