OpenID is a decentralized system to verify one's online identity. While it is not intended to prevent spam or create a trust metric,^[1] it solves the single sign-on problem without relying on any centralized website to confirm digital identity. OpenID users identify themselves with a URI or XRI which they own, such as for a blog or a home page. Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in. Image File history File links OpenID_logo. ... To meet Wikipedias quality standards, this article may require cleanup. ... Look up spam, SPAM in Wiktionary, the free dictionary. ... In psychology and sociology, a trust metric is a measure of how a member of a group is trusted by the other members. ... Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. ... Digital identity refers to the aspect of digital technology that is concerned with the mediation of peoples experience of their own identity and the identity of other people and things. ... A Uniform Resource Identifier (URI), is a compact string of characters used to identify or name a resource. ... eXtensible Resource Identifier (abbreviated XRI) is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRI is to provide a universal format for abstract, structured identifiers that are domain-, location-, application... To meet Wikipedias quality standards, this article or section may require cleanup. ...

On OpenID-enabled sites, Internet users do not need to register and manage a new account for every site before being granted access. Instead, they only need to be previously registered on a website with an OpenID "identity provider", sometimes called an i-broker. They can also link to this identity provider from another website they own and log in using that website's URI instead, allowing them to connect their identity to their website. A website which accepts sign-ins from OpenID is called a "relying party." An i-broker is a banker for data or ISP for identity services — a trusted third party that helps individuals and organizations share private data the same way banks help exchange funds and ISPs help exchange e-mail and files. ...

OpenID does not provide its own form of authentication, so it is not meant to be used on sensitive accounts (banking, e-commerce transactions, etc.), but if an identity provider uses strong authentication, OpenID can be used for all types of transactions. For other uses, see Bank (disambiguation). ... Electronic commerce, EC, e-commerce or ecommerce consists primarily of the distributing, buying, selling, marketing, and servicing of products or services over electronic systems such as the Internet and other computer networks. ... Authentication, in the field of computer security is the act of validating an identity based on some factor or factors. ...

OpenID is increasingly gaining adoption amongst large sites, with organizations like AOL both acting as a provider as well as Wikipedia announcing that they will support OpenID ^[2]. In addition, integrated OpenID support has been made a mandatory priority in Firefox 3^[3] and Microsoft is working on implementing OpenID 2.0 in Windows Vista.^[4] Screenshot of AOL.com AOL LLC (formerly America Online, Inc) is an American online service provider, bulletin board system, and media company operated by Time Warner. ... Wikipedia - Wikipedia, the free encyclopedia /**/ @import /skins-1. ... Mozilla Firefox (abbreviated as Fx, fx (prescribed[2]), or FF) is a graphical web browser developed by the Mozilla Corporation. ... Microsoft is one of few companies engaging itself in the console wars Where they are up against sony, nintendo, and of course sharps new console which may cause a threat. ... Windows Vista is the latest release of Microsoft Windows, a line of graphical operating systems used on personal computers, including home and business desktops, notebook computers, Tablet PCs, and media centers. ...

Notable providers and relying parties

Two major identity providers online, AOL and Yahoo!, can currently be used with OpenID. AOL's system, using openid.aol.com/username, is currently in beta. Yahoo has unofficial, third-party OpenID support at idproxy.net. Yahoo! Inc. ...

Websites which use OpenID as an alternative to registration include LiveJournal, Zooomr, Wikitravel, ma.gnolia.com, and claimid.com. LiveJournal (often abbreviated LJ) is a virtual community where Internet users can keep a blog, journal, or diary. ... Zooomr is a website created in 2005 by web developer Kristopher Tate of BlueBridge Technologies Group for sharing digital photos. ... Wikitravel is a project to create an open content, complete, up-to-date, and reliable world-wide travel guide. ...

There is a list of public servers on which someone may get an OpenID at openid.net. .

Development

OpenID was originally developed by Brad Fitzpatrick of LiveJournal, but the term now also includes the Light-Weight Identity, Yadis, Sxip DIX protocol that was proposed at IETF, and OASIS XRI/i-names. Future OpenID specifications are being developed in a meritocratic fashion on openid.net, involving many technology companies, user companies and open-source developers. Brad Fitzpatrick. ... LiveJournal (often abbreviated LJ) is a virtual community where Internet users can keep a blog, journal, or diary. ... Light-Weight Identity (LID) is a system created by NetMesh for verifying identity on the Internet. ... // Fostering online trust relationships YADIS (Yet Another Distributed Identity System) is an open initiative to build an interoperable lightweight discovery protocols for human-centred data exchange. ... Oasis in the Libyan part of the Sahara In geography, an oasis (plural: oases) is an isolated area of vegetation in a desert, typically surrounding a spring or similar water source. ... XRI (eXtensible Resource Identifier) is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRIs is to provide a universal format for identifiers that are domain-, location-, application-, and transport-independent... I-name - Wikipedia, the free encyclopedia /**/ @import /skins-1. ... This article or section does not cite its references or sources. ...

To help spawn additional deployment, a group of vendors announced a $50,000 USD developer bounty program in August of 2006, offering $5,000 USD each to the first ten large-scale Open Source projects to implement OpenID support.^[5]

Starting with version 1.1, OpenID uses the Yadis service discovery protocol. Currently work is underway developing OpenID Authentication 2.0, though OpenID is now developing into a much more complete framework that will support other identity services besides authentication. // Fostering online trust relationships YADIS (Yet Another Distributed Identity System) is an open initiative to build an interoperable lightweight discovery protocols for human-centred data exchange. ... Authentication (Greek: αυθεντικός = real or genuine, from authentes = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. ...

Intellectual property

R-Objects Inc. filed for the OpenID trademark (serial 78899244) on 2 June 2006^[6] which was published for opposition on 9 January 2007, claiming a first use date of 17 May 2005 and a first use in commerce date of 18 April 2006. Sxip Identity Corporation subsequently filed for the OpenID trademark (serial 77041930) on 11 November 2006^[7] but abandoned it on 23 November 2006^[8]. Randy "ydnar" Reddig claimed ownership of the OpenID logo on 29 June 2005 and announced plans to transfer it to Six Apart (or some OpenID.org). June 2 is the 153rd day of the year in the Gregorian calendar (154th in leap years), with 212 days remaining. ... For the Manfred Mann album, see 2006 (album). ... January 9 is the 9th day of the year in the Gregorian calendar. ... 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the Anno Domini (common) era. ... May 17 is the 137th day of the year in the Gregorian Calendar (138th in leap years). ... 2005 (MMV) was a common year starting on Saturday of the Gregorian calendar. ... April 18 is the 108th day of the year in the Gregorian calendar (109th in leap years). ... For the Manfred Mann album, see 2006 (album). ... November 11 is the 315th day of the year (316th in leap years) in the Gregorian Calendar, with 50 days remaining. ... For the Manfred Mann album, see 2006 (album). ... November 23 is the 327th day of the year (328th in leap years) in the Gregorian Calendar, with 38 days remaining. ... For the Manfred Mann album, see 2006 (album). ... June 29 is the 180th day of the year (181st in leap years) in the Gregorian Calendar, with 185 days remaining. ... 2005 (MMV) was a common year starting on Saturday of the Gregorian calendar. ...

There is a pending USPTO patent application with PCT priority from Denmark of March 9 2001 that covers the central aspects of OpenId.

Six Apart Ltd. are the registrant for the 'official' openid.net domain, which was transferred from David I. Lehn on 16 June 2005. Six Apart Ltd. ... June 16 is the 167th day of the year in the Gregorian calendar (168th in leap years), with 198 days remaining. ... 2005 (MMV) was a common year starting on Saturday of the Gregorian calendar. ...

The official site currently states:

Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.

Terminology

A basic glossary of the terms used with OpenID:

• consumer — Another word for the end user.
• end user — The person who wants to assert his or her identity to a site.
• identifier — The URL or XRI chosen by the End User as their OpenID identifier.
• identity provider — A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services).
• relying party — The site that wants to verify the end user's identifier.
• server or server-agent — The server that verifies the end user's identifier. This may be the end user's own server (such as their blog), or a server operated by an identity provider.
• user-agent — The program (such as a browser) that the end user is using to access an identity provider or a relying party.

A Uniform Resource Locator, URL (spelled out as an acronym, not pronounced as earl), or Web address, is a standardized address name layout for resources (such as documents or images) on the Internet (or elsewhere). ... XRI (eXtensible Resource Identifier) is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRIs is to provide a universal format for identifiers that are domain-, location-, application-, and transport-independent...

How OpenID works

A website, such as example.com, which wants to enable OpenID logins for its visitors, places a login form somewhere on the page. Unlike a typical login form, which prompts the user for a user name and password, there is only one field - for the OpenID identifier. The site may choose to display a small OpenID logo next to the field. This form is connected to an implementation of an OpenID client library.

If a user named Alice wants to log in to example.com using the OpenID identifier alice.openid-provider.org that she has registered with the identity provider openid-provider.org, she simply goes to example.com and types alice.openid-provider.org in the OpenID login box.

If the identifier is a URL, the first thing the relying party (example.com) does is transform into a canonical form, e.g., http://alice.openid-provider.org/. With OpenID 1.0, the relying party then requests the web page located at that URL and, via an HTML link tag, discovers that the provider server is, say, http://openid-provider.org/openid-auth.php. It also discovers whether or not it should use a delegated identity (see below). Starting with OpenID 1.1, the client does discovery by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml that may be available at the target URL and is always available for a target XRI. // Fostering online trust relationships YADIS (Yet Another Distributed Identity System) is an open initiative to build an interoperable lightweight discovery protocols for human-centred data exchange. ...

There are two modes in which the relying party can communicate with the identity provider:

• checkid_immediate, which is machine-oriented and in which all communication between the two servers is done in the background, without the user's knowledge;
• checkid_setup, in which the user communicates with the provider server directly using the very same web browser used to access the relying party site.

The second option is more popular on the Web; also, checkid_immediate can fallback to checkid_setup if the operation cannot be automated.

First, the relying party and the provider (optionally) establish a shared secret - an associate handle, which the relying party then stores. If using checkid_setup, the relying party redirects the user's web browser to the provider. In this case, Alice's browser is redirected to openid-provider.org so Alice can authenticate herself with the provider. Each secret share is a plane, and the secret is the point at which three shares intersect. ...

The method of authentication may vary, but typically, an OpenID provider asks for a password (and then possibly stores the user's session using cookies, as many websites with password-based authentication do). Alice may be prompted for her password if she was not logged in on openid-provider.org, and then asked whether she trusts, say, http://example.com/openid-return.php - the page designated by example.com as the one where the user should return after completing authentication - to receive details about her identity. If she answers positively, OpenID authentication is considered successful and the browser is redirected to the designated return page with credentials given. If Alice decides not to trust the relying party site, the browser is still redirected - however, the relying party is notified that its request was rejected, so example.com refuses to authenticate Alice in turn.

However, the login process is not over yet because at this stage, example.com cannot decide whether the credentials received really came from openid-provider.org. If they had previously established a shared secret (see above), the consumer can validate the shared secret received with the credentials against the one previously stored. Such a consumer is called stateful because it stores the shared secret between sessions. In comparison, a stateless or dumb consumer must make one more background request (check_authentication) to ensure that the data indeed came from openid-provider.org.

After Alice's identifier has been verified, she is considered logged in to example.com as alice.openid-provider.org. The site may then store the session or, if this is her first logon, prompt Alice to enter some information specific to example.com, in order to complete registration.

OpenID identifiers

Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.

URLs

There are two ways to obtain an OpenID-enabled URL that can be used to login on all OpenID-enabled websites. A Uniform Resource Locator, URL (spelled out as an acronym, not pronounced as earl), or Web address, is a standardized address name layout for resources (such as documents or images) on the Internet (or elsewhere). ...

1. First, to use an existing URL that you control (such as your blog or home page), and if you know how to edit HTML, you can insert the appropriate OpenID tags in the HTML code following instructions at the OpenID specification. Note that using a subdomain can make your OpenID more memorable and quicker to write, but this is not required.
2. The second option is to register an OpenID identifier with an identity provider. They offer the ability to register a URL (typically a third-level domain) that will automatically be configured with OpenID authentication service.

HTML, short for HyperText Markup Language, is the predominant markup language for the creation of web pages. ... HTML, short for HyperText Markup Language, is the predominant markup language for the creation of web pages. ... In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is part of a larger domain. ...

XRIs

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms -- i-names and i-numbers -- that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name. XRI (eXtensible Resource Identifier) is a scheme and resolution protocol for abstract identifiers compatible with Uniform Resource Identifiers and Internationalized Resource Identifiers, developed by the XRI Technical Committee at OASIS. The goal of XRIs is to provide a universal format for identifiers that are domain-, location-, application-, and transport-independent... Identifiers (IDs) are lexical tokens that name entities. ... I-name - Wikipedia, the free encyclopedia /**/ @import /skins-1. ... I-numbers are one form of an XRI - an abstract identifier designed for sharing resources and data across domains and applications. ... Synonyms (in ancient Greek syn συν = plus and onoma όνομα = name) are different words with similar or identical meanings. ...

See i-name for more about registration and resolution of XRIs. I-name - Wikipedia, the free encyclopedia /**/ @import /skins-1. ...

See also

• Identity Centric Architecture
• Identity 2.0
• Light-Weight Identity
• YADIS
• i-name
• Windows CardSpace
• Liberty Alliance
• Shibboleth (Internet2)
• Whobar
• Extensible Name Service

The introduction to this article provides insufficient context for those unfamiliar with the subject matter. ... Identity 2. ... Light-Weight Identity (LID) is a system created by NetMesh for verifying identity on the Internet. ... // Fostering online trust relationships YADIS (Yet Another Distributed Identity System) is an open initiative to build an interoperable lightweight discovery protocols for human-centred data exchange. ... I-name - Wikipedia, the free encyclopedia /**/ @import /skins-1. ... This subsystem is a part of . ... The Liberty Alliance, also known as Project Liberty, is a broad-based industry standards consortium developing suites of specifications defining federated identity management and web services communication protocols. ... Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. ... [eXtensible Name Service] XNS The development of XML in 1998 led to a digital identity project called XNS (Extensible Name Service) and the establishment of an international non-profit governance organization, XNS Public Trust Organization XNSORG, in early 2000. ...

References

1. ^ OpenID.net. About OpenID.
2. ^ Brion Vibber said "[..] we are gonna support OpenID in the next months [..]" in the Google Tech Talk: MediaWiki/Wikipedia of April 28, 2006 (around 52 minutes)
3. ^ Current Firefox 3 Requirements on the Mozilla Wiki
4. ^ The Register: “Gates: protect Windows Vista users with IP” (6 February 2007)
5. ^ I Want My OpenID community marketing site, including public bounty program (see bounty sponsors)
6. ^ Application #78899244 on uspto.gov
7. ^ Application #77041930 on uspto.gov
8. ^ Notice of Abandonment for application #77041930 on uspto.gov

February 6 is the 37th day of the year in the Gregorian Calendar. ... 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the Anno Domini (common) era. ...

External links

• OpenID official site
• identity.eastmedia.com — OpenID and Identity info at eastmedia
• OpenID Enabled — resource for OpenID users and developers
• Directory of OpenID-Enabled Sites
• Directory of OpenID Providers (Servers)
• OpenID plugin for DokuWiki, initial release described here
• The Case for OpenID — ZDNet article contrasting OpenID with other identity systems by Johannes Ernst (NetMesh) and David Recordon (VeriSign)
• OpenID: The RESTful approach to Single Sign-On - brief overview
• OpenID for non-SuperUsers - by Sam Ruby
• OpenID: One key to many locks - A primer in Hindi blogzine Nirantar on OpenID with a beginners approach.
• BotBouncer - Captcha service for OpenID users - allows you to do a captcha once and have that be remembered for your OpenID.