Tuesday, Sep 25, 2007

OpenID not all happiness and light?

I don't follow the identity world that closely, and like everyone I've now come across services that suggest you log into them with an OpenID account. So I have one now too. It's free. It's decentralized. What's not to love?

Well, apparently it isn't 100% love. Read this article by Stefan Brands, who admittedly seems to be closely associated with a competing service, Credentica, which might well be the anti-OpenID. So he's got his own biases:

"[snip...]OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords. (Of course, local password store utilities already do that; more on this later.)[snip...]" (from The Identity Corner)

Still, this long article quotes many, many other writers, so whatever the bias, it is shared by many. And from my "B+" level of knowledge of the broad world of security, there are some highly valid criticisms in here. You should read the actual article, but here's a nice laundry list to get you going:

"[snip...]Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.[snip...]" (from The Identity Corner)


Reader Comments (1)

It is also useless because it does not have the features which will be needed for the meta social services layer (information, alert, network, aggregation).

We discussed it here before, didn't we?

And OpenID is kind of complicated :-)

September 26, 2007 | Unregistered Commenter Markus Merz
