[OpenID] For the nominees

Eran Hammer-Lahav eran at hueniverse.com
Thu Dec 4 16:57:31 UTC 2008


1. Adoption of OpenID by relying parties isn't on-par with the amount of providers available. How would you improve that ratio?

By listening to what RPs want and making sure OpenID offers them real value while also reducing the friction and risk they take by adopting it. There are a few dedicated community members here (some are board members) that have done just that. The recent meeting with news sites is one such example, and the resulting attempts by Google, Yahoo, and Messina to study the impact on end users.

Like any other technology, OpenID needs a strong developer community (individuals or commercial) which is able to build quality products based on OpenID. But there is a chicken-and-egg problem: without demand, there will be no market for developers, and without developers many companies will not feel confident in this technology. I would stay away from creating an OpenID certification program for developers but would try to work with companies that already offer such programs (Microsoft MCP is one example) to see if they can add such a certificate.

But the number of OPs is actually very misleading. I would not really count AOL, Yahoo, Google, and Microsoft as reaching the same level of *user-recognition* as myopenid.com and pip.verisignlabs.com, or even iNames (yes, I said it). Why? Because much less than 1% of their users know about it, and much, much fewer use it. OPs need to do a lot more to promote the federated use cases of their identity service, and build a product that end users want.

A key area for the board to invest resources in is continuous research. One way to do it well is by building alliances with academic institutions and setting multi-year pacts.

2. What is it that should be done in order to have big providers like Google, Yahoo!, Microsoft rely on other operators?

You mean become RPs? Each is different, but the two main blockers are existing infrastructure and legal. There is little the board can do on the infrastructure side as each company has its own, usually secretive architecture. But there is some work that can be done on the legal side to try and address the legal concerns, especially with international law, about protecting resources with another vendor's OpenID.

Again, the best approach is to simply ask these companies, probably not on general at . I would sit with all these companies, add Facebook, MySpace, and others to the mix and get a list of their top 5 blockers. Some of them will be addressed directly by the board, but most I expect to be addressed by the community in the form of new specs.

There is of course the "gay marriage" version of this strategy (going for the hardest right rather than asking for smaller concessions over time). Instead of going to providers with increasing degree of complexity, go directly to the online consumer banking companies and work with them to address every simple security and usability concern they have. Come up with a technical recommendation written by board-hired/selected experts, and then pass that to the community for consideration and specification. Get the banks on board and the rest will follow.

3. Do you think that a trust relationship framework should be created, similar to PKI auditing (or any other/similar idea) in order to allow relying parties to easily trust other operators? Or what would you suggest instead?

This is a technical question I do not think belongs with the board. The board can facilitate a study or discussion, or even proactively form a working group to deal with the use cases, but ultimately this is not something you should look to the board to solve.

But since you asked, I would take a step back and instead ask RPs what their actual threat model is. What are their security-related concerns and how do they address them today? It is absolutely wrong to try and solve a generic security problem. Some will argue that turning your computer off, dumping it into a 30' hole in the ground, pouring concrete over it, some explosives, nerve gas, and some more concrete - is still open to attacks. The question is, from what?

4. Do you think that instead of hiring an executive director, the load of the different tasks could be shifted to a small group of different persons instead (foundation management)? Would you view such a scenario as possible and perhaps more efficient? (Considering the amount to be paid for an ED, I suspect that many highly motivated and capable individuals from within the community or from outside could do a better job than one individual and receive fair compensation for their work.)

I was never clear on what the purpose of having a part-time ED is. I am not saying it is the wrong idea, just that I personally do not know what the job is designed to accomplish (based on observing what *has been* accomplished so far). At the same time, saving money on an ED and dumping whatever responsibilities actually exist on volunteers is very tricky. As we all know, talk is cheap. Take a look at this list of how many times people complained about something and how many of those ended up doing something. Not very promising.

I would like to take a step back and ask the fundamental question of what is the role of the foundation vs. the community? What is the foundation trying to accomplish? From there you work your way up towards the best and most effective way to accomplish that. Is hiring an ED the best way? Maybe. But until we have clarity on exactly what it is the foundation is for, I don't think your question can be answered.

One of the biggest areas of confusion here has always been that people conflate the foundation with the community with the spec with the technology and with the brand. It is all "one big thing". But it is really not. OpenID 2.0 was created by the community without a foundation. The foundation came about as mostly a legal solution to address concerns by community members and big corporations (I wasn't there, so I do not know the balance of needs in those discussions). If that is all it is meant to be, I would say it is doing its job. We didn't have any real IP issues (which is in some way like saying Bush was a great president as there were no other terror attacks after 9/11).

Hope this helps.

EHL
