[OpenID] Reconsidering http://openid different from https://openid
Dave Kearns
dkearns at gmail.com
Fri Sep 21 22:34:31 UTC 2007
From: Peter Williams
>
> The problem statement is
>
> The web is cheap, cost effective and sufficiently safe for 80% of
> users and usages. It is less safe for those business-to-business
> usages that demand quality and security in the 80-85%
> user/usage safety band. The goal of OpenID is to deliver
> cost-effective WebSSO to this 80-85% band of users and usage
> quality, bringing down the cost of WebSSO deployment and
> operation to that equivalent to the cost of deploying and
> operating a general purpose web server, whilst suffering a
> marginal and tangible increase in residual risk.
>
I've got to strongly disagree with these numbers. OpenID is, of course, an
authentication mechanism. The 80% of the web that is "cheap, cost effective
and sufficiently safe" contains very few authentication ceremonies. Its
purpose (at this point, but not its original purpose) is to supplant
username/password transactions. I don't know the % of web transactions that
are authorized only after a username/password authentication, but it's a lot
less than 80% and, I'd wager, a lot less than 20%. And any increase in risk
should be countered by a decrease in value of the transaction. That brings
us, once again, to the point where OpenID is fine for transactions with no
apparent monetary value but also no apparent reputation value...
-dave