Manage your online identity.

Yesterday, the announcement that Sun would offer “trusted” OpenID’s to its employee network has created a bit of buzz around the identity blogosphere. To break it down a little, two particularly interesting points emerged. First was simply the idea that Sun would support and offer OpenID’s was noteworthy – they stand with Microsoft and AOL as large vendors embracing OpenID in one way or another. Second was the assertion of a trusted OpenID space. As Tim Bray wrote:

What’s more interesting is that we’re rolling out an OpenID provider, but with a twist: You can’t get an OpenID there unless you’re a Sun employee, and if someone offers an OpenID whose URI is there, and it authenticates, you can be really sure that they’re a Sun employee. It doesn’t tell you their name or address or anything else; that’s up to the individual to provide (or not).

…

The applications are obvious; if anyone wants to offer deals or special treatment online to Sun employees, well, that’s easy now. (I know of at least one company named after a fruit whose online store offers a nice Sun employee discount based on knowing a “secret” URL; this would have to be a much better alternative).

Phil Windley asks the right questions:

Still, I like that Sun’s taking OpenID seriously. Ignore the employee status as URL issue and just concentrate on the asserted strength of the authentication process, if you like. Even so, there are still some flies in the ointment.

• First, how do we know this is true, except that Tim says it?
• More importantly, how does a machine know it’s true?
• How do we avoid huge whitelists of machines who’s OpenIDs we trust (or blacklists of machines we don’t)?

While a number of individuals took umbrage at some of the language and assumptions Bray made in his post, JanRain CTO Michael Graves ultimately sees it as a positive event.

At any rate, it’s worth noting here that Sun’s announcement is proof positive that solutions to big problems often start out small (see Tim’s closing line of his post). Sun’s deployment of openid.sun.com isn’t a silver bullet for the problems of internet identity — not by a long shot — but this is a practical, simple step forward that, embraced widely by other organizations, will effect long-sought improvements in trust and trust and identity as building blocks for network applications.

I see this as a positive as well. When major vendors start adopting and running open-source, public domain projects like OpenID, there’s generally a halo effect. Of course, the politics of the project get more complex, but that’s to be expected. Ultimately, the challenges of enforcing and trusting domains seems a lot like some of the exceptions people raise to the MicroID standard, but with good policies, I believe its a solid direction. Certainly, one can imaging higher-ed institutions implementing something like what Sun has done, which is something I’d love to see.

This entry was posted on Wednesday, May 9th, 2007 at 4:30 pm and is filed under Dispatches from a beta, OpenID.