Tentatively trying out OpenID
26 Feb 2007
Found in: Web in General
Posted at: 9:42 PM
I’m trying to wrap my brain around this whole OpenID thing, and I took the first step tonight. As with most things, I obsessively read about it online, searching for “the best OpenID provider.” I’m still torn as to whether it’s more secure to have a provider host my OpenID for me, or to run it through this site. I couldn’t really find a consensus online, so if anyone has any info, it’d be much appreciated. From what I understand, both have security risks, but if your site is hosted somewhere that you can feel confident about security, that’s the better option. As my site is still on a cheap shared hosting plan, I’m wary.
So I decided to sign up with a provider, but not store any sensitive information yet (other than my email, and it doesn’t take much effort for someone to find that). The first place I went was Verisign, since I liked the fact that they are in the security business to begin with. I signed up for an OpenID, but there are a couple things I didn’t like about their service. Most importantly, I don’t like that they keep a running record of your activity with your OpenID. It strikes me as an invasion of privacy on some level that they are storing that data. And it was also pointed out in a comment on Simon Willison’s blog that if someone were to hack into my account through Verisign, it would make it that much easier for them to do some real damage. Secondly, I found out that it’s missing a built-in phishing protection feature on myopenid.com.
Even though it seemed counterproductive to now have 2 OpenIDs, I went ahead and signed up on myopenid.com. Their phishing protection involves a preference that you can set where you have to manually go to myopenid.com’s sign-in page to log in, rather than being redirected from the site you were logging onto with your OpenID. What happens when you try to log in to a site using your OpenID is that you are redirected to your OpenID provider to log in there if necessary. It’s therefore like a phisherman’s paradise, as all they have to do is create a reasonable facsimile of the provider’s login page to get your password, and access to every site you visit on the net.
My reaction to the whole OpenID thing is that in 2-3 years, it’ll be a viable option for most heavy internet users, but I’m not so sure I want my data to be one of the guinea pigs.
Here are some links where I got much of my information:
Simon Willison’s Blog
OpenID Wiki
ifacethoughts.com
Demomarks
Center Networks