| FAQ |
 |
| How does the Institutional Web of
Trust compare with OpenID? |
 |
| There is a great deal of controversy surrounding OpenID, brought on primarily
by those who have overhyped the potential of OpenID. |
 |
| As Stefan Brands (an information technologist specializing in digital
identity, security, and privacy) so clearly stated, "OpenID was designed as a
lightweight solution for 'trivial' use cases in identity management: its primary goal is
to enable Internet surfers to replace self-generated usernames and passwords by a single
login credential, without needing more than their browser. Concretely, OpenID aims to
enable individuals to post blog comments and log into social networking sites without
having to remember multiple passwords. Beyond this, OpenID is pretty much
useless. The reasons for this are many: OpenID is highly vulnerable to phishing
and other attacks, creates insurmountable privacy problems, is not a trust system, suffers
from usability problems, and makes it unappealing to become an OpenID 'consumer.'"[ref]
|
 |
| The original OpenID authentication protocol was developed
in May 2005. While there are many organizations that offer OpenID, very few users
have actually created OpenID accounts. The fact is that most users do not understand
the concept of pasting a URL into a sign-on field instead of using a username and
password. |
 |
| The primary problem with OpenID from an identity
management perspective is that there is no coherent security model for OpenID; because of
this, OpenID is relegated to a Level 1 Assurance system ("Little or no confidence in
the asserted identity's validity.") by the federal government.[ref] |
 |
| In contrast, the Institutional Web of Trust uses a hard cryptographic token within a coherent security model and
is a Level 4 Assurance system (the highest level; "Very high confidence in the
asserted identity's validity.").[ref]
|
 |
 |