I read Dion Almaer's post about moving the responsibility for authentication from the website into the web browser itself with great interest.
What I really want is for the browser to [sign in] for me. If a site groks OpenID the browser should be able to pass that over without having me intervene at all. It could hide the entire login process if we came up with a microformat to let all sides know what is going on.
Yes! That's exactly what we need. You log in once at the start of your browsing session and from then on all that's required is a simple "Do you want to tell this site who you are? Yes/No" dialog box each time a site requests your identity. This would also neatly work around the phishing problem as the browser sign in mechanism would presumably be fashioned in such a way as to be unfakeable by a website. And if it was all done through microformats it would degrade gracefully in older browsers. In fact it shouldn't be too hard to come up with a Firefox extension to do it once the APIs are sorted out. James Henstridge also talks about client-side Open ID but I think he's looking at it the wrong way.
So it certainly looks like it is possible to migrate almost everything to the client side. That still leaves open the question of whether you’d actually want to do this, since it effectively makes your identity unavailable when away from a computer with the extension installed.
The aim is not to move everything to the client side but rather to allow the browser to mediate the authentication process between the relying party (RP) and the OpenID provider (OP) PS I remembered that VeriSign have an OpenID extension of Firefox called SeatBelt. I tried it out but as far as I can tell all it does is provide phishing protection by redirecting users to their OpenID provider to authenticate before signing in to the relying party. Still, it could be a starting point for a more complete client-side OpenID implementation.
