I have mixed feelings
The OpenID process / project was new to me, but I did a little looking around.
(Based on what I see in the world I operate in professionally, this open source identity management will likely never happen in its current form.)
It seems much like what Microsoft tried some years ago with a central "Passport" UN/PW service that was marketed for wide use at the time but that I never saw really take off. It has apparently morphed into a newer version called Windows Live ID. Both seem to be after the same benefit, yet they are opposites in terms of who holds the key: instead of a large centralized (MS) depository of the ID information, OpenID is decentralized, yet all players are expected to follow the protocols for some semblance of standardization. This seems confusing to me for a couple of reasons.
For review:
www.openID.net
ZDNet article on OpenID
Windows Live ID
I admit that managing a dozen or more accounts in various private and work settings is mind-boggling, and some single authentication process would help. But I'm not sure I have read this whole game correctly.
For example, there is also the issue of identity management for non-users. If folks see an article by SteamGeek, or Liza, or Tara, or Mole333 on any one of dozens or hundreds of web pages, how do they know they are reading material from the same author? For that matter, someone like Mike Royko may well have been seen in syndication all across the country, but are we talking about the same issue in the digital world?
I for one think trademarks are a relevant part of this conversation.
So how do folks know who they are dealing with? In the virtual world, the normal physically based authentication methods are pretty much of no value (card keys or biometric methods require a physical presence).
Many modern corporate environments require the newer MS strong passwords, which must contain not only upper- and lower-case letters but also "special characters", AND must be changed on a standard schedule, AND the server remembers the most recent few passwords and doesn't allow any of them to be reused.
It seems the "Big Guy" or guys want to offer a solution to the complexities of multiple, widely distributed UN/PW standardization, and the open source folks, who always want to "go independent and decentralize", want to offer an alternative as well.
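As an added illustration (this is example code written for this page, not any vendor's implementation), here is what enforcing that kind of policy looks like on the server side: length and character-class rules, plus a "last N passwords" history that is kept as salted PBKDF2 hashes rather than in the clear, so the reuse check costs one hash per remembered entry and the history itself leaks nothing if the server is compromised. The policy values (8 characters, 3 of 4 classes, 5 remembered passwords, 100,000 iterations) are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy values for this example (assumptions, not quoted from any product).
MIN_LENGTH = 8
REQUIRED_CLASSES = 3        # of the four character classes below
HISTORY_DEPTH = 5           # how many previous passwords the server remembers
PBKDF2_ITERATIONS = 100_000

_CHAR_CLASSES = [
    re.compile(r"[A-Z]"),          # upper case
    re.compile(r"[a-z]"),          # lower case
    re.compile(r"[0-9]"),          # digits
    re.compile(r"[^A-Za-z0-9]"),   # "special characters"
]

HashEntry = Tuple[bytes, bytes]     # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256. A fresh salt per entry means the history
    holds no cleartext, and two equal old passwords do not even hash alike."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, entry: HashEntry) -> bool:
    """Constant-time comparison of the candidate against one stored entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_policy(candidate: str, history: List[HashEntry]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means accepted."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in _CHAR_CLASSES if rx.search(candidate))
    if present < REQUIRED_CLASSES:
        problems.append(f"needs {REQUIRED_CLASSES} of 4 character classes, has {present}")
    # Only the most recent HISTORY_DEPTH entries are compared; each has its own
    # salt, so the candidate is re-hashed once per remembered entry.
    if any(matches(candidate, e) for e in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotate(candidate: str, history: List[HashEntry]) -> List[str]:
    """Scheduled change: apply the policy and, on success, record the new hash."""
    problems = check_policy(candidate, history)
    if not problems:
        history.append(hash_password(candidate))
    return problems


if __name__ == "__main__":
    hist: List[HashEntry] = []
    for pw in ["short", "Correct-Horse-1", "Correct-Horse-1", "Another-Pass-2"]:
        print(repr(pw), rotate(pw, hist) or "accepted")
```

One caveat a practitioner would add today: later guidance (NIST SP 800-63B) advises against mandatory composition rules and periodic forced changes, favouring length, screening against known-breached password lists, and rotation only on evidence of compromise; the history mechanism above is still how "no reuse" is enforced when that rule is kept.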
This leaves us with the new quandary at a higher level, being legitimacy.
I for one predict NIST will get involved in this, if they aren't already.
Will banks or colleges or airlines or on-line retailers recognize or buy into either the big player centralized service, or the decentralized independent service? Both, or neither one?
Do I want to use the same identity manager for my efforts on sites such as CultureKitchen or MySpace or Blogspot as I use for my banking and other financial services? Microsoft would like me to; I worry about the security integrity of the independents who would host the OpenID. And as I understand it, a site such as CultureKitchen would not have control over whom a person chose to use for the OpenID service, just that they used "someone".
The materials I reviewed suggested the encryption technologies may range from weak to strong, with potentially unlimited variations in between based on open source customizations. This seems to leave it wide open for dozens or hundreds of "levels of security quality", and the widely distributed "identity hosting services" could be anything from an IBM secure server farm to a guy in his boxer shorts with a T1 line and a few Dells in the basement. I wonder who's verifying the identity of the identity verifiers?
Something will have to happen. The IT client/server game and the web services/integration game are getting too complicated to manage as we get more and more spread out among various sites that have no common business link between them.
It would not surprise me to see an industry-centric ID management process evolve out of this. For example, the publishing community could "endorse" a select one or many ID providers who meet some sort of community or trade association standards for quality and security. It may be that the trade associations themselves will get into the ID service business.
I do not know what the answer is, just that managing multiple UN/PWs is difficult from a user standpoint; I can't imagine the difficulties from a web hosting standpoint.
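Two of the points above, that a site like CultureKitchen cannot control which OpenID provider a user picks and that a trade association might publish an endorsed list, meet in the relying party's code. As an added example (written for this page; it is not CultureKitchen's code or any OpenID library), the snippet below does OpenID's HTML-based discovery on the claimed identifier's page, which really does use `<link rel="openid2.provider">` / `openid2.local_id` (OpenID 2.0) and `openid.server` / `openid.delegate` (OpenID 1.1), and then refuses any identifier whose provider endpoint is not on an allowlist. The allowlist hosts and the three identifier pages are constructed placeholders; the HTML is passed in as a string so the example runs offline, whereas a real relying party would fetch the normalized identifier URL itself.

```python
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist of OpenID Provider (OP) endpoints this relying party
# accepts. Placeholder hosts; in the trade-association model this list would
# be the association's published roster of endorsed providers.
TRUSTED_PROVIDERS = frozenset({
    "https://op.publishers.example/server",
    "https://id.university.example/openid",
})


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag on the claimed identifier's page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): v for k, v in attrs if v is not None}
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():            # rel may carry several tokens
                self.links.setdefault(r.lower(), href)


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 identifier normalization: default http scheme,
    lower-cased host, default path "/", fragment removed."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def discover(identifier_page_html: str) -> Optional[Dict[str, Optional[str]]]:
    """HTML-based discovery. Prefers the OpenID 2.0 link tags, falls back to
    the 1.1 ones, and returns None when the page advertises no OP at all."""
    c = _LinkCollector()
    c.feed(identifier_page_html)
    if "openid2.provider" in c.links:
        return {"endpoint": c.links["openid2.provider"],
                "local_id": c.links.get("openid2.local_id"), "version": "2.0"}
    if "openid.server" in c.links:
        return {"endpoint": c.links["openid.server"],
                "local_id": c.links.get("openid.delegate"), "version": "1.1"}
    return None


def accept_identifier(user_input: str, identifier_page_html: str) -> Tuple[bool, str]:
    """Decide whether this relying party will start an OpenID login for the
    identifier. This is the hook the site controls: the user chooses the OP,
    but the site chooses which OPs it is willing to believe."""
    claimed = normalize_identifier(user_input)
    info = discover(identifier_page_html)
    if info is None:
        return False, f"{claimed}: no OpenID provider advertised"
    # Exact match on the full endpoint URL, so a provider on an unlisted host,
    # or a listed host reached over plain http, is refused.
    if info["endpoint"] not in TRUSTED_PROVIDERS:
        return False, f"{claimed}: provider {info['endpoint']} is not on the allowlist"
    return True, f"{claimed}: OpenID {info['version']} via {info['endpoint']}"


# Constructed identifier pages for the example (not real sites).
PAGE_TRUSTED = """<html><head>
<link rel="openid2.provider" href="https://op.publishers.example/server">
<link rel="openid2.local_id" href="https://op.publishers.example/u/steamgeek">
</head><body>SteamGeek</body></html>"""

PAGE_BASEMENT = """<html><head>
<link rel="openid.server" href="http://basement.example:8080/openid">
</head><body>someone's home server</body></html>"""

PAGE_PLAIN = "<html><head><title>no openid here</title></head></html>"


if __name__ == "__main__":
    for who, page in [("steamgeek.example", PAGE_TRUSTED),
                      ("Basement.example/me", PAGE_BASEMENT),
                      ("plain.example", PAGE_PLAIN)]:
        print(accept_identifier(who, page))
```

The allowlist check only governs where the login is sent. A complete relying party must also verify the signed assertion that comes back, and in OpenID 2.0 that includes checking that the `openid.op_endpoint` in the response equals the endpoint it discovered, otherwise an attacker-run provider could answer for a trusted one.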
Just because I like to play with my old book, I offer the following quote just for fun:
From The Steganographia of Trithemius, Books I and III. Johannes Trithemius, March 1500, translation of 1606 Frankfort edition by Fiona Tait and Christopher Upton.
Comments RE who is worthy of knowing the secrets in prologue to Book I.
Comments RE authentication: "The operator must also beware that he does not direct a messenger* anywhere without a letter or at least the sign of his commander since if he does not see the sign marked he will be utterly unwilling to obey the caller and carry the secret to anyone. Although we can send a secret through the messenger alone without a letter, we send a letter for two reasons: to keep the man bearing the sign from suspicion and so that we may compel the messenger, bound by his own sign, to give obedience to our friend. Here finishes the first Book of the Steganographia of Johannes Trithemius, Abbot of Spanheim. 27th March 1500."
* Italics, word substituted by SG to protect the faint of heart.