I’ve been waiting for the first OpenID provider to offer a certificate-based, no-password-ever service. Not an SSL service, but a certificate-authentication-based service. That is, a service that simply stores a certificate in its user database and uses that certificate to authenticate you. Browsers are well versed in the art of the certificate these days; they have had a while to iron out the rough spots. Auto-installation of certificates from a web page is possible, and that allows a pretty seamless experience for sign-up and “log in.” Prooveme.com very nearly, almost, but not quite gets it right. When I signed up and briefly tested the service I noted three rather serious problems:

  1. I had to click through a certificate security alert dialog because they used a self-signed certificate for the page that installs the user certificate. It is just fine to use self-signed certificates for user identification in this case, in fact it is the perfect use case, but I should know who is giving me the certificate and I shouldn’t be trained any further in bad browsing habits. Their users are surely worth a $20 certificate.
  2. Upon signing up for a site, I discover that I am not asked whether I have authorized the site to identify me. If I log in to a site for the first time I want to be alerted to that fact. There needs to be some level of control here so that I can decide whether to be auto-logged in to a particular site.
  3. After recovering from the shock of being logged in straight away, I noticed my name had been given up too! That is, er, not cool.
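
To make the three points concrete, here is an added example of the provider-side logic they imply; it is not Prooveme.com’s code or anything from the original post, and the provider name, user fields and the `example.com` relying party are assumptions for illustration. The provider trusts the certificate it enrolled (a self-signed one, exactly the use case above), keys its user record on the SHA-256 fingerprint of the certificate DER, and then enforces the two behaviours the post asks for: a first login at a site stops for consent instead of completing silently, and the user’s name is released only once the user has said so for that site. Possession of the private key is assumed to have been proven by the mutual-TLS handshake that delivered the certificate; the code starts from the DER bytes the handshake produced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Decision is what the provider reports after a client certificate is presented.
type Decision struct {
	Authenticated bool              // the certificate matched an enrolled user
	NeedsConsent  bool              // first login at this site: ask before continuing
	Claims        map[string]string // only the attributes the user allowed this site to see
}

type user struct {
	id     string
	name   string
	grants map[string]bool // relying party -> whether the name may be released
}

// Provider is a hypothetical certificate-based identity provider (an assumption
// for this example). It trusts the certificate it enrolled, not any CA, so a
// self-signed certificate is the expected input.
type Provider struct {
	users map[string]*user // hex SHA-256 fingerprint of the certificate DER -> user
}

func NewProvider() *Provider { return &Provider{users: map[string]*user{}} }

// Fingerprint is the identity key: SHA-256 over the exact DER the browser presents.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// validate rejects junk before it reaches the database: the bytes must parse,
// the signature must verify under the certificate's own key, and the
// certificate must be within its validity period.
func validate(certDER []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, fmt.Errorf("not a certificate: %w", err)
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, fmt.Errorf("not self-signed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("certificate outside validity period")
	}
	return cert, nil
}

// NewSelfSignedCert builds the kind of certificate a sign-up page would hand
// the browser: fresh P-256 key, self-signed, client-auth usage. Returns DER.
func NewSelfSignedCert(commonName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Enroll stores the fingerprint of a user's certificate; the database row,
// not a CA, is the trust anchor from then on.
func (p *Provider) Enroll(id, name string, certDER []byte) (string, error) {
	if _, err := validate(certDER, time.Now()); err != nil {
		return "", err
	}
	fp := Fingerprint(certDER)
	if _, taken := p.users[fp]; taken {
		return "", errors.New("certificate already enrolled")
	}
	p.users[fp] = &user{id: id, name: name, grants: map[string]bool{}}
	return fp, nil
}

// Authorize records the user's decision for one site: log me in there without
// asking again, and whether my name may be released to it.
func (p *Provider) Authorize(fp, site string, releaseName bool) error {
	u, ok := p.users[fp]
	if !ok {
		return errors.New("unknown certificate")
	}
	u.grants[site] = releaseName
	return nil
}

// Authenticate takes the client certificate from a completed TLS handshake
// (which already proved possession of the private key) and the requesting site.
func (p *Provider) Authenticate(certDER []byte, site string) (Decision, error) {
	if _, err := validate(certDER, time.Now()); err != nil {
		return Decision{}, err
	}
	u, ok := p.users[Fingerprint(certDER)]
	if !ok {
		return Decision{}, errors.New("certificate not enrolled")
	}
	d := Decision{Authenticated: true, Claims: map[string]string{}}
	releaseName, seen := u.grants[site]
	if !seen {
		d.NeedsConsent = true // first login here: release nothing until the user agrees
		return d, nil
	}
	d.Claims["sub"] = u.id // an opaque identifier; the name is never released by default
	if releaseName {
		d.Claims["name"] = u.name
	}
	return d, nil
}

func main() {
	der, err := NewSelfSignedCert("alice")
	if err != nil {
		panic(err)
	}
	p := NewProvider()
	fp, err := p.Enroll("user-1", "Alice", der)
	if err != nil {
		panic(err)
	}
	d, _ := p.Authenticate(der, "example.com")
	fmt.Printf("first visit: consent needed=%v claims=%v\n", d.NeedsConsent, d.Claims)
	_ = p.Authorize(fp, "example.com", false)
	d, _ = p.Authenticate(der, "example.com")
	fmt.Printf("after consent: claims=%v\n", d.Claims)
}
```

The fingerprint lookup is what makes the self-signed certificate safe to trust: the provider never asks who issued it, only whether it is the exact certificate it handed out at sign-up. The consent and name-release decisions are stored per site, so the same certificate can log the user straight into one site and still stop for confirmation at a site it has not seen before.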

I’m a forgiving sort though, so I shall take comfort in the knowledge that this is a relatively new service and it is still working on these things. Clearing up these issues will get us all a whole lot closer to the ideal provider setup and, I think, to the minimum required security for the use of OpenID by anyone who cares about their identity.