Both on the Internet and behind the firewall, the identity problem gets uglier every year. How many passwords do you have? If you’re in IT, how much pain do you go through getting all your apps to share a notion of who someone is? There are a lot of smart people working on these problems, but progress has been crushingly slow. We’re doing a little something with OpenID this week that won’t turn the world inside out but I think shows that progress is possible.
OpenID (see my previous write-up) is a cheap-and-cheerful easy-to-implement way to bind an identity to a URI. It allows a Web site talking to a browser to look at the URI and reliably ask its server to confirm (or not) that the person behind the browser has OpenID rights to the URI. It’s simple, straightforward, and it works.
Unfortunately, at the moment, it isn’t good for much, because the OpenID might be pointing at a server that’s evil or silly. It’s good enough for blog comments and that’s about it.
Sun’s an Internet company and so the Identity cabal here really likes OpenID’s notion of using a URI for an identifier. The experts here think there’s a whole lot more to the identity problem than that, but it still feels like a good start. (Bear in mind that one of Sun’s most successful product areas is Identity software, in the directory and access-manager space). So we’re doing an announcement today that says, more or less, “We like OpenID and we’re going to start supporting it more.”
What’s more interesting is that we’re rolling out an OpenID provider, but with a twist: You can’t get an OpenID there unless you’re a Sun employee, and if someone offers an OpenID whose URI is there, and it authenticates, you can be really sure that they’re a Sun employee. It doesn’t tell you their name or address or anything else; that’s up to the individual to provide (or not). The authentication relies on our Access Manager product, and it’s pretty strong; employees here have to use those crypto-magic SecureCard token generators for serious authentication; passwords aren’t good enough.
The applications are obvious; if anyone wants to offer deals or special treatment online to Sun employees, well, that’s easy now. (I know of at least one company named after a fruit whose online store offers a nice Sun employee discount based on knowing a “secret” URL; this would have to be a much better alternative).
I suspect there are a few other problems like that. At last Java One I was talking to a CIO from a big community college with tens of thousands of students, and literally dozens of external partners who wanted to be able to verify that someone behind a browser was in fact a student; this would take care of that cheaply, neatly, and safely.
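A relying party that wants to act on "the URI is there, and it authenticates" has to get the "is there" half right after its OpenID library has done the authentication half. The sketch below is an added example, not Sun's code or part of any OpenID library; the function name, the scheme policy and the sample URIs are assumptions constructed for illustration, and it presumes the identifier passed in has already been verified with its provider.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "openid.sun.com"  # provider host named in the post
# Assumption: which schemes to accept is the relying party's own policy.
ALLOWED_SCHEMES = {"http": 80, "https": 443}


def is_from_trusted_provider(verified_identifier, trusted_host=TRUSTED_HOST):
    """True only if an already-verified OpenID URI lives on trusted_host."""
    # Reject characters that URL parsers and browsers interpret differently.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in verified_identifier):
        return False
    try:
        parts = urlsplit(verified_identifier)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "https://openid.sun.com@other.example/" hides the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    if port is not None and port != ALLOWED_SCHEMES[parts.scheme]:
        return False
    # Exact host match: endswith() or substring tests accept look-alike hosts.
    return (parts.hostname or "") == trusted_host.lower()


# Constructed sample identifiers, not real accounts.
SAMPLES = [
    "https://openid.sun.com/alice",
    "https://OpenID.Sun.COM/alice",
    "https://openid.sun.com.other.example/alice",
    "https://openid.sun.com@other.example/alice",
    "https://other.example/openid.sun.com/alice",
    "https://notopenid.sun.com/alice",
    "https://openid.sun.com:8443/alice",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{is_from_trusted_provider(uri)!s:5}  {uri}")
```

Only the first two samples pass; the rest carry the provider's name somewhere in the URI without actually being hosted on it.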
What’s probably more interesting in the big picture is that openid.sun.com shows that OpenID can be put to work on something with actual business value.
The technology is pretty interesting too. Our Access Manager product is a big, mature, enterprise-scale offering, but that group really hadn’t imagined an application like this, so there was quite a bit of engineering involved in getting it to talk OpenID to the Web at large. But it works now, and I’m hoping one of the developers will blog the details. It’ll be open source, of course.
This does not mean the Identity nut has been cracked, in the big picture. But I’m a huge fan of solutions to big problems that start out small, simple, and efficient; this qualifies.