2009-08-01

Directed Identity

I read Glyn Moody's writings with interest, but with his post Why Single Sign On Systems Are Bad I think he's made a rare slip. Here's a note to Glyn on why I think he's wrong on this occasion:

You conflate single sign-on (SSO) and single identity. OpenID lets you have SSO and lets you have a separate identity for each web site you visit. It's called Directed Identity, and Peter Williams gives a good explanation of it.

Yahoo! implement directed identity. Anyone with a Yahoo! account that signs in to websites using OpenID automatically has a different ID for each web site. When you sign in to the web site you just type yahoo.com in the OpenID box, and Yahoo! magically works it all out.

I got that last paragraph wrong. As Will Norris explains, Yahoo! implements identifier select and can give an opaque URL, but Yahoo! does not support directed identity. Google does support directed identity.
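To make the distinction concrete, here is the mechanism in working code. This is an added example, not code from this post, from Yahoo! or from Google: a hypothetical provider (op.example, with a constructed provider-held secret) derives a per-relying-party identifier from the account name and the RP's realm using an HMAC, next to the single opaque identifier that identifier select alone gives.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed example values: a secret held only by the OpenID provider (OP)
# and a hypothetical provider host. Neither is ever shared with relying parties.
OP_SECRET = b"constructed-op-secret-never-shared"
OP_HOST = "https://op.example"


def realm_of(return_to: str) -> str:
    """Reduce the RP's return_to URL to scheme://host, so every page of one
    site sees the same identifier (directed identity is per RP, not per URL)."""
    u = urlparse(return_to)
    return f"{u.scheme}://{u.netloc}".lower()


def directed_identifier(user: str, return_to: str) -> str:
    """Directed identity: the identifier asserted for `user` at this RP.
    The RP only sees an HMAC output keyed with a secret it does not hold, so
    two RPs comparing their user lists cannot tell they share an account."""
    realm = realm_of(return_to)
    digest = hmac.new(OP_SECRET, f"{user}|{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{OP_HOST}/id/{digest[:32]}"


def opaque_identifier(user: str) -> str:
    """Identifier select with one opaque URL per account (the Yahoo! behaviour
    Will Norris describes): the account name is hidden, but the URL is the same
    at every RP, so RPs can still link their records of the same person."""
    digest = hmac.new(OP_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{OP_HOST}/id/{digest[:32]}"


class Provider:
    """Minimal OP that records which directed identifiers it issued to which
    account: the provider itself still knows they all belong to one person."""

    def __init__(self) -> None:
        self.issued: dict[str, tuple[str, str]] = {}  # identifier -> (user, realm)

    def assert_identity(self, user: str, return_to: str) -> str:
        ident = directed_identifier(user, return_to)
        self.issued[ident] = (user, realm_of(return_to))
        return ident

    def resolve(self, ident: str):
        """Only the OP can map an identifier back to the account (or None)."""
        return self.issued.get(ident)
```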

5 comments:

  1. In the link you give, Peter Williams writes: "The identity provider would, of course, understand that all these single use identities are really all part of the same identity." That's the problem with the SSO that really interests me: the UK government's ID card/ID database. The identity provider is the *government itself*, and so would be able to link all those disparate identities together. Each department might think they were separate, but the security services certainly wouldn't....
  2. But you can have SSO without a government ID card scheme. OpenID gives you that, and you can use it now. My point is that SSO should be left out of the ID card debate, it's not relevant.
  3. Actually, Yahoo! does not implement directed identity. They DO support identifier select along with an opaque identifier, but the identifier is the same for every relying party. I actually wrote on this topic yesterday: http://willnorris.com/p/797
  4. You're right, of course, you can have SSO without the ID scheme. But even those have an identity provider, which will be subject to government requests to allow access to consolidated information about people. Better not to have that all together in one place.

    And what concerns me is that one of the specious reasons the government gives for bringing in this system is that SSO makes life so much simpler, that we'd be mad not to embrace it. And for most people, SSO probably does sound beneficial; that's why I wanted to emphasise - somewhat sensationally - the problems. Shocking, I know.
  5. Thanks Will, I've updated my post to correct the muddled terminology you pointed out.