The problem with BrowserID and OpenID (and other website registration stuff)

Both Mozilla’s up-and-coming BrowserID technology and OpenID still have one fatal flaw – reliance on a single authority.

There’s no inherent recovery capability in either of these solutions – to be able to put full faith in them, I need to be able to revoke an identity and migrate to a new one at will. BrowserID concentrates the identity on the email address, which means my identity is in the hands of my ISP or a free mail service, or I have to pay money to host my own mail server. OpenID has the same problem – my identity is either in the hands of a public web service, or I have to pay to host a site. Whoever controls that mailbox or that URL controls the identity, and I have no way to take it away from them.

Websites that implement their own registration are even worse. They usually rely on the registered email address for password resets, and some fall back to an older email address even after you switch addresses – so if that mailbox is compromised, whoever holds it can reset your password and you are SOL.

Ultimate control needs to be firmly in the hands of the user – in the form of something that can be used to prove you are the same person who created an identity, and to replace that identity with another whenever it proves necessary. The information, key, or token needed to do that has to be safely in my hands, not with my identity provider.
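One concrete shape for that user-held key, as an added example that is not part of the original post and not anything BrowserID or OpenID specify: the identifier a site stores is an Ed25519 public key the user generated, and a migration is a "rotation" statement naming the old and new key, signed by the old private key. A relying party that remembers only the key it saw at registration can verify a chain of such rotations and learn the current key, without any mail provider or OpenID host in the loop. The type and function names, the message prefix and the hex identifiers are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Rotation is the statement "the holder of OldID hands this identity over to
// NewID", signed by the OLD private key. Only someone holding that key can
// produce it, so a hijacked mailbox or identity provider cannot.
type Rotation struct {
	OldID     string // hex Ed25519 public key being retired
	NewID     string // hex Ed25519 public key taking over
	Signature []byte // Ed25519 signature by the old key over rotationMessage
}

// NewIdentity creates a fresh user-held key pair. The identifier a site
// stores is just the hex public key; the private key never leaves the user.
func NewIdentity() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(pub), priv, nil
}

// rotationMessage is the canonical byte string a rotation signs: a fixed
// domain-separation prefix (chosen for this example) plus both identifiers,
// so a signature cannot be reused for a different old/new pair.
func rotationMessage(oldID, newID string) []byte {
	var b bytes.Buffer
	b.WriteString("identity-rotation-v1\x00")
	b.WriteString(oldID)
	b.WriteByte(0)
	b.WriteString(newID)
	return b.Bytes()
}

// Rotate retires oldID in favour of newID. oldPriv must be the private key
// behind oldID; the check guards against signing with the wrong key.
func Rotate(oldID string, oldPriv ed25519.PrivateKey, newID string) (Rotation, error) {
	pub := oldPriv.Public().(ed25519.PublicKey)
	if hex.EncodeToString(pub) != oldID {
		return Rotation{}, errors.New("private key does not match oldID")
	}
	sig := ed25519.Sign(oldPriv, rotationMessage(oldID, newID))
	return Rotation{OldID: oldID, NewID: newID, Signature: sig}, nil
}

// VerifyChain is what a relying party runs. It knows only the identifier it
// stored at registration (rootID) and is shown a chain of rotations. It
// returns the identifier the chain ends at, or an error if any link does not
// connect to the previous one or is not signed by the key it claims to retire.
func VerifyChain(rootID string, chain []Rotation) (string, error) {
	current := rootID
	for i, r := range chain {
		if r.OldID != current {
			return "", fmt.Errorf("link %d retires %s but the chain is at %s", i, r.OldID, current)
		}
		pub, err := hex.DecodeString(r.OldID)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return "", fmt.Errorf("link %d: malformed identifier", i)
		}
		if !ed25519.Verify(ed25519.PublicKey(pub), rotationMessage(r.OldID, r.NewID), r.Signature) {
			return "", fmt.Errorf("link %d: signature not made by holder of %s", i, r.OldID)
		}
		current = r.NewID
	}
	return current, nil
}

func main() {
	// Registration: the site stores only id1. Later the user retires id1
	// (say, the mailbox it was tied to is gone) and then id2 as well.
	id1, priv1, _ := NewIdentity()
	id2, priv2, _ := NewIdentity()
	id3, _, _ := NewIdentity()
	r1, _ := Rotate(id1, priv1, id2)
	r2, _ := Rotate(id2, priv2, id3)
	got, err := VerifyChain(id1, []Rotation{r1, r2})
	fmt.Println("chain accepted, current identity is id3:", err == nil && got == id3)

	// An attacker who took over the mailbox but never held priv1 can only
	// sign with their own key; the hand-over to their key is rejected.
	idEvil, privEvil, _ := NewIdentity()
	forged := Rotation{OldID: id1, NewID: idEvil, Signature: ed25519.Sign(privEvil, rotationMessage(id1, idEvil))}
	_, err = VerifyChain(id1, []Rotation{forged})
	fmt.Println("forged hand-over rejected:", err != nil)
}
```

The chain proves continuity of key possession, nothing more: if the old private key itself is stolen, the thief can rotate just as the owner can, so the user still has to keep that key safe (and would want a pre-committed offline recovery key, which this example does not include). Identifiers here are raw hex public keys purely for brevity; a real scheme would add a version byte or a hash-based fingerprint.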
