OpenID is a distributed authentication model. It is designed to work primarily in the context of web browsers and web servers, with the goal of individual users not needing to maintain separate accounts on every single service they use.
In the abstract, OpenID is similar to SAML, or to a very widely cross-domain-trust implementation of kerberos.
- from the user's point of view, everything seems fairly clear (if it's well-implemented). they go to log into a site, are redirected to their home authentication domain, and then are redirected back to the site they were trying to authenticate to, now successfully authenticated.
- Massive distributed trust problems: how does each server know that it's talking to the correct OpenID server? What kinds of spoofing are possible?
- browsers are buggy, steaming piles of code -- relying on them to handle all authentication is sketchy at best.
- the protocol is new, and implementations don't seem to be perfectly interoperable yet
- mod_auth_openid: an apache module to authenticate against OpenID services