Identifier portability: the fundamental issue
Hans Granqvist
hgranqvist at verisign.com
Mon Oct 16 17:47:09 UTC 2006

Chris Drake wrote:
> There seem to be a lot of people on this list who want to hate and
> loathe the IdP, and grant all power to the RP. I do not understand
> this reasoning: our users will select the IdP they trust and like,
> then they will be using a multitude of possibly hostile RPs
> thereafter: the reverse is simply not true.

My assumption (which I am careful to not proclaim as truth) is that
there won't be many IDPs around once the OpenID dust settles.

Sure, there will be the run-in-the-basement ones, but for
business-critical needs an IDP must spend a lot of money: maintain
provable privacy of data, keep uptime, supply enriched services related
to stored data, etc.

Today's main internet companies can afford to invest in that, and they
will also probably compete by adding OpenID access to their existing
user base.

Furthermore, many RPs will require a user to have an account with one or
a few of these mega-IDPs. If there's money at stake, the RP would want
to minimize risk. It's all about RP peace of mind. So few small IDPs
will survive. Feel free to compare search engines and
how a few big companies have all but obliterated the market.

Hostile RPs are easy to handle. You just take your business elsewhere.
But if an IDP decides to boot you when you're no longer indirectly
promoting them using their identity URLs, you could stand to lose quite
a lot.

Hans