Principles of OpenID

OpenID: A Digital Identity StandardOpenID was created by Brad Fitzpatrick, the founder and technical whiz behind LiveJournal, one of the more popular blogging sites. Through his experiences building and operating a world-class blogging engine, he became painfully aware that the necessity for users to create separate login accounts for every web site they frequented was a severe impediment for users. He created OpenID in an effort to provide a single sign-on system that could be shared across otherwise unrelated web sites.

Since its original inception, an active community of technology companies, user companies and open-source developers has formed around the OpenID specification. Participants of this community actively critique the OpenID specification, propose enhancements and help guide OpenID's evolution.

As the OpenID specification has evolved, a set of basic principles has been established:

  • OpenID should provide a single sign-on that can be used with multiple web sites.
  • OpenID should support de-centralized identity verification.
    • Nobody owns OpenID.
    • Nobody controls OpenID.
    • No single point of failure.
  • OpenID should be a simple and light-weight sign-on service.
  • OpenID should be easy to use and deploy.
  • OpenID should be free.
  • OpenID should be an open standard that changes based on community needs.

These principles are important, because they have a major impact on the directions in which the OpenID community works to evolve and improve OpenID.

The first, and most obvious, principle simply expresses the basic intent of OpenID, which is to provide a single sign-on system that can be used across multiple web sites. The basic concept for OpenID is that users can possess one or more identities, which function for people in much the same way that domain names function for web sites. Think of an OpenID identity as a personal URL. Some examples of OpenID identities are:

The next principle is that verification of OpenID operates in a de-centralized manner. Again, in much the same way that domain names are supported. The OpenID community believes (and so do I) that the public will not accept a cross-site identity scheme owned and controlled by any single company.

This is why other technologies, notably Microsoft Passport (which has also been marketed under several other names), have never been able to gain widespread acceptance. De-centralization of identity verification also provides another benefit – it ensures that there is no single point of failure for OpenID identities.

The OpenID community believes very strongly that the user should control their online identity, and that includes the choice of what company or web site will provide verification for their identity. With an identifier like "," the identity is "joeschmo" and "" is an OpenID Provider, i.e. — a web site that provides the service of verifying that identity for other web sites.

Another principle is that OpenID provides a light-weight authentication service. Essentially, OpenID verification allows a user to claim, and then prove, that they own a particular identity. It does not natively support stronger claims, such as:

  • Identity "joeschmo" really belongs to an individual named "Joe Schmo."
  • Identity "joeschmo" belongs to a person aged 21 years or older.
  • Identity "joeschmo" belongs to a person with a good credit rating.
  • Identity "joeschmo" belongs to a male.

There may eventually be other services built on top of OpenID that support these stronger assertions about an individual. But all OpenID does is verify that an individual does, in fact, own their identity, i.e. — their own personal URL.

The other principles have to do with ensuring that OpenID becomes available to as many people as possible. To support this, OpenID should be free, easy to use and easy to deploy. In fact, OpenID is already supported in numerous development languages, including .NET, Perl, Ruby, Java and many others.

Finally, the evolution of OpenID is regulated in an open manner by the OpenID community. There is no single company that directly controls the fate of the OpenID standard. There is an active, extremely vocal and widespread community that is intent on both enhancing the OpenID standard and ensuring that its evolution continues to adhere to the basic principles that have been established.


No comments yet. Be the first.

Leave a Comment

Comments are moderated and will not appear on the site until reviewed.

(not displayed)