08 Sep 2008

More on OpenID

Technology, Web 3 Comments

I was just reading an article in Information Week about OpenID and how it has been starting to catch on and is being implemented on mainstream sites, like MySpace.  As quickly as the article praises it, it turns around to point out how many sites let you use their OpenID elsewhere but don’t accept IDs issued by other providers because of “inherent risks”.  This sentence got my brain thinking:

“Since no OpenID provider makes public its practices around vetting and protecting identities, there’s effectively no way of assessing liability for faulty initial identification.”

Who is bound by law to verify IDs stringently?  Oh, that’s right.  Financial institutions.  So why don’t banks and credit unions jump on board and offer OpenID?  (I’d love to see a start-up virtual credit union do this.)

One potential issue I see with this is that there would still need to be a verification step to confirm that an OpenID was really issued by a bank or CU.  I could go register robbiewrightbank.com and issue “verified” OpenIDs that could be used to log into sites that need stricter control over the content they offer.  So the question becomes: how do you create a secure OpenID that is provided by numerous companies?  I think the answer may lie in a tightly controlled TLD for banks and credit unions.  Literally, have .bank or .creditunion or the like.  The registrar for the TLD would verify that the FI buying the domain is legitimate, using government-verified documents like call reports.  This concept has been kicked around before, but maybe it just doesn’t have any legs.
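To make the robbiewrightbank.com concern concrete, here is an added example (not code from this post) of the check a relying party would run on an OpenID 2.0 positive assertion before believing that a bank vouched for the user. It decides trust on the provider endpoint that actually authenticated the user (openid.op_endpoint), never on the look of the identifier, and shows two policies side by side: an explicit allowlist of provider hosts, and the restricted TLD proposed above. It also looks at the PAPE auth_policies value the provider reports, since a bank vouching for identity is worth little if the login itself was a phishable password. The provider hostnames, the responses and the .bank label are constructed for the example; the association signature check (openid.sig over openid.signed) is assumed to have already passed and is not shown.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policy: hosts of OpenID providers this relying party has agreed
# to trust (hypothetical names, not real institutions).
TRUSTED_OP_HOSTS = frozenset({"id.examplebank.com", "openid.examplecu.org"})

# The post's proposed financial-institution TLD, treated here as a policy knob.
# Set to None to disable TLD-based trust and rely on the allowlist alone.
RESTRICTED_TLD = "bank"

# PAPE policy identifier a provider reports when it applied a
# phishing-resistant login method.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def op_host(endpoint_url):
    """Hostname of an OP endpoint, or None if the endpoint is unusable.

    Requires https, and uses urlsplit so a decoy in the userinfo part
    (https://id.examplebank.com@evil.example/) yields the real host.
    """
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def provider_trusted(endpoint_url, allowlist=TRUSTED_OP_HOSTS, tld=RESTRICTED_TLD):
    """True if the provider at endpoint_url is one we accept assertions from."""
    host = op_host(endpoint_url)
    if host is None:
        return False
    if host in allowlist:
        return True
    if tld is None or "." not in host:
        return False
    # Only the final label counts: robbiewrightbank.com and bank.evil.example
    # both fail, anything registered under the restricted TLD passes.
    return host.rsplit(".", 1)[1] == tld.lower()


def vet_assertion(query_string, required_policies=(), allowlist=TRUSTED_OP_HOSTS,
                  tld=RESTRICTED_TLD):
    """Provider-trust step for an OpenID 2.0 id_res response.

    Returns (True, (provider_host, op_local_identifier)) or (False, reason).
    The account is keyed on the provider plus openid.identity, which is what
    the provider actually vouched for; openid.claimed_id may be a page
    elsewhere that merely delegates to that provider.
    """
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    endpoint = params.get("openid.op_endpoint", "")
    if not provider_trusted(endpoint, allowlist, tld):
        return False, f"untrusted provider: {endpoint!r}"
    if required_policies:
        applied = set(params.get("openid.pape.auth_policies", "").split())
        missing = sorted(set(required_policies) - applied)
        if missing:
            return False, "provider did not apply: " + " ".join(missing)
    identity = params.get("openid.identity")
    if not identity:
        return False, "no OP-local identifier in assertion"
    return True, (op_host(endpoint), identity)


# Constructed responses (the query string a provider redirects back with).
_COMMON = "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
CONSTRUCTED_RESPONSES = {
    # Issued by an allowlisted provider after a phishing-resistant login.
    "bank_issued": (_COMMON + "&openid.op_endpoint=https://id.examplebank.com/server"
                    "&openid.claimed_id=https://id.examplebank.com/rwright"
                    "&openid.identity=https://id.examplebank.com/rwright"
                    "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
                    "&openid.pape.auth_policies=" + PHISHING_RESISTANT),
    # Same provider, but it reports that no special policy was applied.
    "password_only": (_COMMON + "&openid.op_endpoint=https://id.examplebank.com/server"
                      "&openid.identity=https://id.examplebank.com/rwright"
                      "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
                      "&openid.pape.auth_policies=none"),
    # The lookalike from the post: a domain anyone can register.
    "lookalike": (_COMMON + "&openid.op_endpoint=https://robbiewrightbank.com/server"
                  "&openid.identity=https://robbiewrightbank.com/rwright"),
    # Decoy host in the userinfo part; the real host is evil.example.
    "userinfo_trick": (_COMMON + "&openid.op_endpoint=https://id.examplebank.com@evil.example/server"
                       "&openid.identity=https://evil.example/rwright"),
}

if __name__ == "__main__":
    for name, response in CONSTRUCTED_RESPONSES.items():
        print(name, vet_assertion(response, required_policies=(PHISHING_RESISTANT,)))
```

The allowlist and the TLD rule answer different questions: the allowlist says "we have a relationship with this provider", the TLD rule says "someone vetted that this domain belongs to a financial institution". Either way the decision hangs on the host that signed the assertion, not on the claimed identifier, because the claimed identifier is the one string a user (or an attacker) can host anywhere.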

So what do you think?  Is there a need for a secure TLD for only financial institutions?  Do banks or CUs really need to offer an OpenID service?

3 Responses to “More on OpenID”

  1. Guillaume says:

    While I think that providing OpenIDs is a good opportunity for FIs [1] (if they don’t wait too long), they are the only ones that have an opportunity to do so. As a result, I don’t think that the solution to the problem you are mentioning will be via a secure bank-specific TLD.

    The simplest first step is for Web sites supporting OpenID to maintain a list of OpenID providers they trust, possibly with varying degree of trust.

    Note that it’s not because I know for sure that you are a CU or a bank that I will trust you as an OpenID provider. I will trust you because you will provide me with information about your security such that I feel the OpenIDs you issue can be trusted. Part of this can be addressed with OpenID policy extensions [2], but more likely this trust between OpenID consumers and providers will be the result of contractual agreements involving disclosure of security procedures and related insurance arrangements.

    The problem of trust lies with the consumer: (1) will a consumer feel safer logging in to their CU/Bank ID with their Google ID, or (2) will they feel safer logging in to Google via their CU/Bank ID? My guess is (2).

    [1] http://lebleu.org/blog/2008/05/21/should-banks-bank-on-openid/
    [2] http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html

  2. Guillaume says:

    I meant “they are NOT the only ones that have an opportunity to do so” in my previous comment.

  3. James says:

    Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I don’t know how your blog came up, must have been a typo, I dunno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.