HTTPS provides the foundations of secure computing on the Web. But security doesn’t stop at the transport layer. Having looked at how HTTPS provides confidentiality and integrity, we can now begin to address higher-order challenges, starting with identity.
Both HTTP authentication and HTTPS (with client-side certificates) can be used to identify consumers, but they do so in a way that places the burden of identity management on the service itself. Keeping track of consumers is a hard problem, but it shouldn’t be our problem as business service providers. Instead, we’d like to delegate identity management to services that know how to do identity management well.
One solution to this problem is to decentralize identity management. OpenID is a protocol that allows consumers to present claims about their identity to services such as Restbucks, where an identity provider trusted by Restbucks has authenticated those claims.
OpenID doesn’t solve trust. A service may accept the identity claims presented by a consumer, but only because it trusts the provider through some out-of-band mechanism. This doesn’t, however, mean the consumer is automatically entitled to interact with all aspects of the service.
OpenID allows a service or relying party to delegate the responsibility for storing consumer credentials to one or more OpenID providers. The providers are responsible for checking OpenID consumers’ credentials and informing the relying party if an identity ...