It has taken me quite some time to come to grips with OpenID. Why? Because I trust no one. When I first started playing around in the Identity arena, I thought it was a great step forward in protecting my identity. Minimal, and only information I allow, is released to the requesting party. The requesting party has no need (and should not unless absolutely necessary; after informing me they are doing so) to store any of the information provided with my identity. This doesn't mean though that they can't store other information to make my experience at their site better.
Take your favorite on-line store for example. It eventually should be possible to login into their system using your identity (leaving it vague right now what type) and maybe have a profile they store that's tied to your identity so that they can tailor their site to you, say promoting only products in categories you are interested in, like computer gadgets rather than dishwashers. This all sounds great, so what's my problem?
I am paranoid when dealing with companies involved with marketing. I typically would be browsing their system through anonymous proxies and be using site specific email addresses if I need to register. In most case I browse on-line stores to compare products, product reviews and prices and only shop at a handful of stores I actually trust. So to get the personal integration on all these sites, I would either be using my OpenID or an InfoCard to logon. The difference between these two technologies is where I start having some issues with OpenID.
A site storing any information on my would need to key off my OpenID. There is no other identifier that will remain constant every time I logon to their system. This means that every system I logon to using that same ID will store and key off the same identifier. In my head this makes it all too easy for data collection to begin. People are always worried about their government collecting and mining data about people. I am more worried about companies because it is easier for the government to just buy this information from the companies that have already done the leg work and are selling it. What is worse is that the OpenID is a URL, so additional information discovery, potentially more personal data, is also possible. Just imagine if you use the same ID if you want to comment on a blog. It is not uncommon that your ID might be displayed, which is just another piece in the puzzle for the data collection companies.
Under InfoCards, things are a little different. Typically the Private Personal Identifier (PPID) is used to link everything together. This identifier remains constant every time you use an i-card to log into a specific site. Now what separates this from OpenID is that the same card will produce different PPIDs for every different site it is used with. There is no way for different systems now to tie any of your information together based on the PPID. Although I haven't tested this, I believe it may be possible, at least with self-asserted cards, for systems to tie information together based on your public key. As long as I have not included any personally identifiable information, or the systems actually obey the
Laws of Identity, unlike OpenID, there is no where to go for the data collectors to gather more information. My public key doesn't map out a path for a collector to follow, which cannot be said for using a URL.
I am not arguing against one or the other technology here, because I have found that each have their pros and cons and it really depends upon the situation when I might prefer one over the other. I will be posting a follow up to this entry soon covering some of my opinions of when and why I would prefer to use one over the other. A lot of this has to do with personal preference, but I already told you I am paranoid. There are times when I want people to know who I am and other times I don't. Now don't even get me started on what I think about the social networking craze.