This morning I got the final copy of this report so I popped it straight up onto the JISC site, which means you can see it around lunchtime if you click here.
We feel this is an important report for the sector as it reviews a technology that we constantly get asked questions about and up to now we haven’t had authoritative answers for. OpenID is, without a doubt, an important technology but up until now there hasn’t been a comprehensive review of how it could be used in the higher and further education sectors. This has led to a lot of speculation and rhetoric with very strong advocates for the technology but, equally, very strong critics. We’re hoping this report will inform the debate, particularly given the project has also developed a gateway between OpenID and the UK federation so those with OpenID credentials can access Shibbolised resources (subject to the resource provider being happy with providing access).
Overall, the conclusions were:
i) there is considerable interest in OpenID in the commercial market place, with players such as Google and Microsoft taking an active interest. However,
ii) all commercial players want to be OpenID providers, since this gives them some control over the users, but fewer want to be service providers since this increases their risks without any balancing rewards
iii) until we can get some level of assurance about the registration of users and their attributes with the OpenID providers, it won’t be possible to use OpenID for granting access to resources of any real value. In other words, without a trust infrastructure OpenID will remain only of limited use for public access type resources such as blogs, personal repositories, and wikis
iv) imposing such a trust infrastructure with barriers to the acquisition and use of OpenIDs may be seen to negate its open-access, user-centric advantages
v) OpenID has a number of security vulnerabilities that currently have not been addressed, but at least one of these is also present in the current UK federation.
The implications from this are:
i) Whilst OpenID does have its security vulnerabilities and weaknesses, some of these are also shared by Shibboleth as it is currently designed. Other technologies may subsequently solve these and therefore this could have implications for the UK federation.
ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are. OpenID does not suffer from this limitation and therefore there might be use for it in some scenarios where trust issues can be resolved.
And, finally, the recommendations are:
i) The UK academic community should keep track of both OpenID and CardSpace identity management systems as they evolve. There is clearly a great demand for a ubiquitous secure identity management system, but no consensus yet as to what this should be.
ii) Now that a publicly available OpenID gateway has been built, publicise its availability to the community and monitor its applications and usage. If usage becomes substantial, consider productising the service.
iii) Consider offering a more secure and more trustworthy gateway registration service for SPs that do not use, or use more than, the eduPersonPrincipalName attribute. This will allow them to use OpenIDs for authentication and a wider selection of eduPerson attributes for authorisation. (The current self-registration service is clearly open to abuse).
I’d welcome any comments on the report and/or gateway. I think what we need to do is to keep the debate going and share experience to ensure that researchers and learners can get the most of OpenID.