Article in the New York Times on OpenID and its lack of security. Most security experts believe that Web site hosts must be persuaded to adopt information-card technology for encrypted sign-ons, but:
We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. Representatives of Google, I.B.M., Microsoft and Yahoo are on OpenID’s guiding board of corporations. Last month, when MySpace announced that it would support the standard, the nonprofit foundation OpenID.net boasted that the number of “OpenID enabled users” had passed 500 million and that “it’s clear the momentum is only just starting to pick up.”
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
Readers of this blog will know we also think OpenID is at best a distraction, trying to optimise a fairly useless process, and not very user-friendly to boot (I've gone back to just using passwords). However, implementing cryptographic processes is non-trivial, the major players do not seem to be collaborating at the moment, and there do not seem to be agreed standards emerging rapidly for it either. In other words, passwords and OpenID may not be perfect, but they are out there and being actively pursued - and as we have seen many times before, being the better technology is no guarantee of adoption.
Perhaps we need an Open Encryption movement (if that's not an oxymoron).
Update - good discussion going on over at Slashdot.
Update II - a related story from El Reg dealing with Google security flaws - in essence, by Google collecting lots of data and having lots of gadgets on your toolbar, it leaves you open to compromise.
Update III - the OpenID blog responds to the article - a very considered post.