[OpenID] Exchange could be a strategic error -- if done now rather than later...
bob at wyman.us
Mon Jan 15 22:08:30 UTC 2007
I know this will sound like heresy... However, I would like to say that I'm
very concerned that OpenID may get more complex than is good for it before
it is widely accepted. The initial implementations of OpenID (LiveJournal,
etc.) have done one thing -- support login to multiple sites with a single
identity -- and done it reasonably well. Thus, as all identity systems must,
OpenID has started with means to establish and assert numerical identity (
i.e. the property that distinguishes one entity from all others and permits
"counting."). In providing portable numerical identity, OpenID has
accomplished a great deal and provides something (like SSO) that will be
valued by many users.
However, we've already seen that bringing in XRI and i-names (which is much
concerned with qualitative, not numerical, identity) has caused some
confusion and complexity that is hard to justify given the precarious degree
of market acceptance at this time. Pushing ahead to support exchange of
qualitative attributes as a core feature of OpenID is likely to cause even
more confusion as well as expose the inevitable unintended attack points.
Just as OpenID is somewhat sullied by debate over aspects of i-names, we'll
find that the basic "identity" portion of OpenID is weakened by debates over
attribute exchange and other capabilities that should properly layer on the
simple base. Debate over "higher layers" may weaken acceptance of the lower
I suggest (although I'm not sure I have much hope that the suggestion will
be taken up) that the "OpenID Community" should do its best to resist the
temptation to add new capabilities to what is already there until after
there is substantial acceptance of what is there now. We've waited too long
to get a decent identity system in place and I'm sure we're all frustrated
and anxious to deploy as much technology as we can as fast as we can. But,
the reality is that going slow, one step at a time, is probably more likely
to be the path to success. Others have tried -- and failed -- to deliver
"complete" solutions to the identity problem in the past. Let's not follow
that well trod path.
I think we should be putting 100% of our efforts into talking every
significant online property to accept OpenID for "login identity" and on
working out solutions to the various phishing, spoofing, etc. issues. The
goal should be to reduce, as much as possible, objections to adopting the
base capabilities so that we can have a solid, widely deployed base on which
to build other capabilities. Once we get to the point where the base is
broadly known to the general user (even your grandmother), that is the time
to push ahead with more stuff. Let's build on a solid foundation... Let's
not move too much faster than the market.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the general