When I stumbled upon OpenID quite a while ago (two years?), I was immediately intrigued by it: having one logon for everything is great. But at the same time I didn’t really get it; how could other websites know who I was? Supposedly, I was just so attached to the default username/password/account combination that I didn’t immediately realize the separation between authentication and authorization. And that is maybe one of the main problems with OpenID: when I don’t get it instantly, how is my mother supposed to get it? On the website I didn’t read a 5-second explanation that really got across why one should want to use OpenID (nowadays they do better in delivering the message: OpenID is an alternative to remembering multiple usernames/passwords).
But anyway, I wanted to use OpenID :) At that moment I had to make an important decision: which provider to use? I could use a hosted provider (at that time Google, Hyves, and others weren’t providers yet), or I could host my own. As I don’t want to become dependent on a provider to log on to other websites, I decided that using openid.org, myopenid.com, claimid.com or something similar was not the way to go (or, as you could do now: using your Google/Hyves/Facebook account). I still think that that was a good decision.
You don’t want to use the email address of your Internet Provider (when you switch providers, or it changes its name (worldaccess -> wxs -> planet), you don’t want to have to use a new email address...), and you don’t want to use a specific provider for your online identity. You definitely don’t want to end up in the situation that your OpenID provider shuts down (for whatever reason...), and you’re not able to log on to any website anymore... For both your email and your OpenID you certainly want to use your own domain that is fully under your control.
So, with that decision made, I started looking for solutions for running my own OpenID provider. phpMyID seems to be the project of choice. It doesn’t seem to be too complicated to install, etc. However, I still had my doubts: was installing phpMyID secure enough? I wanted to look into that before installing it. So, I just postponed it…
Until today :)
Earlier today, I installed phpMyID, and it just took minutes. It’s very easy to set up. However, I still had a feeling… Why do it myself? To prove that I could do a better job than a hosted service? I’m not running my own mail server either, right? I just use Gmail to read my mail. What if I made an error in configuring it? Or, if a security issue is discovered and I don’t update soon enough? Then, all of a sudden all my accounts are compromised. Basically, I don’t want to run my own OpenID server… I want to use my domain as the identifier, but use a hosted solution.
And nowadays, using delegation, I can! You can add a few headers to your HTML page pointing to a third-party OpenID provider. In WordPress, there is a nice plugin to do that for you. So, I deleted phpMyID, installed the plugin, signed on to myOpenID, and forwarded davidbaakman.nl to davidbaakman.myopenid.com.
When myOpenID.com stops, closes, or I just want to stop using the myOpenID service, I can just choose another OpenID provider, forward davidbaakman.nl to that provider (or, decide to run my own server anyway) and still access my accounts.
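The delegation described above, as an added example (not code from this post or from the WordPress plugin): a small check that reads the delegation `<link>` tags from a page's head and reports any that do not point at the provider you expect. The `rel` names are the ones OpenID 1.1 and 2.0 define for HTML discovery; the function names and the provider endpoint URL in the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used for HTML-based discovery in OpenID 1.1 and OpenID 2.0
RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}

# Constructed sample page; the provider endpoint URL is an assumed value.
SAMPLE = """<html><head>
<link rel="openid.server openid2.provider" href="https://www.myopenid.com/server" />
<link rel="openid.delegate openid2.local_id" href="http://davidbaakman.myopenid.com/" />
</head><body><p>blog</p></body></html>"""

class DelegationParser(HTMLParser):
    """Collect OpenID delegation <link> tags; discovery only reads <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel is a space-separated token list, so one tag can carry two names
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def find_delegation(html):
    parser = DelegationParser()
    parser.feed(html)
    return parser.links

def audit_delegation(html, expected_host):
    """Return a list of problems; an empty list means the tags look as expected."""
    links = find_delegation(html)
    problems = []
    if not links.keys() & {"openid.server", "openid2.provider"}:
        problems.append("no provider endpoint declared")
    for rel, href in sorted(links.items()):
        host = urlsplit(href).hostname or ""
        if host != expected_host and not host.endswith("." + expected_host):
            problems.append(f"{rel} points at {host or href}")
    return problems
```

Running `audit_delegation` against the fetched front page after a provider switch, with the new provider's host name, shows whether every tag was updated.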
Maybe in the future I will try to use the client-side certificate of MyOpenID, so I don’t have to use a password to log on to myOpenID. And maybe I could use the OpenID plugin of WordPress for authenticating comments. But I’m not sure of that…