There’s a lot of momentum and buzz behind OpenID lately. More and more services and websites are accepting OpenID logins as well as offering OpenID authentication services to their users.
I love this.
After reading Tim Bray’s post about Sun’s implementation of OpenID, the wheels in my mind began turning. He explains that Sun’s OpenID is only for Sun employees. Ergo: Sun OpenID == Sun employee.
What’s more interesting is that we’re rolling out an OpenID provider, but with a twist: You can’t get an OpenID there unless you’re a Sun employee, and if someone offers an OpenID whose URI is there, and it authenticates, you can be really sure that they’re a Sun employee. It doesn’t tell you their name or address or anything else; that’s up to the individual to provide (or not). The authentication relies on our Access Manager product, and it’s pretty strong; employees here have to use those crypto-magic SecureCard token generators for serious authentication, passwords aren’t good enough.
The applications are obvious; if anyone wants to offer deals or special treatment online to Sun employees, well, that’s easy now. (I know of at least one company named after a fruit whose online store offers a nice Sun employee discount based on knowing a “secret” URL; this would have to be a much better alternative).
I suspect there are a few other problems like that. At last Java One I was talking to a CIO from a big community college with tens of thousands of students, and literally dozens of external partners who wanted to be able to verify that someone behind a browser was in fact a student; this would take care of that cheaply, neatly, and safely.
This is brilliant because, beyond authentication through a decentralized service, it also confers group identity on top of individual identity. So, what if CTFC ran an OpenID server and conferred authentication services based upon our own version of OpenID for our grantees? Voila, you have a way of providing additional trusted relationships with anyone you want to partner with.
What does this mean for CTFC and foundations and any other resource provider in the real world?
I want to create: CTFC OpenID == CTFC Grantee.
Now what if we entered into a relationship with a web service—say a hosted blogging company or, gracious, an on-demand CRM company? What if we said that as long as an individual has a valid CTFC OpenID, they could log in to their system and gain access to services?
No muss, no fuss. Just up and going. Because you own your identity. But we confer benefits based upon group identity.
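The group-identity idea above rests on one check a partner site (the relying party) has to get right: after the OpenID library reports that authentication succeeded, the site must confirm that the verified identifier was actually issued by the provider it trusts, by exact host match, before granting the group benefit. Below is an added illustration of that policy check, not code from this post or from Sun or CTFC; the provider hostnames and group names are constructed placeholders, and the `authenticated` flag stands in for the result of a real OpenID verification step.

```python
from urllib.parse import urlsplit

# Constructed mapping: a provider host -> the group membership its successful
# authentication implies. These hostnames are placeholders, not real endpoints.
TRUSTED_PROVIDERS = {
    "openid.sun.example": "sun-employee",
    "openid.ctfc.example": "ctfc-grantee",
}


def group_for_identifier(claimed_id, authenticated, trusted=TRUSTED_PROVIDERS):
    """Return the group an authenticated OpenID identifier confers, or None.

    claimed_id    -- the identifier URL returned by the OpenID library AFTER it
                     verified the provider's assertion (never raw user input)
    authenticated -- True only if that verification succeeded
    """
    if not authenticated:
        return None
    parts = urlsplit(claimed_id)
    # Only accept identifiers served over TLS; a plain-http identifier could be
    # rewritten in transit before the relying party ever sees it.
    if parts.scheme != "https":
        return None
    # hostname strips any userinfo and port, so "https://openid.sun.example@evil.test/"
    # resolves to "evil.test" and is rejected below.
    host = (parts.hostname or "").lower()
    # Exact match on the host, never a substring or suffix test: the host
    # "openid.sun.example.evil.test" would pass an endswith() check.
    return trusted.get(host)


def demo():
    cases = [
        ("https://openid.sun.example/tbray", True),
        ("https://openid.ctfc.example/grantee42", True),
        ("https://openid.sun.example/tbray", False),          # not authenticated
        ("http://openid.sun.example/tbray", True),            # not TLS
        ("https://openid.sun.example.evil.test/tbray", True), # lookalike host
        ("https://evil.test/?u=openid.sun.example", True),    # host only in query
        ("https://openid.sun.example@evil.test/tbray", True), # userinfo trick
    ]
    return [group_for_identifier(cid, ok) for cid, ok in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The identifier passed in must be the one the OpenID library hands back after verifying the provider's signed assertion; a user-typed URL proves nothing on its own. An identifier hosted on some other domain that merely delegates to the trusted provider is rejected by this check, which is the conservative choice for a benefit tied to group membership.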
I like this idea very much.