
November 17, 2007

OpenID - every student should have one

Our OpenID event took place in London last Thursday and various materials from it are now available (photos, slides and blog entries).  (Note that at the time of writing Gavin Bell's presentation is missing in action - we are working on making it available as soon as possible.)

I found the day very interesting and worthwhile, if a little stressful because of having to act as chair (not my favorite activity if I'm honest).  The presentations were all very good and we had a lot of interesting discussion, both in-between talks and in the panel session at the end.

I started with some scene setting.  My original plan was to do this from the somewhat theoretical perspective of how learning and research are changing in academic institutions.  However, in preparing my talk, I realised that most of the pertinent issues would be covered by later speakers.  Instead, I chose to get personal, describing the ways in which I see Web 2.0 changing the way my family live their lives.  The point was to show that the management of our online identities is increasingly a user-centric and lifelong activity - it doesn't start and stop at the system-induced transition points of our lives (going to school - leaving school, going to uni - leaving uni, getting a job - leaving a job, etc.).  In consequence, there is a danger of us offering a poor fit to our users' requirements if the approaches to identity management that we adopt are too rooted within particular sectors or phases of sectors.

David Recordon (Six Apart) (pictured) gave a very nice overview of where OpenID is now and where it is going in the future and I recommend looking through his slides for anyone not there on the day.  I'm hugely grateful to David for stopping off en route between Berlin and California to give this presentation.  But I should also apologise - we were hoping to record audio for the whole event and turn the slides into slidecasts.  Unfortunately, a combination of trying to both chair the day and look after the recorder meant that I screwed up rather badly :-(

David's presentation covered so much ground that it is hard to summarise here.  However, it was interesting that he noted that OpenID, as a technology, is still too visible in the user's experience of the Web.  He predicted that, over the next year or so, we will begin to see tools such as Web browsers getting much better at hiding away some of the complexity of OpenID transactions.

It seems to me that this is a good example of why the education community stands to gain by going with more mainstream approaches such as OpenID.  Mainstream technologies get embedded into the fabric of the tools we all use - community-specific technologies do not, or if they do it takes much longer.

Gavin Bell (Nature Publishing Group) talked about the way that academic research and scholarly communication are changing, the impact that the Web in general and social tools in particular are having on that, and what role OpenID might play in that space.  He noted that however good the current approaches to identity and access management in the education space are, they haven't enabled personal interactions with Web services on the wider Internet beyond education.  Once again, the point is that we have tended to do things differently in academia and we need to go more mainstream.

He put forward some interesting analogies during his talk.  Firstly that OpenID is a bit like the Oyster Cards in use on the London Underground in the sense that it provides an additional way of getting into the system, layered over the existing facilities, but without compromising them in any sense, or requiring them to be updated or removed.  Secondly that there are similarities between the players in the OpenID business and the players in the fish & chip shop business - there are providers, there are consumers, and the providers are almost always also consumers! :-)

He went on to suggest that every student should have an OpenID, possibly through some sort of central, trusted OpenID provider within (or closely aligned with) academia.  Various members of the audience questioned the approach, arguing that any centralisation of services brings with it the danger of a single point of failure and that institutions are well placed to administer OpenIDs themselves.  This is a discussion still to be had (it surfaced several times during the day) but I don't think anyone disagreed with the central proposition, that some kind of trusted provision of OpenIDs to all members of the education sector seems like an obvious next step.

He suggested that OpenID, as an identifier, might provide an important and necessary addition to the scholarly communication infrastructure - in the form of identifiers for people.  That said, he also noted the significant security and privacy issues brought by the use of a single identifier (or small number of identifiers), potentially allowing information that is currently held separately to be pulled together and aggregated into a single body of knowledge about the individual.

Gavin was followed by Nicole Harris (JISC), who talked about the wider issues around Identity 2.0 and what JISC is doing.  Nicole noted the significant level of interest within the community around OpenID at the moment (part of the reason why we set up the meeting of course) leading to JISC initiating various activities in this area.  She also noted the fit between Shibboleth and OpenID, describing user-centric identity as a natural progression from what we have now.  I very much agree with this.

However, she also noted the difference between managing identity as a way of "controlling access to protected resources" and managing identity as a way of sharing information "about me".  She questioned whether individuals can be trusted to manage their online identities, noting in particular the cavalier approach we have to things like installing new Facebook applications and accepting out of date certificates in our Web browsing sessions.  She suggested that institutions need to review their role as identity and service providers, in particular suggesting that the role of the institution is different when it has funded access to particular resources than when it hasn't.  Like Gavin, Nicole also noted the potential value that OpenID brings to initiatives working towards people identifiers, such as the JISC-funded Names project.

Interestingly, she said that we will be seeing institutions signing up for the UK Access Management Federation using OpenID rather than Shibboleth in the relatively near future.  I must admit that I hadn't realised that was on the cards yet.

Nicole ended with a quick summary of what JISC is doing in this area, including various reviews and studies, but noting in particular that the infrastructural nature of 'identity' means that it will potentially touch on many of JISC's current programmes.

After lunch we had presentations from Sean Mehan (UHI) and Scott Wilson (Institute for Educational Cybernetics at the University of Bolton and JISC CETIS). These presentations provided two institutionally-oriented perspectives on OpenID, Sean speaking primarily from the point of view of computing services and Scott giving us a rather more academic perspective on the role of OpenID in elearning.

Sean reminded us that the ICT expectations of staff and students entering higher education are changing rapidly - they want to make use of externally provided services and there is little that institutions can do to stop them.  OpenID can be seen as an access point into these services, allowing externally-held content to be re-integrated into institutional service provision.  This requires a significant change of mindset for institutions, not least because it will feel like they are giving up a lot of control.  Such integration might include pulling external content back into the institution for the purpose of preservation, audit trails and assessment.

There are risks in this approach of course but Sean argued that there are always risks and that the use of OpenID does not make things significantly worse.  He suggested that institutions should become OpenID providers for their members (or delegate that responsibility to someone else on their behalf).  Furthermore he argued that for trust and operational reasons, institutions are unlikely to allow their members to use OpenIDs from non-institutional providers.  Allowing people to use other OpenIDs will "be a step too far" for most institutions.

Scott gave us a systems perspective on education, arguing that one of the fundamental tensions within institutions is coping with the fact there are relatively large numbers of students and relatively small numbers of teaching staff.  This tension is resolved in two ways - firstly, through resource bargaining, either within the institution or between the institution and its funders (leading to adaptations of the system in one way or another) and secondly, through the development of informal student peer-support mechanisms (leading to less demand on the formal parts of the system).

Scott argued that only 40% of learning happens within the formal systems of education - the rest happening through informal social networks.  However, institutional approaches to learning have historically developed in an environment where the institution owned all the technology and the student very little.  Clearly, this situation no longer applies. If 60% of a student's learning happens outside of the formal systems of the institution using technology that isn't owned or controlled by the institution then we need new approaches.  Institutions need to recognise that they can only be viable if they give up trying to manage everything. 

How does identity management relate to this?  Well, institutionally or nationally provided identifiers fit well with resource bargaining, controlling entitlements, accreditation and the other aspects of formal systems within the institution.  On the other hand, OpenID (or other user-centric approaches to identity management) fits well with the informal parts of the system.  More importantly, OpenID offers a useful axis through which the formal and informal parts of the system can be coordinated.

Echoing Sean's suggestion that institutions should become OpenID providers for their members, Scott suggested that another reason why institutions will be reluctant to give up their role as identity providers is because their own organisational identity is to a large extent built on the collective identities of its members.

Scott closed by summing up what he liked about OpenID - the fact that it is not an authentication system (echoing a comment by one of the earlier speakers that it is "just a pipe"), that it doesn't "verify identity" or "identify the user" (OpenID is just a useful "proxy for the user"), that it doesn't assume policy alignment or trust, and that it is not a provisioning system.  All it does is to provide "a means for asserting a relationship between an agent (not necessarily a person) and a URL, how cool is that?".

Scott's presentation was a good place to end the talks.  It was followed by a panel session in which all the panelists (the speakers were joined by David Orrell of Eduserv for the panel) gave their views on where OpenID is likely to go over the next couple of years.  There was some interesting discussion.

Overall, the day was a good one.  I'm not sure we met all our objectives and there were certainly unresolved issues that need further discussion - around trust for example.  It was also noted that OpenID remains largely in the realm of the techies at the moment.  It needs to move beyond that, to become usable and understandable by ordinary people.  I would also have liked us to unpick further the issues around OpenID as a "pipe" vs OpenID as an "identifier".  That said, one message came through loud and clear - that institutions should begin thinking about offering all their members an institutional OpenID.



It is a bit naive to discuss OpenID without noting that it is a notably insecure protocol.

See Ben Laurie's notes at http://www.links.org/?p=187 and his later discussion of the protocol with me here http://lists.laptop.org/pipermail/server-devel/2007-July/000083.html

Ben is one of the key guys behind Apache's SSL support. Even so -- I am implementing OpenID in Moodle mainly for the OLPC project, which will have a special environment preventing these known attacks. But for the vanilla Moodle it will come with huge warning signs ;-)

I'd agree - every student should have one for a number of reasons - it makes the possibility of loosely coupled systems more of a reality (http://nogoodreason.typepad.co.uk/no_good_reason/2007/11/the-vlelms-is-d.html) and increasingly it seems to me that educational institutions are just not as good at providing IT services. So openID is a means of outsourcing authentication to people who will put more effort in to it. It lacks the roles and permissions though we need in HE, so there is still the need for some university system, or a meta API that sits on top of openID
