A new year and already a new service: StartSSL™ is going to be an OpenID provider for digital identities! This is great news for various reasons…
Last summer (2007) I asked at this web log whether there is going to be a more secure future for OpenID. In that post I explained where the dangers are and why StartCom didn’t support it at the time. Others took it much further; here, for example, is a practical beginner’s guide to OpenID phishing. Ouch! At least I mentioned two additional policy extensions which gave me some hope for a better future of the OpenID framework and standard.
But I wasn’t alone. Stefan Brands wrote extensively in this article about the major problems of OpenID. Starting with security and privacy, he also raises the issue of trust, claiming that OpenID is yet another identity-transport system lacking trust. Quite right. And this is a real problem for the relying parties, i.e. the web sites that accept OpenID identifiers: an identifier tells them who asserts a name, not whether that assertion is worth anything.
So what has changed? First of all, OpenID Authentication 2.0 was approved as a standard. Many aspects have improved since version 1.1, even if in my opinion some of its provisions don’t go far enough: SSL/TLS, for example, is only recommended, not required. Nor is a federation or other supervising body in the making. But the OpenID Foundation has settled some legal matters such as patent and trademark issues, which these days is no less important.
Software libraries have improved and been updated to the 2.0 standard. Extensions such as the OpenID Provider Authentication Policy Extension (PAPE), which lets a relying party ask how the provider actually authenticated the user and have the answer returned under the provider’s signature, have been implemented as well. I mentioned better library support as important, and it seems that things have indeed improved.
But that’s not all of the story. An important aspect of StartSSL™ being an identity provider is StartSSL™ itself. Because subscriber accounts are secured by client-side SSL certificates for authentication, in addition to forced SSL/TLS encryption for any data exchange, StartSSL™ provides authentication based on public-key cryptography rather than a password typed into a form, which is exactly what OpenID phishing preys on. Subscribers who have validated their identity under Class 2 validation can even be trusted to a reasonable extent. A relying party only benefits from this if it asks, though: without the PAPE it cannot tell whether the provider authenticated the user with a certificate or with a password. I believe that under these conditions OpenID is going to be useful for all sides involved.
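What the relying-party side of this looks like, as an added example that is not code from this post or from StartCom: the relying party asks the provider for the PAPE phishing-resistant policy and a fresh authentication, and on return refuses any assertion in which those PAPE fields are missing, unsigned, or report a different policy. The endpoint URLs, identifiers and association handle are hypothetical, the sample response is constructed, and verification of `openid.sig` itself is assumed to be done by an OpenID library before this check runs.

```python
"""Relying-party side check for the OpenID 2.0 PAPE phishing-resistant
policy. Added example, not code from the post or from StartCom; endpoint
URLs, identifiers and the association handle below are hypothetical."""
import calendar
import time
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Policy URI defined by PAPE 1.0 for authentication that resists phishing,
# e.g. a client certificate instead of a password typed into a form.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
# PAPE fields a relying party must see under the provider's signature.
PAPE_SIGNED_FIELDS = ("ns.pape", "pape.auth_policies", "pape.auth_time")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_checkid_setup(op_endpoint, claimed_id, return_to, realm, max_auth_age=300):
    """Build the checkid_setup redirect URL, asking via PAPE for a
    phishing-resistant policy and an authentication no older than max_auth_age."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
        "openid.pape.max_auth_age": str(max_auth_age),
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def parse_response(query_string):
    """OpenID parameters are single-valued; keep the first value of each."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def check_pape_response(resp, max_auth_age=300, now=None):
    """Return (ok, reason) for a positive assertion. The caller is expected to
    have verified openid.sig against the association already; this function
    checks only what PAPE adds on top of the plain OpenID assertion."""
    now = time.time() if now is None else now
    if resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, "provider did not answer the PAPE request"
    # Extension fields outside openid.signed could be appended by anyone on
    # the redirect, so a phishing-resistant claim is only as good as the MAC.
    signed = set(resp.get("openid.signed", "").split(","))
    for field in PAPE_SIGNED_FIELDS:
        if field not in signed:
            return False, f"{field} is not covered by openid.sig"
    # auth_policies is a space-separated list of policy URIs, or "none".
    policies = resp.get("openid.pape.auth_policies", "none").split()
    if PHISHING_RESISTANT not in policies:
        return False, "authentication was not phishing-resistant"
    # auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ.
    try:
        auth_time = calendar.timegm(time.strptime(resp["openid.pape.auth_time"], TIME_FMT))
    except (KeyError, ValueError):
        return False, "missing or malformed pape.auth_time"
    if now - auth_time > max_auth_age:
        return False, "authentication is older than max_auth_age"
    return True, "ok"


def sample_response(policies=PHISHING_RESISTANT, sign_pape=True):
    """Constructed positive assertion as it would arrive on return_to
    (hypothetical hosts and handle; the signature value is a placeholder)."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_pape:
        signed += list(PAPE_SIGNED_FIELDS)
    return urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/openid",
        "openid.claimed_id": "https://op.example.org/alice",
        "openid.identity": "https://op.example.org/alice",
        "openid.return_to": "https://rp.example.net/login/return",
        "openid.response_nonce": "2008-01-10T12:00:05ZUNIQUE",
        "openid.assoc_handle": "hypothetical-handle",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.pape.auth_time": "2008-01-10T12:00:00Z",
        "openid.signed": ",".join(signed),
        "openid.sig": "placeholder-base64-mac",
    })


# Fixed clock so the example is reproducible: one minute after auth_time.
SAMPLE_NOW = calendar.timegm(time.strptime("2008-01-10T12:01:00Z", TIME_FMT))

if __name__ == "__main__":
    print(build_checkid_setup("https://op.example.org/openid", "https://op.example.org/alice",
                              "https://rp.example.net/login/return", "https://rp.example.net/"))
    for label, qs in [("certificate login", sample_response()),
                      ("password login", sample_response(policies="none")),
                      ("PAPE fields unsigned", sample_response(sign_pape=False))]:
        print(label, check_pape_response(parse_response(qs), now=SAMPLE_NOW))
```

The three sample cases are the ones that matter in practice: a provider that authenticated with a client certificate and says so under its signature passes; a provider that reports `none` (a password login) is rejected even though the OpenID assertion itself is valid; and an assertion whose PAPE fields sit outside `openid.signed` is rejected, because anyone who can touch the redirect could have added them.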
Now every subscriber at StartSSL™ automatically receives a default OpenID identifier, along with an easy way to change the default nick name. It’s very easy to use, and I must admit that since I started using my own identifier, registering and logging in at forums and blogs hasn’t been this easy and fun for a long time. Check it out for yourself: get an account and client certificate free of charge. To sign up, just click on the “Control Panel”.